DMARC Record Checker

Check DMARC DNS records for domains to verify email authentication policy.

What does DMARC Record Checker do?

DMARC Record Checker queries _dmarc.<domain> TXT records to retrieve and parse DMARC (Domain-based Message Authentication, Reporting and Conformance) policies. It extracts the enforcement level (none, quarantine, or reject), subdomain policy, reporting URIs for both aggregate and forensic reports, DKIM and SPF alignment settings, and the policy application percentage. The full tag breakdown is included for granular inspection.

Use it for email security auditing, deliverability optimization, compliance monitoring, or verifying DMARC setup across multiple domains. The structured output makes it straightforward to filter domains by policy strength, identify missing records, and feed results into compliance dashboards.

Use cases

• Email administrators verifying DMARC enforcement policies are correctly configured across all company domains
• Deliverability specialists ensuring DMARC records support proper email authentication for marketing campaigns
• Security teams auditing DMARC policies as part of phishing prevention and email spoofing protection
• Compliance officers checking that all organizational domains meet required DMARC policy standards (e.g., p=reject)
• MSP/IT consultants reviewing DMARC configuration across multiple client domains in a single batch run

Why use DMARC Record Checker?

• Deep DMARC parsing — extracts policy, subdomain policy, alignment, percentage, and all reporting URIs
• Tag-level breakdown — returns individual DMARC tags for granular inspection
• Aggregate and forensic URIs — separately lists rua (aggregate) and ruf (forensic) report destinations
• Batch processing — check hundreds of domains in a single run
• Structured output — parsed fields ready for filtering, dashboards, or downstream automation
• Pay-per-event pricing — costs scale with actual usage, just $0.001 per domain checked

Input parameters

Parameter	Type	Required	Default	Description
domains	string[]	Yes	—	List of domains to check for DMARC records. Enter bare domain names (e.g., google.com).

Example input

{
    "domains": ["google.com", "github.com", "example.com"]
}

Output example

Each domain produces one result object with the DMARC record presence, parsed policy fields, reporting URIs, alignment settings, and the raw tag breakdown.

Field	Description
domain	The queried domain name
hasDmarc	Whether a DMARC record was found
rawRecord	Full raw DMARC record text
policy	Main DMARC policy (none, quarantine, reject)
subdomainPolicy	Subdomain-specific policy override (sp tag)
percentage	Percentage of messages the policy applies to (pct tag)
reportUriAggregate	Aggregate report destinations (rua tag)
reportUriForensic	Forensic report destinations (ruf tag)
alignmentDkim	DKIM alignment mode (strict or relaxed)
alignmentSpf	SPF alignment mode (strict or relaxed)
tags	Array of individual DMARC tags with values
error	Error message if check failed

{
    "domain": "google.com",
    "hasDmarc": true,
    "rawRecord": "v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com",
    "policy": "reject",
    "subdomainPolicy": null,
    "percentage": null,
    "reportUriAggregate": ["mailto:mailauth-reports@google.com"],
    "reportUriForensic": [],
    "alignmentDkim": null,
    "alignmentSpf": null,
    "tags": [
        { "tag": "v", "value": "DMARC1" },
        { "tag": "p", "value": "reject" },
        { "tag": "rua", "value": "mailto:mailauth-reports@google.com" }
    ],
    "error": null
}

How much does it cost?

DMARC Record Checker uses Apify's pay-per-event pricing:

Event	Price	Description
Start	$0.035	One-time per run
Domain checked	$0.001	Per domain checked

Examples:

• 10 domains: $0.035 + 10 x $0.001 = $0.045
• 100 domains: $0.035 + 100 x $0.001 = $0.135
• 1,000 domains: $0.035 + 1,000 x $0.001 = $1.035

Using the Apify API

The Apify API lets you control DMARC Record Checker programmatically. Schedule runs, read datasets, manage webhooks, and more. See the Apify API reference for details.

Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: '<YOUR_API_TOKEN>' });
const run = await client.actor('automation-lab/dmarc-record-checker').call({
    domains: ['google.com', 'github.com'],
});
const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Python

from apify_client import ApifyClient

client = ApifyClient('<YOUR_API_TOKEN>')
run = client.actor('automation-lab/dmarc-record-checker').call(run_input={
    'domains': ['google.com', 'github.com'],
})
items = client.dataset(run['defaultDatasetId']).list_items().items
print(items)

Integrations

Connect DMARC Record Checker with other apps and services using Apify integrations. You can integrate with Make, Zapier, Slack, Google Sheets, Google Drive, n8n, and many more. Set up a webhook to receive a Slack alert whenever a domain is missing a DMARC record or using a weak policy, or push results to Google Sheets to build a DMARC compliance dashboard.

Tips and best practices

• Aim for p=reject — the strongest DMARC policy is reject, which tells receiving servers to block unauthenticated messages; quarantine and none offer progressively less protection
• Check subdomain policy separately — the sp tag can override the main policy for subdomains; make sure it is also set appropriately
• Verify reporting URIs — ensure your rua and ruf addresses are correct and that you are actually receiving and reviewing the reports
• Monitor after changes — schedule runs after updating DMARC records to confirm the new policy propagated correctly
• Combine with SPF Record Checker — DMARC depends on SPF and DKIM alignment; check SPF records alongside DMARC for a complete email authentication audit

FAQ

What is the difference between DMARC policies none, quarantine, and reject? none means no action is taken on failing messages (monitoring only). quarantine moves failing messages to spam. reject tells receiving servers to block failing messages entirely. For maximum protection, use reject.

What does it mean when hasDmarc is false? It means no DMARC TXT record was found at _dmarc.<domain>. This leaves the domain vulnerable to email spoofing. Adding a DMARC record is strongly recommended.

Can I check DMARC for subdomains directly? Yes. If you enter sub.example.com, the actor will query _dmarc.sub.example.com. However, note that subdomains without their own DMARC record inherit the parent domain's subdomain policy (sp tag).

What is the percentage (pct) tag used for? The pct tag specifies what percentage of messages should be subject to the DMARC policy. For example, pct=50 means only half of failing messages will be quarantined or rejected. This is useful for gradually rolling out a stricter policy. When percentage is null in the output, it means the tag was not set (defaulting to 100%).