
DMARC Checker: Look Up SPF, DKIM & DMARC

Reads the e-mail security DNS records of a domain: SPF, DMARC, DKIM and MX. Domains without SPF and DMARC can be spoofed for phishing.

What does the DMARC lookup check?

The DMARC lookup reads the four DNS entries that decide whether your email is genuine: SPF (a TXT record starting with v=spf1 that defines which servers may send on behalf of your domain), DMARC (a TXT record at _dmarc.yourdomain carrying the policy p=none, quarantine or reject plus optional reporting via rua), DKIM (the cryptographic signature a receiver uses to confirm a message wasn't altered in transit) and the MX records (your responsible mail servers). In one view you'll see whether your domain is protected against forgery at all.

Why it matters

Without SPF and an enforcing DMARC policy, practically anyone can send email using your domain as the sender, which is the foundation of phishing and CEO fraud. Only p=quarantine or p=reject makes receivers act against forged mail, by sending it to spam or rejecting it. There's a deliverability angle too: since February 2024, Gmail and Yahoo require SPF, DKIM and DMARC from bulk senders; without them your mail lands in spam or is rejected outright.

How to read the result

For SPF, look at the ending: -all (a strict hard fail) or ~all (soft fail) — a missing record or an open +all is a risk. For DMARC, p=none is monitoring only with no protection; real protection starts at p=quarantine and is strongest at p=reject. DKIM should be present and validly signed. A clean setup: SPF ending in -all or ~all, DKIM active, and DMARC at least at quarantine with a reporting address.
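The reading rules above can be applied mechanically to record text. The following Python sketch is an added example, not the checker's own code; it grades TXT strings you have already fetched, and its function names and verdict strings are assumptions made for illustration. DKIM is left out because its record cannot be located without knowing the selector.

```python
# Added example: grade SPF and DMARC TXT strings by the reading rules above.
def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_verdict(txt_records):
    """Grade the SPF ending from the domain's TXT records (list of str)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "risk: no SPF record"
    if len(spf) > 1:  # RFC 7208: more than one record is a permanent error
        return "risk: multiple SPF records"
    terms = spf[0].lower().split()[1:]
    for term in terms:
        if term in ("-all", "~all"):
            return "ok: " + term
        if term in ("+all", "all"):  # a bare "all" defaults to "+"
            return "risk: open +all"
    if any(t.startswith("redirect=") for t in terms):
        return "unknown: redirect= target not followed"
    return "risk: no -all or ~all"

def dmarc_verdict(record):
    """Grade the TXT record at _dmarc.<domain>; pass None if absent."""
    tags = parse_tags(record or "")
    if tags.get("v", "").upper() != "DMARC1":
        return "risk: no DMARC record"
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitoring only: no protection"
    if policy not in ("quarantine", "reject"):
        return "risk: invalid DMARC policy"
    rua = "present" if tags.get("rua") else "missing"
    return f"enforcing: p={policy}, rua {rua}"

def clean_setup(txt_records, dmarc_record):
    """SPF ends in -all/~all and DMARC enforces with a reporting address."""
    dmarc = dmarc_verdict(dmarc_record)
    return (spf_verdict(txt_records).startswith("ok")
            and dmarc.startswith("enforcing") and dmarc.endswith("rua present"))

if __name__ == "__main__":
    # Constructed sample records for the placeholder domain example.com.
    print(clean_setup(["v=spf1 mx ~all"], "v=DMARC1; p=reject; rua=mailto:d@example.com"))
```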

Frequently asked questions about DMARC lookup

What's the difference between SPF, DKIM and DMARC?

SPF defines which servers may send, DKIM signs the message cryptographically, and DMARC ties both to a rule for what happens when a check fails.

Is SPF alone enough?

No. Without a DMARC policy, many receivers ignore an SPF failure — only DMARC enforces a consequence.

What does p=none mean?

Monitoring only: you receive reports, but forged mail is still delivered. As a permanent state it offers no protection.

Do I need DMARC if I don't send any email?

Yes — especially then. A p=reject policy stops your unused domain from being abused for phishing.

Need the full audit? The full Webscan Radar security check combines DMARC lookup with all other areas plus GDPR audit, CMS detection, CVE matching and performance measurement in one report — also free.
