Inspect and grade your DMARC policy
DNS & Records
DNS Lookup Every DNS record for any domain A Record Lookup IPv4 addresses for a domain AAAA Record Lookup IPv6 addresses for a domain MX Lookup Mail servers for a domain NS Lookup Authoritative name servers TXT Lookup TXT records, SPF, verification CNAME Lookup Canonical name (alias) records SOA Lookup Start of Authority record SRV Lookup Service location records CAA Lookup Which CAs may issue certificates Reverse DNS (PTR) IP address to hostname DNSSEC Check Is the domain signed and validated? DNS Health Check A full delegation & DNS report cardEmail Deliverability
SPF Check Validate your Sender Policy Framework record DMARC Check Inspect and grade your DMARC policy DKIM Check Find and validate your DKIM public key Blacklist Check Check an IP against email blocklists (DNSBLs) SMTP Test Connect to a mail server and check STARTTLS MTA-STS Check Enforced TLS policy for inbound mail BIMI Check Brand logo record for email TLS-RPT Check SMTP TLS reporting policyNetwork & Web
SSL Certificate Check Inspect a site's TLS certificate and expiry HTTP Header Check Inspect response headers, redirects and security Ping (TCP) Reachability and latency over TCP Port Check Which common ports are openDomain
WHOIS Lookup Registration data for domains, IPs and ASNsDMARC builds on SPF and DKIM to tell receivers what to do with mail that fails authentication, and where to send reports. A policy of 'p=none' only monitors; 'quarantine' and 'reject' actually protect your domain from spoofing. IPeek reads the record at _dmarc.your-domain, parses every tag and grades the policy strength.
DMARC is a TXT record at _dmarc.your-domain starting with v=DMARC1. It passes when a message passes SPF or DKIM and that authenticated domain aligns with the visible From domain. Alignment is the key: spoofers can pass raw SPF or DKIM on their own domain, but they can't align it with yours. A record like v=DMARC1; p=reject; rua=mailto:reports@your-domain; adkim=s; aspf=s enforces rejection and demands strict alignment for both DKIM and SPF.
The p tag sets your policy. p=none monitors only — mail still flows, but you collect reports to see who sends as you. p=quarantine routes failing mail to spam, and p=reject blocks it outright, the strongest protection against spoofing. The pct tag can ramp enforcement gradually (for example pct=25), and sp sets a separate policy for subdomains. Start at none to gather data, then tighten to quarantine and reject once your legitimate senders pass. IPeek grades how strong your current policy is.
DMARC's reporting is what makes it actionable. The rua tag names a mailbox that receives daily aggregate XML reports summarizing which sources sent mail as your domain and whether they passed SPF, DKIM, and alignment. Use these reports to find legitimate senders you forgot to authorize before tightening your policy. The optional ruf tag requests forensic (per-failure) reports, though most receivers no longer send them for privacy reasons. Without rua, you're enforcing policy blind.
p=none is a monitor-only policy. It tells receivers to take no special action on mail that fails DMARC, so messages are delivered normally, but you still receive aggregate reports showing who is sending email as your domain. Use p=none to gather data and identify legitimate senders, then move to quarantine or reject for real spoofing protection.
Both enforce your policy, but differently. p=quarantine tells receivers to deliver failing mail to the spam or junk folder, while p=reject tells them to block it entirely so it never reaches the recipient. Reject is the strongest protection against spoofing. Quarantine is a common intermediate step before committing to full rejection.
Alignment requires the domain authenticated by SPF or DKIM to match the domain in the visible From header. DMARC passes only when at least one of them aligns. Relaxed alignment (the default) allows subdomains to match the organizational domain; strict alignment (adkim=s, aspf=s) requires an exact match. Alignment is what stops attackers from passing authentication on their own domain.
A DMARC record is a TXT record published at the _dmarc subdomain of your domain — for example, _dmarc.example.com. It must begin with v=DMARC1 and is published once per organizational domain. Receivers query this exact location to find your policy. IPeek reads the record at _dmarc.your-domain automatically and parses every tag it contains.
No. DMARC passes if either SPF or DKIM passes and aligns with your From domain, so you don't strictly need both. However, configuring both is strongly recommended: it adds redundancy, and DKIM survives email forwarding while SPF often breaks on it. Having both authentication methods aligned gives you the most reliable DMARC results.