No DMARC Record Found: How To Fix DMARC Errors?

There are a few reasons why you may encounter a DMARC error like No DMARC Record Found. One common reason is that the record has never been added to the DNS. A DMARC record is not added to your domain's DNS by default, which means you need to add it manually.

Other reasons come down to incorrect configuration.

What is DMARC?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a standard email authentication method. DMARC helps mail administrators prevent hackers and other attackers from spoofing their organization and domain.

DMARC also lets you request reports from email servers that get messages from your organization or domain. These reports have information to help you identify possible authentication issues and malicious activity for messages sent from your domain.

Example DMARC record:

| Host | Type | TTL | Value |
|---|---|---|---|
| _dmarc.mydomain.com | TXT | 1 hour | v=DMARC1; p=quarantine; rua=mailto:[email protected] |

 

Here are some example DMARC errors and how to fix them:

No DMARC Record Found or DMARC Record Published Failed

If you encounter the error No DMARC Record Found, there are a few possible reasons why it happens.

Possible issues

  • The DMARC record was added very recently and hasn’t been detected by your service provider yet. You may need to wait up to 48 hours for it to propagate.
  • The DMARC record might have been set up incorrectly.
    • Ex. the host _dmarc.mydomain.com should be mapped to the value, but @ or www was mapped instead.
  • There is simply no DMARC record in the DNS yet.

DMARC records are published via DNS as text (TXT) records. They let receiving servers know what to do with non-aligned email received from your domain.

Resolution

Create or modify the DMARC record in the DNS of your domain. Here’s a basic example DMARC record to add.

| Host | Type | TTL | Value |
|---|---|---|---|
| _dmarc.mydomain.com | TXT | 1 hour | v=DMARC1; p=quarantine; rua=mailto:[email protected] |

This record tells receiving servers to send a message to the spam folder if it fails authentication, and to send reports to your preferred email address.

Note: Depending on the domain registrar, the host can be _dmarc. or _dmarc.mydomain.com.

 

No DMARC Protection

This warning indicates that the domain is not currently protected against phishing and spoofing threats.

You may have a DMARC record present in the DNS, but it’s possible that the policy (p) tag is set to none.

Example DMARC with no protection:

| Host | Type | TTL | Value |
|---|---|---|---|
| _dmarc.mydomain.com | TXT | 1 hour | v=DMARC1; p=none; rua=mailto:[email protected] |

Resolution

To resolve this Warning you will need to set a Quarantine or Reject policy on the domain’s DMARC record. Setting a Quarantine or Reject value will prevent fraudsters from spoofing the domain as mail servers will Quarantine or Reject messages that fail authentication tests.

Policy tags (p)

  • none: No action is taken on messages that don’t pass the DMARC checks by the receiving server. Messages are delivered normally to the recipient.
  • quarantine: Messages that aren’t authenticated with DMARC by the receiving server are sent to the recipient’s spam folder. If the receiving mail server has a quarantine configured, messages might be sent to quarantine, not directly to the recipient’s spam folder.
  • reject: Messages that aren’t authenticated with DMARC by the receiving server are rejected, and never delivered to the recipient. The receiving server usually sends a bounce message to the sender.

 

DMARC Syntax Invalid

The syntax within the DMARC record found is not valid. Invalid syntax in your DMARC record can impact email deliverability.

Example wrong syntax:

| Host | Type | TTL | Value |
|---|---|---|---|
| _dmarc.mydomain.com | TXT | 1 hour | DMARC; p=none; mailto:[email protected] |

In this example, the value is wrong because both the v= and rua= tags are missing.

Resolution

Double-check the value of your DMARC and update it accordingly.

The correct syntax should be either “v=DMARC1; p=quarantine; rua=mailto:[email protected]” or “v=DMARC1; p=reject; rua=mailto:[email protected]”.

 

External Domains in your DMARC are not giving permission for your reports to be sent to them.

If you see this error, one of the “rua” or “ruf” email addresses in your record does not have a DNS TXT record verifying that they wish to receive DMARC reports for your domain.

If you want to send your DMARC reports to a domain other than the one that the record is for, then the receiving domain needs to configure a DNS record so that Email Service Providers know that the recipient is authorizing the reports.

From RFC-7489

Verifying External Destinations

It is possible to specify destinations for the different reports that are outside the authority of the Domain Owner making the request.

This allows domains that do not operate mail servers to request reports and have them go someplace that is able to receive and process them.

Without checks, this would allow a bad actor to publish a DMARC policy record that requests that reports be sent to a victim address, and then send a large volume of mail that will fail both DKIM and SPF checks to a wide variety of destinations; the victim will in turn be flooded with unwanted reports. Therefore, a verification mechanism is included.

For example: If your domain is example.com and you want to send your reports to test.jameswafu.com, then the recipient domain (in this case JamesWafu.com) needs to have a TXT DNS record example.com._report._dmarc.test.jameswafu.com which has the content v=DMARC1. Note: This record is something that the recipient of your DMARC reports needs to configure. 

Resolution

Contact the recipient of your reports and ask them to create a TXT record that looks like this:

| Host | Type | TTL | Value |
|---|---|---|---|
| example.com._report._dmarc.test.jameswafu.com | TXT | 1 hour | v=DMARC1 |
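
To work out which authorization records a given DMARC record depends on, the name can be derived from the rua/ruf addresses as RFC 7489 describes. The following is an added example, not code from the original page: the mailbox names are constructed, and `org_domain` is a simplifying assumption (real receivers use the Public Suffix List).

```python
import re

def org_domain(host):
    """Naive organizational domain: the last two labels of the host.
    Assumption for this sketch; real receivers consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def report_hosts(record):
    """Hosts of every mailto: URI listed in the rua= and ruf= tags."""
    hosts = []
    for part in record.split(";"):
        tag, _, value = part.strip().partition("=")
        if tag.strip().lower() in ("rua", "ruf"):
            for uri in value.split(","):
                # A URI may carry a size limit suffix such as "!10m"; stop at "!".
                m = re.match(r"\s*mailto:[^@\s]+@([^!\s]+)", uri, re.I)
                if m:
                    hosts.append(m.group(1).lower())
    return hosts

def required_authorizations(policy_domain, record):
    """TXT names that external report receivers must publish with v=DMARC1."""
    names = []
    for host in report_hosts(record):
        if org_domain(host) != org_domain(policy_domain):
            name = f"{policy_domain.lower()}._report._dmarc.{host}"
            if name not in names:
                names.append(name)
    return names

def is_authorized(txt_at_name):
    """True when a TXT string found at the authorization name starts with v=DMARC1."""
    return any(re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", t) for t in txt_at_name)

# Constructed record for example.com: one external and one internal destination.
RECORD = ("v=DMARC1; p=quarantine; "
          "rua=mailto:reports@test.jameswafu.com!10m,mailto:dmarc@example.com; "
          "ruf=mailto:forensics@test.jameswafu.com")

if __name__ == "__main__":
    for name in required_authorizations("example.com", RECORD):
        print("receiver must publish TXT at", name)
```

Look up each returned name as a TXT record and pass the answers to `is_authorized`; an empty answer means the receiver has not authorized your reports yet.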

 

Your domain has more than one DMARC record. There should only be a single record.

From RFC 7489 in Section 6.6.3 Policy Discovery

If the remaining set contains multiple records or no records, policy discovery terminates and DMARC processing is not applied to this message.

Resolution

Check through your TXT records and ensure that you have only one DMARC record in place. If there is more than one record with the host name _dmarc.mydomain.com, delete the others.

This is relatively easy to fix, given that you only have a few DNS records.
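
The errors covered in the sections above (no record found, no protection, invalid syntax, more than one record) can all be checked in one pass over the TXT strings returned for _dmarc.mydomain.com. The following is an added example, not code from the original page; the sample records and the report address in them are constructed.

```python
import re

POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into pairs; value is None when '=' is missing."""
    pairs = []
    for part in filter(None, (p.strip() for p in record.split(";"))):
        tag, sep, value = part.partition("=")
        pairs.append((tag.strip().lower(), value.strip() if sep else None))
    return pairs

def lint_dmarc(txt_records):
    """Return the problems found in the TXT strings published at _dmarc.<domain>."""
    # Policy discovery keeps only strings that begin with the v=DMARC1 tag.
    found = [r for r in txt_records if re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", r)]
    if not found:
        if any("dmarc" in r.lower() for r in txt_records):
            return ["syntax invalid: record does not start with v=DMARC1"]
        return ["no DMARC record found"]
    if len(found) > 1:
        return ["multiple DMARC records: DMARC processing is not applied"]
    pairs = parse_tags(found[0])
    problems = [f"syntax invalid: '{t}' is not a tag=value pair" for t, v in pairs if v is None]
    tags = {t: v for t, v in pairs if v is not None}
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        problems.append("syntax invalid: p must be none, quarantine or reject")
    elif policy == "none":
        problems.append("no protection: p=none only monitors")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:"):
            problems.append(f"syntax invalid: rua address '{uri}' lacks mailto:")
    return problems

# Constructed sample TXT answers (the report address is a placeholder).
SAMPLES = {
    "good": ["v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@mydomain.com"],
    "monitor-only": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@mydomain.com"],
    "bad-syntax": ["DMARC; p=none; mailto:dmarc-reports@mydomain.com"],
    "duplicate": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "missing": [],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, "->", lint_dmarc(records) or "OK")
```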

 

For more information, here are all the DMARC tags, with when and how to use them.

DMARC record tags

 

v (required): DMARC version. Must be DMARC1.

p (required): Instructs the receiving mail server what to do with messages that don’t pass authentication.
  • none: Take no action on the message and deliver it to the intended recipient. Log messages in a daily report. The report is sent to the email address specified with the rua option in the record.
  • quarantine: Mark the messages as spam and send them to the recipient’s spam folder. Recipients can review spam messages to identify legitimate messages.
  • reject: Reject the message. With this option, the receiving server usually sends a bounce message to the sending server.

pct (optional): Specifies the percentage of unauthenticated messages that are subject to the DMARC policy. When you gradually deploy DMARC, you might start with a small percentage of your messages. As more messages from your domain pass authentication with receiving servers, update your record with a higher percentage, until you reach 100 percent.

Must be a whole number from 1 to 100. If you don’t use this option in the record, your DMARC policy applies to 100% of messages sent from your domain.

rua (optional): Email address to receive reports about DMARC activity for your domain.

The email address must include mailto:. For example: mailto:[email protected]

To send the report to more than one email address, separate emails with a comma.

This option can potentially result in a high volume of report emails. We don’t recommend using your own email address. Instead, consider using a dedicated mailbox, a group, or a third-party service that specializes in DMARC reports.

ruf (optional): Gmail doesn’t support the ruf tag, used to send failure reports. Failure reports are also called forensic reports.

sp (optional): Sets the policy for messages from subdomains of your primary domain. Use this option if you want to use a different DMARC policy for your subdomains.
  • none: Take no action on the message and deliver it to the intended recipient. Log messages in a daily report. The report is sent to the email address specified with the rua option in the policy.
  • quarantine: Mark the messages as spam and send them to the recipient’s spam folder. Recipients can review spam messages to identify legitimate messages.
  • reject: Reject the message. With this option, the receiving server should send a bounce message to the sending server.

If you don’t use this option in the record, subdomains inherit the DMARC policy set for the parent domain.

adkim (optional): Sets the alignment policy for DKIM, which defines how strictly message information must match DKIM signatures.
  • s: Strict alignment. The sender domain name must exactly match the corresponding d=domainname in the DKIM mail headers.
  • r: Relaxed alignment (default). Allows partial matches. Any valid subdomain of d=domain in the DKIM mail headers is accepted.

aspf (optional): Sets the alignment policy for SPF, which specifies how strictly message information must match SPF signatures.
  • s: Strict alignment. The message From header must exactly match the domain name in the SMTP MAIL FROM command.
  • r: Relaxed alignment (default). Allows partial matches. Any valid subdomain of domain name is accepted.

You can use MX Toolbox to check whether a DMARC record has been added to your domain correctly.
