The DMARC record is one TXT entry in DNS, but it controls more of your domain’s reputation than almost any other line of configuration. Get it wrong — wrong policy, missing reporting address, no subdomain handling, percentage stuck at zero — and the failure mode is silent. Mail keeps flowing, but receivers stop trusting you, and you only find out a quarter later when the bounce rate spikes. The PortJar DMARC Lookup & Parser pulls the record, parses every tag, and calls out the misconfigurations that the spec doesn’t actually require you to fix.
What the tool does
It queries _dmarc.<your-domain> over DNS, extracts the TXT record, and parses each tag (v, p, sp, pct, rua, ruf, adkim, aspf, fo, ri) into a human-readable explanation. It then flags weak configurations: a policy of p=none after the observation window should have ended, a missing rua (aggregate reporting) address, a pct value below 100 that’s been there longer than intended, an sp that’s inconsistent with the parent policy. It also confirms that the record is syntactically valid — DMARC is fussy, and a record with an extra semicolon or a malformed tag is treated by receivers as no record at all.
How to use it
Open portjar.com/tools/dmarc-lookup, enter the domain (not the _dmarc subdomain — the tool prepends it), and submit. The output is the raw TXT record plus a parsed table. Run it against the public-facing domain, but also against any subdomains used for outbound mail — billing, support, transactional — because each can have its own DMARC record that overrides the parent.
When you’d reach for it
- Before adding a new mail sender. When marketing wants to add Mailchimp, transactional wants to add Postmark, or sales wants to add a CRM that sends “from” your domain, DMARC’s current state determines what authentication paperwork they need to complete first. The PortJar troubleshooting guide on SPF PermError covers the related 10-DNS-lookup limit that often surfaces during this expansion.
- After moving DNS providers. TXT records are notorious for not migrating cleanly — quotes get mangled, long records get truncated, the
;separators get stripped. A DMARC parse against the new DNS confirms the record made the trip intact. - When deliverability drops without explanation. A receiver that was accepting your mail starts spam-foldering it. The first check is whether your DMARC policy is enforcing (
p=quarantineorp=reject), whether your aligned sending is actually aligned, and whether you have anruaaddress that’s collecting the aggregate reports you’d need to diagnose further. PortJar links a reference guide on whatp=quarantineactually means for senders during this rollout. - Walking a client from
p=noneto enforcement. The PortJar guide on DKIM check failures pairs naturally with this — once DMARC starts enforcing, every misaligned DKIM signature becomes a delivery problem rather than a cosmetic one. - Auditing a domain on takeover. A DMARC parse is the first DNS check on any client we onboard with a cPanel or hosted-mail environment. It tells us in fifteen seconds whether the prior operator did the work or punted.
What to make of the output
A p=none policy is not protection — it’s observation. It’s a valid step on the way to enforcement, but a domain that’s been at p=none for a year is a domain whose owner intended to roll out DMARC and never finished. A missing rua address means you’re flying blind; even at p=none, the aggregate reports are how you find every misaligned sender. A pct of less than 100 should be a temporary state, not a permanent one. An sp tag that doesn’t match p means subdomains follow a different (often weaker) rule than the parent — which can be intentional but more often is an oversight. When the parser flags rua=mailto: pointing to an address you don’t recognise, treat that as a finding — somewhere along the way, someone pointed your DMARC reports at a third-party processor and that relationship may no longer be active.
For environments where mail authentication and DMARC posture need to stay correct across dozens of domains, Stack Harbor manages this as part of cPanel/WHM management.