No DMARC Record Found: How To Fix DMARC Errors?
There are a few reasons why you might encounter a DMARC error such as No DMARC Record Found. One common reason is that the record has never been added to the DNS. A DMARC record is not added to the DNS of your domain by default, which means you need to add it manually.
Other errors are caused by a wrong configuration.
What is DMARC?
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a standard email authentication method. DMARC helps mail administrators prevent hackers and other attackers from spoofing their organization and domain.
DMARC also lets you request reports from email servers that get messages from your organization or domain. These reports have information to help you identify possible authentication issues and malicious activity for messages sent from your domain.
Example DMARC record:
Host | Type | TTL | Value |
_dmarc.mydomain.com | TXT | 1 hour | v=DMARC1; p=quarantine; rua=mailto:[email protected] |
Here are some example DMARC errors and how to fix them:
No DMARC Record Found or DMARC Record Published Failed
If you encounter the error No DMARC Record Found, there are a few possible reasons why it happens.
Possible issues
- The DMARC record was added very recently and hasn’t been detected by your service provider yet. You may need to wait up to 48 hours for it to propagate.
- The DMARC record might have been set up incorrectly.
  - Example: the host _dmarc.mydomain.com should be mapped to the value, but @ or www was mapped instead.
- There is simply no DMARC record in the DNS yet.
DMARC records are published via DNS as text (TXT) records. They let receiving servers know what they should do with non-aligned email received from your domain.
Resolution
Create or modify the DMARC record in the DNS of your domain. Here’s an example of a basic DMARC record to add.
Host | Type | TTL | Value |
_dmarc.mydomain.com | TXT | 1 hour | v=DMARC1; p=quarantine; rua=mailto:[email protected] |
This record tells receiving servers to send an incoming email straight to the spam folder if it fails authentication, and to send a report to your preferred email address.
Note: Depending on the domain registrar, the host can be _dmarc. or _dmarc.mydomain.com.
No DMARC Protection
This warning indicates that the DMARC record for this domain does not currently protect against phishing and spoofing threats.
You may have a DMARC record present in the DNS, but it’s possible that the policy (p) tag is set to none.
Example DMARC with no protection:
Host | Type | TTL | Value |
_dmarc.mydomain.com | TXT | 1 hour | v=DMARC1; p=none; rua=mailto:[email protected] |
Resolution
To resolve this Warning you will need to set a Quarantine or Reject policy on the domain’s DMARC record. Setting a Quarantine or Reject value will prevent fraudsters from spoofing the domain as mail servers will Quarantine or Reject messages that fail authentication tests.
Policy tags (p)
none | No action is taken on messages that don’t pass the DMARC checks by the receiving server. Messages are delivered normally to the recipient. |
quarantine | Messages that aren’t authenticated with DMARC by the receiving server are sent to the recipient’s spam folder. If the receiving mail server has a quarantine configured, messages might be sent to quarantine, not directly to the recipient’s spam folder. |
reject | Messages that aren’t authenticated with DMARC by the receiving server are rejected, and never delivered to the recipient. The receiving server usually sends a bounce message to the sender. |
DMARC Syntax Invalid
The syntax within the DMARC record found is not valid. Invalid syntax in your DMARC record can impact email deliverability.
Example wrong syntax:
Host | Type | TTL | Value |
_dmarc.mydomain.com | TXT | 1 hour | DMARC; p=none; mailto:[email protected] |
In this example, the value is wrong because both the v= and rua= tags are missing.
Resolution
Double-check the value of your DMARC record and update it accordingly.
The correct syntax should be either “v=DMARC1; p=quarantine; rua=mailto:[email protected]” or “v=DMARC1; p=reject; rua=mailto:[email protected]”.
External Domains in your DMARC are not giving permission for your reports to be sent to them.
If you see this error, one of the “rua” or “ruf” email addresses in your DMARC record belongs to a domain that does not have a DNS TXT record verifying that it wishes to receive DMARC reports for your domain.
If you want to send your DMARC reports to a domain other than the one that the record is for, then the receiving domain needs to configure a DNS record so that Email Service Providers know that the recipient is authorizing the reports.
From RFC 7489
Verifying External Destinations
It is possible to specify destinations for the different reports that are outside the authority of the Domain Owner making the request.
This allows domains that do not operate mail servers to request reports and have them go someplace that is able to receive and process them.
Without checks, this would allow a bad actor to publish a DMARC policy record that requests that reports be sent to a victim address, and then send a large volume of mail that will fail both DKIM and SPF checks to a wide variety of destinations; the victim will in turn be flooded with unwanted reports. Therefore, a verification mechanism is included.
For example: If your domain is example.com and you want to send your reports to test.jameswafu.com, then the recipient domain (in this case JamesWafu.com) needs to have a TXT DNS record example.com._report._dmarc.test.jameswafu.com which has the content v=DMARC1. Note: This record is something that the recipient of your DMARC reports needs to configure.
Resolution
Contact the recipient of your reports and advise them to create a TXT record which looks like this:
Host | Type | TTL | Value |
example.com._report._dmarc.test.jameswafu.com | TXT | 1 hour | v=DMARC1 |
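The verification described above can be checked before publishing a record. The following is an added example, not code from the original page: it lists the authorization records that external rua/ruf destinations still need. The function names, the report addresses and the `SAMPLE_TXT` data are constructed for illustration, and a dictionary stands in for live DNS lookups.

```python
def parse_tags(record):
    """Split 'v=DMARC1; p=none; rua=...' into a {tag: value} dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def report_hosts(record):
    """Yield the mail host of every mailto: URI in the rua and ruf tags."""
    tags = parse_tags(record)
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(tag, "").split(",")):
            if uri.lower().startswith("mailto:"):
                # Drop an optional "!10m" size limit, keep the part after "@".
                address = uri[len("mailto:"):].split("!", 1)[0]
                yield address.rsplit("@", 1)[-1].lower().rstrip(".")

def unauthorized_destinations(policy_domain, record, txt_lookup):
    """Return the authorization record names that are still missing.

    Simplification (assumption of this example): a host counts as external
    unless it equals the policy domain or is a subdomain of it. RFC 7489
    compares Organizational Domains, which needs a public suffix list.
    """
    policy_domain = policy_domain.lower().rstrip(".")
    missing = []
    for host in sorted(set(report_hosts(record))):
        if host == policy_domain or host.endswith("." + policy_domain):
            continue
        name = f"{policy_domain}._report._dmarc.{host}"
        if not any(parse_tags(v).get("v") == "DMARC1" for v in txt_lookup(name)):
            missing.append(name)
    return missing

# Constructed zone data standing in for live DNS answers.
SAMPLE_TXT = {"example.com._report._dmarc.test.jameswafu.com": ["v=DMARC1"]}

def lookup(name):
    return SAMPLE_TXT.get(name, [])

# Constructed record: one authorized external host, one internal, one unauthorized.
RECORD = ("v=DMARC1; p=quarantine; "
          "rua=mailto:reports@test.jameswafu.com, mailto:dmarc@example.com; "
          "ruf=mailto:forensics@collector.invalid")

if __name__ == "__main__":
    for name in unauthorized_destinations("example.com", RECORD, lookup):
        print("missing TXT v=DMARC1 at", name)
```

Each name it returns is a TXT record the report recipient has to publish on their side.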
Your domain has more than one DMARC record. There should only be a single record.
From RFC 7489, Section 6.6.3 (Policy Discovery):
If the remaining set contains multiple records or no records, policy discovery terminates and DMARC processing is not applied to this message.
Resolution
Check through your TXT records and ensure that you have only one DMARC record in place. If there is another DMARC record with the host name _dmarc.mydomain.com, delete it.
This is relatively easy to fix, given that you only have a few DNS records.
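The errors covered so far (no record, invalid syntax, p=none, more than one record) can be expressed as one check over the TXT values found at _dmarc.mydomain.com. This is an added example, not code from the original page: the function names and the report address are constructed, and the TXT values are passed in as a list so it runs without a DNS lookup.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'v=DMARC1; p=none; rua=...' into a {tag: value} dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def diagnose(txt_values):
    """Map the TXT values at _dmarc.<domain> to the errors described above.

    Returns a list of findings; an empty list means none of them applies.
    """
    if not txt_values:
        return ["No DMARC Record Found"]
    # RFC 7489 section 6.6.3: only records that begin with v=DMARC1 count.
    records = [v for v in txt_values
               if v.split(";", 1)[0].replace(" ", "") == "v=DMARC1"]
    if not records:
        return ["DMARC Syntax Invalid: no record starts with v=DMARC1"]
    if len(records) > 1:
        return [f"More than one DMARC record ({len(records)} found)"]

    record, findings = records[0], []
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("DMARC Syntax Invalid: p must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                findings.append(f"DMARC Syntax Invalid: {tag} address lacks mailto:")
    # A bare token without "=" (for example a stray address) is malformed.
    if any(part.strip() and "=" not in part for part in record.split(";")):
        findings.append("DMARC Syntax Invalid: tag without '='")
    if policy == "none":
        findings.append("No DMARC Protection: p=none")
    return findings

if __name__ == "__main__":
    # Constructed samples modelled on the records shown on this page.
    for sample in ([], ["DMARC; p=none; mailto:dmarc@mydomain.com"],
                   ["v=DMARC1; p=none; rua=mailto:dmarc@mydomain.com"]):
        print(sample, "->", diagnose(sample))
```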
For more information, here are all the DMARC tags, with notes on when and how to use them.
DMARC record tags
Tag | Required? | Description |
v | Y | DMARC version. Must be DMARC1. |
p | Y | Instructs the receiving mail server what to do with messages that don’t pass authentication. none: Take no action on the message and deliver it to the intended recipient. Log messages in a daily report. The report is sent to the email address specified with the rua option in the record. |
pct | N | Specifies the percentage of unauthenticated messages that are subject to the DMARC policy. When you gradually deploy DMARC, you might start with a small percentage of your messages. As more messages from your domain pass authentication with receiving servers, update your record with a higher percentage, until you reach 100 percent. Must be a whole number from 1 to 100. If you don’t use this option in the record, your DMARC policy applies to 100% of messages sent from your domain. |
rua | N | Email address to receive reports about DMARC activity for your domain. The email address must include mailto:. For example: mailto:[email protected] To send the report to more than one email address, separate emails with a comma. This option can potentially result in a high volume of report emails. We don’t recommend using your own email address. Instead, consider using a dedicated mailbox, a group, or a third-party service that specializes in DMARC reports. |
ruf | N | Gmail doesn’t support the ruf tag, used to send failure reports. Failure reports are also called forensic reports. |
sp | N | Sets the policy for messages from subdomains of your primary domain. Use this option if you want to use a different DMARC policy for your subdomains. none: Take no action on the message and deliver it to the intended recipient. Log messages in a daily report. The report is sent to the email address specified with the rua option in the policy. |
adkim | N | Sets the alignment policy for DKIM, which defines how strictly message information must match DKIM signatures. s: Strict alignment. The sender domain name must exactly match the corresponding d=domainname in the DKIM mail headers. |
aspf | N | Sets the alignment policy for SPF, which specifies how strictly message information must match SPF signatures. s: Strict alignment. The message From header must exactly match the domain name in the SMTP MAIL FROM command. |
You may use MX Toolbox to check whether a DMARC record has been added to your domain correctly.