What is DNS propagation?

DNS propagation is the time it takes for a DNS record change to be visible to resolvers worldwide. Each resolver caches records for the duration of the record's TTL (time to live). Until that cache expires, the resolver returns the old answer: which is why a new record can be live at one resolver and stale at another for minutes to days.

How long does DNS propagation take?

Most propagation completes within minutes to a few hours. The upper bound is the record's TTL: commonly 300 seconds (5 minutes) to 86400 seconds (24 hours). Some ISP resolvers ignore short TTLs and cache for longer, which is why a small number of resolvers can lag for a day or more.

Why do different DNS resolvers show different results?

Each resolver caches independently. When you change a DNS record, resolvers that already had the old record cached will keep serving it until their TTL expires, while resolvers that had no cached entry fetch the new record immediately. Geo-aware DNS (GeoDNS) can also legitimately return different answers to resolvers in different regions.

What is a TTL in DNS?

TTL (time to live) is the number of seconds a resolver is allowed to cache a DNS record before re-fetching it from the authoritative server. Lower TTLs mean faster propagation but more queries; higher TTLs mean slower propagation but better performance and lower load.

How does WhereIsDNS check propagation?

WhereIsDNS sends DNS-over-HTTPS (DoH) queries to 14 public resolvers in parallel: Cloudflare, Google, Quad9, OpenDNS, AdGuard, NextDNS, Yandex, AliDNS, DNSPod, CleanBrowsing, Mullvad, ControlD, Hurricane Electric, and DNS4EU. Results stream in as each resolver responds. The consensus row tells you how many resolvers agree.

Yes, completely free with no signup. The site is supported by unobtrusive Google AdSense ads.

DMARC Check

Check the DMARC policy for any domain. We query _dmarc. automatically across 14 public DNS resolvers.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the policy layer on top of SPF and DKIM. It tells receiving mail servers what to do when an incoming message fails authentication: accept, quarantine, or reject: and where to send aggregate reports.

DMARC lives at _dmarc.<your domain> as a TXT record. Just type your bare domain above: we'll add the _dmarc. prefix automatically.

Anatomy of a DMARC record

A typical DMARC record looks like: v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100. The key tags:

v=DMARC1: version marker (always this).
p=: policy: none (monitor), quarantine (send to spam), or reject (block).
rua=: where to send aggregate (daily) reports.
ruf=: where to send forensic (per-failure) reports.
pct=: what percentage of failing mail to apply the policy to (0–100).
sp=: policy for subdomains (defaults to p if unset).
adkim=, aspf=: alignment strictness (r=relaxed, s=strict).

Common errors and pitfalls

No DMARC record at all: domain has no protection against spoofing. Start with p=none to collect data, then ratchet up.
Policy stuck at p=none forever: common. Monitor mode is for collecting data, not for permanent deployment. Move to quarantine then reject once you've audited your senders.
DMARC at the wrong name: must be at _dmarc.example.com, not example.com itself. WhereIsDNS handles the prefix for you.
Missing rua: without it, you get no visibility into who's sending mail "as you." Strongly recommended.
Multiple DMARC records: only the first is honored, and some receivers reject the domain entirely. Always exactly one.

FAQ

What policy level should I start with?

p=none with rua reporting. Run that for 2–4 weeks, audit the reports to identify legitimate senders, fix SPF/DKIM gaps, then graduate to quarantine, then reject.

Do I need DMARC if I already have SPF and DKIM?

Yes. SPF and DKIM are mechanisms; DMARC is the policy and reporting layer. As of 2024, Google and Yahoo require DMARC on any domain sending bulk mail to their users.

Why is my DMARC failing despite SPF passing?

"Alignment." DMARC requires that the domain SPF validated aligns with the visible From: domain. A forwarder or ESP can pass SPF on its own envelope-from while the From header is yours: that fails DMARC unless DKIM also passes and aligns.

Background reading

See the DMARC glossary entry, plus SPF and DKIM for context. The DNS Records Explained guide ties it all together.

All record-type lookups

WhereIsDNS has dedicated pages for each common DNS record type. Each one defaults the tool to that record type and includes background on what the record means and what to look for.

A Record Lookup: IPv4 addresses for a hostname
AAAA Record Lookup: IPv6 addresses for a hostname
CNAME Lookup: Aliases pointing one hostname to another
MX Record Lookup: Mail servers for a domain (with priorities)
NS Record Lookup: Authoritative nameservers for a domain
TXT Record Lookup: SPF, DKIM, DMARC, and other text records
SOA Record Lookup: Authority metadata for a DNS zone
CAA Record Lookup: Which CAs may issue certs for the domain
SRV Record Lookup: Service location records (SIP, XMPP, _autodiscover, etc.)
DNSKEY Record Lookup: DNSSEC public keys for a zone
DS Record Lookup: DNSSEC delegation signer at the parent zone
HTTPS Record Lookup: Modern HTTPS service binding (ALPN, ECH, etc.)
SVCB Record Lookup: Generic service binding (RFC 9460)
PTR (Reverse DNS) Lookup: Reverse DNS: IP back to a hostname
SPF Check: SPF (v=spf1) record on the domain apex
DKIM Check: DKIM public key at <selector>._domainkey.<domain>
Home (defaults to A records)