Free checker Platform in private beta

Move to DMARC reject without breaking product emails.

Run a free DMARC, SPF and MX check below. The full readiness platform - sender inventory, alignment detection, and a clear go/no-go for enforcement - launches soon.

Runs in your browser
No signup, no cookies
Live DNS via Google DoH

Why DNS checks aren't enough

A valid DMARC record does not mean reject is safe

DNS lookups confirm what you published. Report data tells you what's actually leaving your domain - and that is the only thing that tells you when enforcement is safe.

What DNS can tell you

Whether a DMARC record exists
What policy is published (none, quarantine, reject)
Whether SPF and DKIM are configured at all

Useful, but it does not tell you whether moving to p=reject will silently drop legitimate mail.

What DMARCscope adds

What DMARC reports tell you

Which services actually send mail in your name
Which of those pass SPF and DKIM alignment
Which unauthorized senders are spoofing you
Whether reject would silently break a real sender

That is the difference between guessing and knowing. DMARCscope turns aggregate reports into a clear go/no-go for enforcement.

Coming soon · platform preview

What you'll see once we're parsing your DMARC reports

DNS only tells you what you published. The platform reads your aggregate reports and turns them into a live sender inventory with a clear verdict. Currently in build.

Preview - not yet shipping

app.dmarcscope.com / domains / acme.com

Domain

acme.com

Not ready to enforce

Last 7 days Updated 2h ago

Reports: 1,238
Senders: 4
Aligned: 89%

Sender	Volume	SPF	DKIM	Aligned
Google Workspace google.com	842	pass	pass	✓
Postmark postmarkapp.com	254	pass	pass	✓
HubSpot hubspot.com	98	pass	pass	✗
Unknown sender 15.235.42.18	44	fail	fail	✗

Verdict: stay on p=none for 7 more days

HubSpot mail is failing DKIM alignment, and an unknown sender from 15.235.42.18 is sending in your name. Fix these before moving to quarantine.

Run the free checker today

On the roadmap

What's inside the readiness platform

Built around one job: tell you when reject is safe. These are the features shipping with the private beta - currently in build.

Sender inventory

A live list of every service sending email from your domain - Google Workspace, Postmark, HubSpot, plus the ones you forgot about.

SPF/DKIM alignment detection

Surfaces senders that pass SPF or DKIM but fail alignment. These are the ones that quietly break when you enforce.

Unknown sender alerts

Get notified the moment a new IP or service starts sending in your name, before it shows up in a phishing report.

Quarantine/reject readiness

A clear verdict for each domain: not ready, ready for quarantine, or ready for reject. With the reasons spelled out.

Weekly email digest

One email per week with what changed, what's still blocking enforcement, and what to fix next.

Plain-English recommendations

No DMARC jargon. Each finding includes a specific next step, not just a status code.

FAQ

Common questions

Is the free checker actually free? Do you track me?

Yes, free. The DNS check runs in your browser via DNS over HTTPS - your domain goes straight to Google's public resolver, never to us. No signup, no account, no cookies. We use privacy-friendly anonymous analytics (Umami) to count pageviews and aggregate verdict categories so we know which DMARC states people see most often. We never log the domain you check.

Why can't I just check my DMARC record once and move to reject?

Because a published DMARC record only tells you what policy you set. It does not tell you which services are sending in your name, or whether they pass DKIM and SPF alignment. Move to reject without that data and legitimate transactional or marketing email can disappear silently. That visibility is what the upcoming platform adds on top of the DNS check.

When will the full readiness platform launch?

Private beta opens later this year. We'll announce it on this site once it's ready.

How long until I have enough DMARC report data to enforce safely?

Most teams need 7-14 days of aggregate report data on a low-volume domain, longer on a high-volume one. The platform tracks this for you and tells you the moment you have enough authenticated, aligned traffic to step up your policy.

Will using the platform require DNS changes?

Yes - one DNS edit. You'll add our private rua reporting address to your DMARC record so mailbox providers send aggregate reports to us. We never touch your SPF, DKIM, or MX records.

Who is this built for?

Small SaaS teams, founders, and technical operators. The pricing, feature set, and copy are intentionally narrow. If you need MSP-grade multi-tenant features, this isn't it.

Run the check

Stop guessing whether reject is safe.

See your DMARC, SPF and MX status in seconds. Get a clear next step before changing your enforcement policy.

Run the free checker