DMARC Scorer
Analyse your DMARC policy enforcement level, alignment settings, and reporting configuration.
What is DMARC?
Domain-based Message Authentication, Reporting, and Conformance (DMARC) ties together SPF and DKIM by specifying a policy for what to do with emails that fail those checks. It also provides reporting so you can monitor authentication failures.
Policy Levels
- p=none — monitor only, no enforcement
- p=quarantine — failing mail goes to spam
- p=reject — failing mail is blocked entirely
Frequently Asked Questions
What is DMARC and how does it protect my domain?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS policy that tells receiving mail servers what to do with emails that fail SPF or DKIM checks. It also sends aggregate reports showing authentication results across all mail sent from your domain. Without DMARC, anyone can spoof your domain in phishing attacks. Setting DMARC to p=reject blocks unauthenticated email entirely.
What is the difference between p=none, p=quarantine, and p=reject?
p=none is monitoring-only mode — failed emails are delivered as normal, but DMARC reports are sent. p=quarantine sends failed emails to the spam or junk folder. p=reject is full enforcement — receiving servers should reject unauthenticated email entirely. The standard approach is to move from none to quarantine to reject gradually as you confirm all legitimate senders pass authentication.
How long does it take to safely move to DMARC p=reject?
Most domains can move from p=none to p=reject in 4–8 weeks by: setting p=none with reporting URIs, reviewing aggregate reports for 2–4 weeks, identifying and fixing any failing senders, stepping to p=quarantine, then finally p=reject. Domains with many third-party senders — CRMs, marketing platforms, helpdesk tools — may take longer to audit all sending sources.
What is DMARC alignment?
DMARC alignment checks that the domain in SPF or DKIM matches the From: header domain that recipients see. Two modes exist: relaxed alignment (subdomains are allowed to match) and strict alignment (exact domain match required). If alignment fails, the email fails DMARC even if SPF and DKIM individually pass. Most domains should use relaxed alignment.
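The policy and alignment rules above, as an added Python example (not this tool's own code): it parses a DMARC TXT record, summarises enforcement, alignment and reporting, and then decides whether a message passes DMARC given which domains passed SPF and DKIM. The record and domains are constructed, and the organizational domain is assumed to be the last two labels, where real receivers consult the Public Suffix List.

```python
# Added example, not the scorer's own code. Sample record and domains are constructed.
# Assumption: the organizational domain is the last two labels; real receivers
# consult the Public Suffix List (needed for suffixes such as .co.uk).

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...' into a dict of lowercase tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags

def mode(tags, tag):
    """Alignment mode for 'aspf' or 'adkim'; relaxed ('r') is the default."""
    return "strict" if tags.get(tag, "r").lower() == "s" else "relaxed"

def summarize(tags):
    policy = tags["p"].lower()
    return {
        "policy": policy,
        "enforced": policy != "none",  # p=none only monitors
        "spf_alignment": mode(tags, "aspf"),
        "dkim_alignment": mode(tags, "adkim"),
        "rua": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    }

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, alignment):
    if alignment == "strict":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_pass(tags, from_domain, spf_domain=None, dkim_domain=None):
    """spf_domain / dkim_domain: the domain that passed that check, or None."""
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, mode(tags, "aspf"))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, mode(tags, "adkim"))
    return spf_ok or dkim_ok

RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s"  # constructed
if __name__ == "__main__":
    tags = parse_dmarc(RECORD)
    print(summarize(tags))
    print(dmarc_pass(tags, "example.com", spf_domain="bounce.example.com"))
    print(dmarc_pass(tags, "example.com", "example.net", "example.net"))
```

The last call is the case a third-party sender often hits: SPF and DKIM both pass for the vendor's own domain, but neither aligns with the From: domain, so the message fails DMARC.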
Does DMARC stop all phishing and spoofing attacks?
DMARC at p=reject prevents spoofing of your exact domain — for example, emails appearing to come from yourcompany.com. It does not stop lookalike domain attacks (typosquatting domains like yourcompany-inc.com) or display name spoofing where a different email address is hidden behind a familiar name. DMARC enforcement is the essential first layer of protection against direct domain impersonation.