Security
SecurityMedium

DMARC Record

Checks DNS for a DMARC record — tells receivers what to do with spoofed mail.

What this check measures

We query the `_dmarc.domain.com` TXT record. DMARC policy should be at least `p=none` (monitoring) and ideally `p=quarantine` or `p=reject`. Also check for `rua=` reporting email.

Why it matters

DMARC combined with SPF and DKIM is the modern email-authentication standard. Without DMARC, even properly authenticated email may still be spoofed. Google/Yahoo started enforcing DMARC for bulk senders in 2024.

search

How our audit detects it

DNS TXT lookup on _dmarc.<domain>. Parse v=DMARC1, p=, rua= values.

Typical findings

  • error_outlineNo DMARC record.
  • error_outlinep=none with no reporting rua — useless.
  • error_outlineWeak policy (p=none) years after deployment — never progressed to enforcement.

How to fix

Start with `v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com` to monitor. After 2 weeks of clean reports, move to `p=quarantine`, then `p=reject`.

Frequently asked questions

How long until I can enforce?expand_more
Typically 2-4 weeks of p=none with reporting, review reports, fix legitimate senders, then escalate.

Want this checked on your site?

Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.

Scan my site

Related checks

Security

HTTPS Enabled

Checks that the site serves over HTTPS and redirects HTTP to HTTPS.

Security

TLS Version

Checks that the server uses TLS 1.2 or higher — older versions are broken.

Security

Mixed Content

Checks for HTTP resources loaded on HTTPS pages — browsers block or warn.

Security

SSL Certificate

Checks that the SSL certificate is valid, not expired, and not expiring soon.

Learn more in the Glossaryarrow_forward