Free Tool
DMARC Checker
See if receivers can enforce mail authentication on your domain.
What it calculates
DMARC TXT at _dmarc.{domain}: policy (none/quarantine/reject), rua/ruf reporting addresses when published.
Why it matters
DMARC tells receivers what to do when SPF or DKIM fail. Monitoring-only policies leave the domain spoofable.
The Learn Domains moat
Check → Diagnose → Activate → Ship fixes → Measure lift
Monitoring tools stop at the score. Learn Domains turns gaps into ranked actions inside your command center.
- 1Check
You ran the checker on your domain and topic.
Done - 2Diagnose
Readiness score + live mention gaps on missed prompts.
Learn more - 3Activate
Connect site, add Knowledge Base, generate Mission Brief.
Learn more - 4Ship + measure
Growth Orders → content drafts → Signal AI referrals.
Learn more
Apex domain only — no paths, IPs, or ports.
What this checker verifies
DMARC TXT record at _dmarc subdomain, policy directive, and aggregate reporting URI when present.
Scans run from Learn Domains infrastructure against the apex domain you submit. We do not crawl arbitrary URLs, probe ports, or run penetration tests. Results describe observed configuration at scan time.
Treat output as operator signal — not a security certification, ranking guarantee, or legal attestation.
How to interpret the result
p=none is monitoring only. quarantine and reject protect recipients once SPF/DKIM alignment is reliable.
Severity labels rank urgency: critical issues often block traffic or trust; high issues degrade deliverability or crawl efficiency; medium and low items are worth scheduling before they compound.
When a finding is marked inference or needs human review, confirm in your DNS host, CDN, or registrar before shipping a production change.
Common causes of this issue
DMARC never added after SPF setup, policy stuck at none for years, or reporting addresses pointing to expired mailboxes.
Misconfigured migrations, partial CDN setups, and copied DNS templates are the usual culprits. Compare www and apex behavior when redirects look inconsistent.
If you recently changed hosts, allow TTL propagation before re-checking — a stale cache can look like a failure for up to 48 hours.
How to fix it
Start with p=none and rua reporting, confirm aligned SPF/DKIM, then move to quarantine or reject.
Document what you changed and when. Technical change detection inside Learn Domains compares future scans to this baseline so regressions surface in the Operator.
For email posture issues, coordinate with whoever owns your ESP (Google Workspace, SendGrid, etc.) so SPF and DMARC align with live senders.
When to re-check
Monthly during mail stack changes. DMARC misalignment often follows SPF updates.
Re-run after DNS TTL windows, certificate renewals, or deploys that touch edge configuration. Weekly monitoring catches drift before launch deadlines.
Connected workspaces in Learn Domains store scan history — public checks are ephemeral snapshots for visitors.
Related Learn Domains workflows
Combine with SPF checker and Technical Preflight for a full mail authentication picture.
Learn Domains documents mail posture changes in scan history so regressions surface before a launch email blast.
Start a $1 trial to connect the domain, run full Technical Preflight in the Operator (/tech), turn findings into Growth Orders, and monitor technical health alongside Mission Brief priorities.
Examples
Phishing concerns
Scenario: Brand impersonation in outbound sales threads.
Outcome: Checker shows p=none or missing DMARC — receivers won't enforce authentication.
Use cases
- Brand protection
- Enterprise buyer security questionnaires
- ESP compliance
Learn Domains perspective
Learn Domains documents mail posture changes in scan history so regressions surface before a launch email blast.
FAQ
- Is the DMARC Checker free?
- Yes. Anonymous visitors can run a limited number of checks per day. Results are cached briefly to keep scans fast. Full history, change detection, and Growth Orders require a Learn Domains workspace.
- Does this scan my entire site?
- No. Public tools inspect DNS, HTTPS entry points, robots.txt, sitemap discovery, mail records, and response headers for the apex domain. They do not brute-force paths or audit every URL.
- Can I scan any domain?
- You can check publicly registered domains you have permission to evaluate. We block internal networks, localhost, and platform abuse targets. Rate limits apply per visitor and per domain.
- How is this different from Learn Domains in the app?
- The app runs the same Technical Intelligence engine with saved history, workspace context, AI Operator interpretation, and one-click Growth Orders. Public tools deliver a snapshot; the product runs the operating loop.