Skip to main content
CaptainDNS
NEW·Email security and deliverability monitoring. Get alerted the moment a score change or DNS record puts your domain at risk.Learn more

DMARC Validator

Validate DMARC syntax before publishing, fix errors in seconds

How do you fix DMARC syntax errors? Paste your DMARC record below and validate its syntax instantly. A DMARC syntax error means your policy is silently ignored by Gmail, Outlook and all receiving servers.

What we check

  • Syntax and RFC 7489 compliance
  • Policy (p, sp) and protection level
  • DKIM and SPF alignment
  • Coverage (pct) and reporting (rua, ruf)

Why validate DMARC syntax before publishing?

A malformed DMARC record is silently ignored by Gmail, Outlook, Yahoo and all receiving servers. No alert is raised. Your emails remain unprotected against spoofing and phishing.

The validator reads your record before DNS publication, checks each tag and verifies the report URIs. You fix errors immediately, without waiting 24 to 48 hours of propagation only to discover that a detail prevents the policy from being applied.

DMARC tags according to RFC 7489

The RFC 7489 defines every tag allowed in a DMARC record. The validator checks the name, position and value of each tag.

TagRoleExample
vProtocol version, always firstv=DMARC1
pPolicy applied to the apex domainp=quarantine
spPolicy applied to subdomainssp=reject
adkimDKIM alignment mode, r (relaxed) or s (strict)adkim=s
aspfSPF alignment mode, r or saspf=r
pctPercentage of messages subject to the policy, 1 to 100pct=50
ruaAggregate report destinations (mailto URI)rua=mailto:dmarc@captaindns.com
rufForensic report destinations (mailto URI)ruf=mailto:forensic@captaindns.com
foForensic report generation optionsfo=1

Tags v and p are mandatory. The other tags fall back to default values when omitted (adkim=r, aspf=r, pct=100).

Before-and-after correction examples

The validator flags every syntax error with its position. Here are three common cases seen on published records.

Malformed rua URI:

- v=DMARC1; p=reject; rua=reports@captaindns.com
+ v=DMARC1; p=reject; rua=mailto:reports@captaindns.com

The mailto: prefix is required by RFC 7489.

Invalid p policy:

- v=DMARC1; p=monitor; rua=mailto:dmarc@captaindns.com
+ v=DMARC1; p=none; rua=mailto:dmarc@captaindns.com

Only none, quarantine and reject are accepted.

pct out of range:

- v=DMARC1; p=quarantine; pct=150; rua=mailto:dmarc@captaindns.com
+ v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@captaindns.com

The pct value must be an integer between 1 and 100.

Common validator diagnostics

The validator returns a short code for each anomaly detected. The codes below are the most frequent.

CodeCauseAction
missing_version_tagTag v=DMARC1 missingAdd v=DMARC1 as the first tag
unsupported_versionValue of v= other than DMARC1Replace with v=DMARC1
missing_policyTag p= missingAdd p=none, p=quarantine or p=reject
invalid_policyValue of p= outside none/quarantine/rejectCorrect the value
invalid_subdomain_policyValue of sp= invalidUse none, quarantine or reject
invalid_alignmentadkim= or aspf= value other than r/sSet to r or s
invalid_percentpct= outside 1-100 rangeUse an integer between 1 and 100
invalid_rua_uriMalformed rua URIUse mailto:address@domain
invalid_ruf_uriMalformed ruf URIUse mailto:address@domain
invalid_failure_optionUnknown fo= valueUse 0, 1, d or s
duplicate_tagTag declared twiceKeep a single occurrence
unknown_tagUnrecognised tag nameCheck spelling against RFC 7489
record_trailing_quoteTXT string ends with a quoteRemove the trailing quote

Warning-level codes (policy_none, pct_less_than_100, subdomain_policy_none) flag a valid but partial configuration: protection remains incomplete while the policy stays at none or pct is below 100.

FAQ - Frequently asked questions

What deployment progression should I follow for the p= policy?

Always start with p=none to observe traffic through aggregate (rua) reports. Once SPF and DKIM are aligned across all your legitimate sources, move to p=quarantine, then p=reject. Avoid jumping straight to p=reject: the observation-phase rua reports almost always reveal forgotten legitimate streams.

Should I configure ruf as well as rua?

Not at the start. Aggregate rua reports (daily) are essential for steering your rollout. Forensic ruf reports (per failing message) generate significant volume and may contain personal data. Enable them only if you have an analysis pipeline and a legal opinion on collecting this data.

Should I configure the sp= tag on subdomains?

By default, subdomains inherit the p policy. Configure sp= only if the subdomain policy must differ from the apex. Verify that SPF and DKIM are aligned on each sending subdomain before tightening sp=.

Does the validator apply DMARCbis rules?

This version applies RFC 7489 rules. To anticipate the DMARCbis transition (removal of pct, ri, rf, addition of np, psd, t), use the DMARCbis Checker or the DMARCbis migration tool.

Complementary tools

ToolPurpose
DMARC CheckerVerify publication and resolve the DMARC record from DNS
DMARC GeneratorCreate a spec-compliant DMARC record
SPF ValidatorValidate the SPF syntax for your domain
DKIM ValidatorValidate the syntax of a DKIM key
DMARCbis MigrationMigrate a DMARC record to the new standard
DMARC MonitoringReceive and analyze your aggregate DMARC reports automatically
Reference: RFC 7489 - Domain-based Message Authentication, Reporting and Conformance.