Paste any domain. Scorifya resolves the _dmarc TXT record, parses the policy and reporting tags, and shows where you sit on the DMARC rollout journey.
Free tool
A DMARC record at p=none is a monitoring step, not a defense. Spoofed mail from your domain still reaches inboxes until the policy is at p=quarantine or p=reject. The DMARC checker tells you which step you're on, what's in your record, and whether your reporting mailbox is configured to capture aggregate reports during the rollout.
Paste a domain (or any URL — Scorifya extracts the apex). The scan resolves your DMARC TXT record, parses the policy and tag values, and reports where you sit on the DMARC rollout journey: missing → p=none → p=quarantine → p=reject. DMARC sits inside the broader 0–100 hardening score alongside SPF, DKIM, and the rest of your public posture.
This page is written for people searching for DMARC checker—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — DMARC at p=none, no reporting
DMARC exists but only at p=none and without rua=. You can't see who's sending in your name, and spoofed mail still gets through.
DMARC policy at p=none
Add a rua= reporting mailbox, watch for 2–4 weeks, then progress to p=quarantine. See /learn/dmarc-spf-dkim.
SPF record present
SPF found and reachable. Confirm every legitimate sender (marketing tools, transactional services) appears in the mechanism list.
DKIM selector not detected
Most ESPs require a DKIM selector. Without one, DMARC alignment relies entirely on SPF.
Example B — DMARC at p=reject with reporting
DMARC enforces at p=reject and aggregate reports flow to a monitored mailbox. Mature email-auth posture.
Permissions-Policy missing
Browser-feature header is unrelated to DMARC but shows up in the broader scan output.
Publish DMARC at p=none with rua=
Even before enforcement, the reports tell you which IPs send mail in your name. That's the discovery step every organization needs.
Get to p=quarantine within 2–4 weeks
After aggregate reports stabilize, move to p=quarantine; pct=10. Slowly raise pct to 100 before flipping to p=reject.
Align SPF and DKIM with your visible From
DMARC requires that the From: domain align with the domain authenticated by either SPF or DKIM. Most failures are caused by misaligned third-party senders.
Add DKIM for every ESP you use
Each marketing/transactional vendor publishes DKIM setup steps. Get all of them aligned before you tighten DMARC.
Plan for BIMI once enforced
Once DMARC is at p=quarantine or higher, BIMI displays your logo in supporting inboxes — the visible reward for the work.
For weights and penalties behind each category, see How Scorifya works.
Your _dmarc.<domain> TXT record. The scan parses the v=DMARC1, p=, sp=, rua=, ruf=, pct=, and adkim/aspf alignment-mode tags.
p=none tells receivers 'send me reports but don't change delivery.' Spoofed mail using your From: domain still reaches inboxes. Only p=quarantine or p=reject actually blocks abuse.
Yes — the broader Scorifya scan validates SPF reachability and detects whether DKIM selectors are published. The DMARC tool focuses on DMARC; the full scan covers the trio.
Long enough to identify and align every legitimate sender — typically 2–4 weeks of aggregate reports. Mature organizations move past p=none in under a quarter.
Only if you skip the rollout. Going straight to p=reject without first identifying legitimate senders will block your own forgotten tools (a former marketing platform, a SaaS sending invoices). Always progress through p=quarantine first.
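The tag parsing and rollout-stage classification described on this page (missing → p=none → p=quarantine → p=reject, plus the rua=, pct= and sp= tags), as an added example that is not Scorifya's own code. It works offline on TXT strings already fetched from _dmarc.<domain>; the function names and the sample records in the comments are assumptions made for illustration.

```python
# Added example: offline DMARC record parser and rollout-stage classifier.
# Input is the list of TXT strings found at _dmarc.<domain> (no DNS lookup here).
# Constructed sample: "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com"

STAGES = ("missing", "none", "quarantine", "reject")

def parse_dmarc(txt):
    """Split one TXT value into a tag dict; return None if it is not a DMARC record."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and must be exactly DMARC1 (RFC 7489).
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for pair in pairs[1:]:
        name, sep, value = pair.partition("=")
        if sep:  # ignore malformed fragments that have no "="
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def assess(txt_records):
    """Return the rollout stage and findings for the TXT strings at _dmarc.<domain>."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(parsed) != 1:  # zero or several DMARC records: receivers apply no policy
        return {"stage": "missing", "findings": ["need exactly one v=DMARC1 record"]}
    tags, findings = parsed[0], []
    policy = tags.get("p", "").lower()
    if policy not in STAGES[1:]:
        if "rua" not in tags:
            return {"stage": "missing", "findings": ["no valid p= and no rua="]}
        policy = "none"  # RFC 7489: an invalid p= with rua= is treated as p=none
        findings.append("invalid or absent p=; receivers fall back to p=none")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not being collected")
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    sp = tags.get("sp", policy).lower()
    if sp in STAGES[1:] and STAGES.index(sp) < STAGES.index(policy):
        findings.append(f"sp={sp} is weaker than p={policy} for subdomains")
    if policy == "none":
        findings.append("p=none is monitoring only; spoofed mail is still delivered")
    return {"stage": policy, "findings": findings}
```

A record that passes with no findings is one at p=quarantine or p=reject with rua= set, pct at 100 and no weaker sp= for subdomains.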
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.