DMARC Record

What This Check Does

The DMARC Record check verifies that a TXT record containing "v=DMARC1" exists at the _dmarc subdomain of your domain (e.g., _dmarc.example.com). DMARC is a critical email authentication protocol that builds on SPF and DKIM to prevent email spoofing and phishing attacks.

DNS Spy queries the _dmarc subdomain for TXT records and verifies that a valid DMARC record is present. If no DMARC record exists, this check fails.

Why It Matters

Without DMARC, your domain is defenseless against email spoofing. Attackers can send emails that appear to come from your domain, potentially tricking your customers, partners, and employees into revealing sensitive information or clicking malicious links. DMARC ties together SPF and DKIM authentication and provides a policy for how receiving mail servers should handle messages that fail these checks.

DMARC also provides invaluable reporting — aggregate reports show you who is sending email on behalf of your domain, helping you identify both legitimate services you may have forgotten to authorize and malicious actors attempting to spoof your domain.

NIST SP 800-81, Section 6, emphasizes the importance of email authentication mechanisms including DMARC. DNS Spy helps ensure your domain has this essential protection in place.

NIST SP 800-81 Compliance

Section 6 of the NIST Secure DNS Deployment Guide specifically addresses email security and the role of DNS-based authentication. Having a DMARC record is a foundational requirement for NIST compliance in email security. DNS Spy continuously verifies the presence of your DMARC record, alerting you immediately if it is removed or misconfigured.

Good vs. Bad Configuration

Bad Configuration

No TXT record exists at _dmarc.example.com. Your domain has no DMARC policy, leaving it completely open to email spoofing with no reporting or enforcement.

Good Configuration

_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com"

A complete DMARC record with a reject policy and both aggregate and forensic reporting enabled.

How DNS Spy Monitors This

DNS Spy queries the _dmarc subdomain during every monitoring cycle. If the DMARC record is missing or contains invalid syntax, an alert is sent immediately. DNS Spy also tracks changes to your DMARC record over time, so you can verify that updates are applied correctly and no accidental deletions occur.
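
A sketch of the validation described above, as an added example rather than DNS Spy's own code: it classifies the TXT strings returned for the _dmarc name using RFC 7489 rules, and goes one step beyond the presence test by separating p=none from enforcing policies. The function names, status labels and sample records are assumptions made for illustration.

```python
# Added example: classify the TXT strings returned for _dmarc.<domain>.
# Rules follow RFC 7489; the status labels are this example's own.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt_records):
    """Return (status, detail) for the TXT strings found at _dmarc.<domain>."""
    # Only records whose first tag is v=DMARC1 count; other TXT data is ignored.
    candidates = [r for r in txt_records
                  if r.strip().split(";")[0].replace(" ", "") == "v=DMARC1"]
    if not candidates:
        return "missing", "no TXT record starting with v=DMARC1"
    if len(candidates) > 1:
        return "invalid", "multiple DMARC records; receivers apply none of them"
    try:
        tags = parse_tags(candidates[0])
    except ValueError as exc:
        return "invalid", str(exc)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid", f"missing or unknown p= value: {policy!r}"
    if policy == "none":
        return "monitor-only", "record is valid but requests no enforcement"
    return "enforcing", f"p={policy}"

# Constructed sample answers for _dmarc.example.com (placeholder domain).
SAMPLES = [
    [],                                                  # no TXT record at all
    ["v=spf1 -all"],                                     # TXT present, not DMARC
    ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],  # reporting only
    ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    ["v=DMARC1; p=reject", "v=DMARC1; p=none"],          # duplicate records
]

if __name__ == "__main__":
    for answer in SAMPLES:
        print(answer, "->", check_dmarc(answer))
```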