Free Tool — No Signup Required

DMARC Analyzer

by TheBRHub

Your domain is either protected
or it's being spoofed right now.

Check your DMARC, SPF, and DKIM records in under 2 seconds. Get an instant compliance grade, pinpoint exactly what's misconfigured, and know whether Google and Yahoo will accept or reject your emails.

4
Protocol Checks
<2s
Results Time
A-F
Compliance Grade
12,847
Domains Analyzed
DMARC Analyzer
Google Workspace detected
We'll use the 'google' DKIM selector
DKIM Selector (❓)
Analysis Pipeline
Results for -
0
-

Check multiple domains at once. Paste up to 50 domains, one per line.

Tip: Copy/paste a list from a spreadsheet
Checking 0 of 0...

Compare email authentication between two domains side by side.

VS
📁
Drop DMARC aggregate reports here
or click to browse • Up to 50 files, 10MB each
.xml .zip .gz
0 files uploaded
Domain
Email Volume Timeline
to
Total Volume
DMARC Pass
DMARC Fail
Authentication Results
Pass Rate by Protocol
Failure Breakdown
Volume by Provider
Top Senders
Source IP Messages DMARC SPF DKIM SPF Align DKIM Align

Monitored Domains

0/10

Get email alerts when DNS records change or compliance scores drop.

No domains monitored yet
Analyze a domain and click "Monitor" to add it to your watchlist.
Need to monitor more domains? Upgrade to Pro for 50 monitored domains with weekly email reports.
Contact Us →

DMARC Record Generator

Configure your DMARC policy below and copy the generated TXT record into your DNS.

One email address per line
New
v=DMARC1; p=none; adkim=r; aspf=r;
Pro tip: Start with p=none and enable aggregate reports. Monitor for 2–4 weeks to identify all legitimate senders before tightening to quarantine and eventually reject. Jumping straight to reject can block legitimate email from services you forgot about.
Analyzing DNS records...
Checking DMARC...
The Risk

76% of domains have misconfigured
email authentication

Without proper DMARC, anyone can send emails pretending to be you. Your customers, partners, and vendors have no way to verify the difference.

👻

Domain Spoofing

Attackers forge your domain in the "From" header. Without DMARC enforcement, receiving servers have no policy to reject these fakes — and your brand takes the hit.

📉

Inbox Rejection

Google and Yahoo now require DMARC for bulk senders. Missing or misconfigured records mean your legitimate emails bounce or land in spam — silently.

🧩

Partial Setup

SPF without DKIM. DKIM without DMARC. A "p=none" policy that monitors but never enforces. Partial authentication gives you a false sense of security.

This tool shows you exactly where you stand — in seconds.

Enter your domain. Get a complete authentication breakdown: DMARC record parsing, SPF mechanism analysis, DKIM key validation, MX record discovery, and a weighted compliance score that tells you whether you're protected or exposed.

What You Get

Four protocols analyzed. One clear verdict.

Every check runs a real DNS lookup — no cached data, no stale results.

DMARC record parsing that actually explains things

Most DMARC checkers dump raw DNS records and call it a day. Ours breaks every tag apart, explains what it does, and tells you whether the configuration is helping or hurting your deliverability.

  • Full tag-by-tag breakdown: p, sp, rua, ruf, adkim, aspf, pct
  • Policy strength assessment (none → quarantine → reject)
  • Aggregate report (rua) destination validation
  • Subdomain policy inheritance analysis
  • Instant DMARC record generator for fixing issues
🔐
DMARC Record — acmecorp.com
v=DMARC1 ✓ Valid
p=reject ✓ Enforced
rua=mailto:[email protected] ✓ Reports Active
adkim=s ✓ Strict Alignment
aspf=s ✓ Strict Alignment
pct=100 ✓ Full Coverage
This domain has full DMARC enforcement — spoofed emails will be rejected.

SPF validation — including the lookup limit most people miss

SPF has a hard limit of 10 DNS lookups. Exceed it and your entire SPF record silently fails, even if the syntax is perfect. We count every include, a, mx, and redirect to flag this before it becomes a deliverability disaster.

  • Mechanism-by-mechanism breakdown (include, a, mx, ip4, ip6)
  • DNS lookup counter with warning at 10+ lookups
  • All-mechanism policy check (hardfail vs softfail vs neutral)
  • Nested include resolution and flattening
  • ESP auto-detection (Google, Microsoft, Zoho, ProtonMail)
SPF Record — outreach.dev
v=spf1 ✓ Valid
include:_spf.google.com ✓ Google Workspace
include:sendgrid.net ✓ SendGrid
include:mailchimp.com ✓ Mailchimp
~all ⚠ Softfail (not enforced)
7/10 DNS lookups used. Switch ~all to -all for stricter enforcement.

DKIM key lookup with auto-detection

DKIM selectors are the #1 source of confusion in email authentication. We auto-detect your ESP and try common selectors (google, selector1, selector2, k1, default) — so you don't need to dig through DNS records yourself.

  • ESP auto-detection from MX records
  • Common selector brute-force (6 selectors tested)
  • Key type and bit length validation
  • Custom selector input for non-standard setups
  • Multi-selector support for multiple ESPs
🔑
DKIM Selectors — globalsend.io
selector1._domainkey ✓ 2048-bit RSA
selector2._domainkey ✓ 2048-bit RSA
google._domainkey ✗ Not Found
k1._domainkey ✗ Not Found
ℹ️ Microsoft 365 detected — selector1/selector2 are the correct DKIM selectors.

