Your domain does not have a DMARC TXT record at _dmarc.yourdomain.com. Without DMARC, there is no policy telling receivers what to do with emails that fail SPF and DKIM authentication.
Add a DMARC TXT record at `_dmarc.yourdomain.com`.
No DMARC DNS record was found for your domain. This means even if you have SPF and DKIM configured, there is no policy instructing receivers on how to handle authentication failures.
DMARC is the policy layer that ties SPF and DKIM together. Without it, spoofed emails from your domain have a higher chance of being delivered. Google and Yahoo require DMARC for bulk senders.
Start with a monitoring-only policy to collect data before enforcing.
v=DMARC1; p=none; rua=mailto:[email protected]Create a TXT record at the _dmarc subdomain.
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]
TTL: 3600The rua address will receive aggregate reports. Consider using a DMARC report processor to parse the XML reports into readable dashboards.
Check that the DMARC record is published and parseable.
dig +short TXT _dmarc.yourdomain.com
# Expected: "v=DMARC1; p=none; rua=mailto:[email protected]"After 2-4 weeks of monitoring reports, plan to upgrade to p=quarantine and eventually p=reject.
After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.
The simplest functional DMARC record is: v=DMARC1; p=none; rua=mailto:[email protected] — This monitors without enforcing, and sends you aggregate reports.
DMARC checks alignment with SPF and/or DKIM, so at least one should be configured. Ideally, set up both SPF and DKIM before deploying DMARC.
As of 2024, Google and Yahoo require DMARC for domains sending more than 5,000 emails per day. Even for smaller senders, DMARC is strongly recommended.