DMARC Record Invalid (Syntax and Tag Structure Errors)
DMARC lives in `_dmarc.domain` as a TXT record beginning with `v=DMARC1`. Everything after that is a `tag=value` grammar separated by semicolons. A single illegal character—like a Unicode semicolon, duplicated `p=` keys, or `sp=quarantine` misspelled—forces parsers to reject the entire record. Unlike SPF, there is no partial credit: receivers either consume a coherent policy or behave as if DMARC were missing or malformed depending on their implementation. Mixed-case tag names, line-wrapped TXT outside proper quoted spans, and accidental SPF records pasted into `_dmarc` are common sources of silent failure during migrations. Often the first step is confirming you even have a DMARC record and that the policy value matches your enforcement goal.
Updated for 2026 to reflect current Gmail, Outlook, and Yahoo behavior.
If policies are not enforced, review the DMARC setup guide.
Learn the bigger picture in our Email Authentication Explained guide and compare SPF vs DKIM vs DMARC to understand how these protocols work together.
Quick answer
- Only one DMARC TXT should answer for the organisational domain.
- Tags are `alpha=value` pairs; whitespace around `=` breaks strict parsers.
- Aggregate tags like `rua=` accept comma-separated mailto URIs—not spaces between addresses.
- Unknown experimental tags must still follow `token=value` format or be omitted.
One-Minute Fix
Rebuild the record from a known-good template: `v=DMARC1; p=…; rua=mailto:…`, ensure every tag ends with `;` except optionally the last, remove duplicate tag names, and publish a single TXT at `_dmarc.example.com` without mixing unrelated SPF content.
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"Validate with an RFC-aware checker; eyeballing in the registrar preview misses invisible Unicode.
Run free checkFree live DNS check. No signup required.
Wrong vs correct setup
Wrong setup
_dmarc.example.com TXT v=DMARC1 p=none rua=mailto:reports@example.comMissing semicolons between tags breaks tokenisation completely—even though humans read it fine.
Correct setup
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:reports@example.com;"Semicolons separate tags; trailing semicolon optional but including it avoids editor mistakes.
Why invalid DMARC slips in
Teams copy examples from blogs with soft spaces, or merge two policies during a hurried merger Friday. Some DNS UIs also auto-insert line breaks that must be recombined into valid TXT strings. Misaligned authentication paths often show up as DMARC alignment failures or a reporting address that never receives data.
Impact of an invalid record
- Receivers cannot apply requested disposition, undermining spoofing strategy.
- Monitoring endpoints never receive `rua` because policy never parsed.
- Forensic tooling shows conflicting ‘present’ vs ‘usable’ states.
- Compliance audits flag missing effective DMARC even though DNS ‘has something’.
Deliverability angle
Invalid DMARC erodes enforcement signals—messages fall back to provider heuristics, making outcomes less predictable than a deliberate `p=none` baseline. Over time, well-tuned DMARC aggregate reports and a clear policy stance are what help inbox providers separate your legitimate traffic from spoofing attempts.
Common causes
- Accidental SPF record placed at `_dmarc`.
- Duplicate `v=DMARC1;` blocks concatenated into one TXT set incorrectly.
- Mixing Google/Microsoft template fragments without merging tags.
- Using commas inside `p=` where only `none|quarantine|reject` are legal.
What we checked
We fetch `_dmarc` TXT and evaluate structural validity before semantic policy analysis. Syntax errors preempt interpretation of enforcement or reporting directives.
Live DNS lookup. No login. No saved domains. No tracking.
FAQ
Does BOM at the start matter?
Invisible byte-order marks count as bad leading characters. Strip them if copy/paste introduced them.
Can comments exist inside DMARC TXT?
No—unlike SPF, DMARC has no comment syntax. Remove parenthetical notes.
What if I need many RUA endpoints?
Use comma-separated mailto URIs without spaces; verify each mailbox accepts reports.
Next steps
- Back up existing TXT then delete conflicting duplicates.
- Paste policy into a plain-text validator before publish.
- Republish a single coherent record.
- Query DNS globally to confirm one authoritative answer.
- Run aggregate report arrival checks after syntax passes.
- Review the full troubleshooting guidance in the DMARC Hub.
- Explore sender authorization issues in the SPF Hub.
- Check signing and selector issues in the DKIM Hub.