MX records reveal more than you think

Your MX records tell us which email provider you're using, and that changes everything — from expected DKIM selectors to sending rate limits. We cross-reference MX data with SPF and DKIM to catch mismatches between your DNS and your actual mail infrastructure.

  • Full MX record listing with priority values
  • ESP identification (Google, Microsoft, Zoho, etc.)
  • Cross-reference with SPF includes for consistency
  • Missing MX detection (common with parked domains)
  • ESP-specific rate limit awareness
📮
MX Records — acmecorp.com
Priority 1 aspmx.l.google.com
Priority 5 alt1.aspmx.l.google.com
Priority 5 alt2.aspmx.l.google.com
Priority 10 alt3.aspmx.l.google.com
Google Workspace detected — SPF includes _spf.google.com ✓ | DKIM selector: google ✓
Power Features

Built for agencies and teams, not just one domain

Analyze, compare, and monitor at scale — all from the same interface.

Bulk Analysis

Paste up to 50 domains and get a compliance report for each one in a single batch. Export as CSV for client reporting or internal audits.

50 Domains CSV Export Batch Processing
⚖️

Side-by-Side Compare

Enter two domains and see a detailed head-to-head comparison. Which one has stricter DMARC? Better SPF? Stronger DKIM? See the diff instantly.

Head-to-Head Visual Diff Winner Summary
📁

DMARC Report Upload

Drop your XML aggregate reports (the ones Google and Yahoo send you) and get a visual breakdown of pass rates, failing sources, and sender IP analysis.

XML Parsing Source Analysis Visual Charts

Domain Monitoring

Add domains to your watchlist and check their status on demand. Track changes over time and catch misconfigurations before they impact deliverability.

Watchlist Change Detection Quick Re-Check

Record Generator

Don't just find the problem — fix it. After analysis, our built-in generator creates a properly formatted DMARC record you can copy straight into your DNS.

Auto-Generate Copy to DNS Policy Advisor

PDF Export

Generate a professional PDF report of your analysis — complete with scores, records, and recommendations. Perfect for sharing with clients or leadership.

Branded Report Client-Ready One-Click
🧰 TheBRHub Ecosystem

DMARC is one piece of the puzzle

Deliverability depends on authentication, reputation, and infrastructure. These free tools cover the rest.

Blacklist Intelligence

Check if your IP or domain is listed on 90+ real-time blacklists. Get severity scoring and guided delisting instructions.

Check Blacklists →
🔬

Email Header Analyzer

Paste any email header and trace the full delivery path — authentication chain, routing hops, delays, and spam scoring.

Analyze Headers →
📮

Domain Diagnostics

Full DNS record retrieval — MX, A, AAAA, CNAME, TXT, NS — with ESP identification and priority mapping.

Lookup DNS →

Spam Score Tester

Score your email content against common spam triggers. Find what's dragging your messages into junk before you hit send.

Test Score →
📨

Bounce Analyzer

Parse bounce-back messages to identify whether it's a hard bounce, soft bounce, policy rejection, or server misconfiguration.

Analyze Bounces →

DeliverCORE

All of these tools — plus continuous monitoring, client management, and warmup orchestration — unified in one platform.

Learn More →
FAQ

Common questions

It performs four real-time DNS lookups: DMARC record (TXT at _dmarc.yourdomain.com), SPF record (TXT at yourdomain.com), DKIM public key (TXT at selector._domainkey.yourdomain.com), and MX records. Each is parsed, validated, and scored against best-practice thresholds to produce a weighted compliance grade.
Since February 2024, Google and Yahoo require bulk senders (5,000+ emails/day) to have a valid DMARC record. Without one, emails may be silently rejected or routed to spam. Even if you're under the 5,000 threshold, having DMARC dramatically improves inbox placement across all providers.
p=none monitors only — receiving servers log failures but take no action. p=quarantine sends failing emails to spam. p=reject blocks them entirely. Most security experts recommend starting with none (to collect data), then escalating to quarantine, and finally reject once you've verified all legitimate senders are authenticated.
The score is a weighted composite: DMARC presence and policy strength (35%), SPF validity and enforcement (30%), DKIM key presence and strength (25%), and MX record configuration (10%). Additional penalties apply for common misconfigurations like exceeding the SPF 10-lookup limit or using p=none without aggregate reporting.
Yes. Single domain analysis, side-by-side comparison, DMARC report upload, and PDF export are all free with no signup. Bulk analysis supports up to 10 domains free. If you need continuous monitoring, higher bulk limits, or API access, check out DeliverCORE — our unified deliverability platform.
Start with the biggest gap. No DMARC record? Use the built-in generator to create one with p=none and add it to your DNS. No SPF? Add a TXT record that includes your email provider. No DKIM? Enable it in your ESP's admin panel (Google Workspace, Microsoft 365, etc.). Once all three are in place, work toward stricter policies. Need hands-on help? Book a free consultation with our deliverability team.

Don't guess. Know.

Run a free analysis right now, or talk to our deliverability team about fixing what's broken.

Book a Consultation
Link copied!