DNS Record Explainer

Paste any DNS record and get a plain-English breakdown - every tag explained, risky settings flagged, related tools suggested. No domain needed.

paste_record
// detects SPF / DKIM / DMARC / BIMI / CAA / MX / MTA-STS / TLS-RPT / generic TXT. Paste the record value - no quotes needed.
[ OK ] Detected: DMARC
input
v=DMARC1; p=none; rua=mailto:[email protected]
[ explanation · ai ]
[ breakdown ]

v=DMARC1
Version tag. Must be first. Says this is DMARC protocol v1. Non-negotiable.

p=none
Policy directive. Tells receivers what to do with mail that fails DMARC checks. "none" = monitor only, don't reject or quarantine. Receiver still sends reports but passes the message. Common starting point before moving to p=quarantine or p=reject once you trust your sender infrastructure.

rua=mailto:[email protected]
Reporting URI for aggregate reports. Receivers send you daily XML summaries of pass/fail stats to this address. Helps you see who's sending mail claiming to be from your domain, whether SPF/DKIM aligned, etc. Essential for diagnosing issues. Address must be reachable and ideally monitored.
[ flags ]

No alignment mode set (adkim / aspf) for matching against the RFC5322.From domain. The default is relaxed, and rua=mailto:[email protected] gets reports either way, but you should add "adkim=r; aspf=r" explicitly if relaxed is intentional, or "adkim=s; aspf=s" for strict alignment. As written, the intent is ambiguous.

No forensic reports configured (ruf tag). You're only getting aggregate data, not sample failures. Forensic reports are useful early on for debugging, but they add mail volume. Consider adding "ruf=mailto:[email protected]" if you need per-failure visibility.

No subdomain policy (sp tag). Subdomains inherit p=none. If you tighten the root later, subdomains stay weak unless you set sp= explicitly.

p=none indefinitely is a red flag operationally. You should have a timeline to move toward p=quarantine once SPF/DKIM coverage looks solid (typically 5–10% failure rate is acceptable before stricter policy).
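
The checks behind the flags above, as an added example in Python (not this tool's own code): it parses a DMARC TXT value into tags and reports the same conditions. The function names, flag labels and example.com addresses are assumptions made for illustration.

```python
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT value into a tag -> value dict (insertion order kept)."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag, otherwise the record is not DMARC at all.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags

def flag_dmarc(record: str) -> list:
    """Return hypothetical flag labels for the weak settings discussed above."""
    tags = parse_dmarc(record)
    flags = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        flags.append("invalid-or-missing-policy")
    elif policy == "none":
        flags.append("monitor-only-policy")         # p=none: nothing is blocked
    if "rua" not in tags:
        flags.append("no-aggregate-reports")
    if "ruf" not in tags:
        flags.append("no-failure-reports")          # no per-failure samples
    if "sp" not in tags:
        flags.append("no-explicit-subdomain-policy")
    if "adkim" not in tags or "aspf" not in tags:
        flags.append("implicit-relaxed-alignment")  # defaults apply silently
    return flags

# Constructed samples: the page's record shape with placeholder addresses.
SAMPLE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
HARDENED = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
            "rua=mailto:dmarc-reports@example.com; "
            "ruf=mailto:dmarc-forensics@example.com")

if __name__ == "__main__":
    for rec in (SAMPLE, HARDENED):
        print(rec, "->", flag_dmarc(rec) or "no flags")
```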
[ context ]

DMARC lives in DNS as a TXT record at _dmarc.yourdomain.com. This record kicks in after SPF and DKIM validation by the receiving mail server. Without it, there's no standardized way for receivers to know your domain authentication posture or what to do with failures. Spoofing your domain becomes easier for attackers. The rua address is where you learn whether your own services are passing checks—critical for catching misconfigurations in marketing platforms, app mailers, etc.
[ related ]
→ /tools/dmarc-checker run the live checker on a real domain
→ /blog/dmarc-policies-explained
// AI explainer uses Claude Haiku 4.5. Same record pasted twice = served from 7-day cache. Never leaves our servers - no analytics/telemetry on paste content.