No DMARC Record Found
If a domain does not publish a DMARC record, mailbox providers cannot apply a domain-level policy for authentication failures. DMARC acts as the policy layer that interprets SPF and DKIM results and instructs receivers how to treat suspicious messages. Without a DMARC record, spoofed emails pretending to come from your domain may still reach recipients.
One-Minute Fix
Publish a valid DMARC TXT record under the _dmarc subdomain of your domain.
v=DMARC1; p=none; rua=mailto:dmarc@example.comThis monitoring policy lets you collect DMARC reports before moving to stricter enforcement such as quarantine or reject.
Re-checkWrong vs correct setup
Wrong setup
# No TXT record published at _dmarc.example.comThis is broken because the domain publishes no DMARC policy at all. Receivers can still evaluate SPF and DKIM, but they do not have a domain-level instruction for what to do when authentication fails.
Correct setup
v=DMARC1; p=none; rua=mailto:dmarc@example.comThis is the correct starting pattern. The domain publishes a valid DMARC policy, enabling reporting and making later enforcement possible.
Why this happens
Many domains configure SPF or DKIM but never add a DMARC policy. Others lose their DMARC record during DNS migrations, provider changes, or manual cleanup of authentication records.
Why this is a problem
- Mailbox providers cannot enforce anti-spoofing policies for your domain.
- Phishing emails can impersonate your domain more easily.
- You lose visibility into authentication failures.
- DMARC aggregate and forensic reporting is unavailable.
How this affects deliverability
Domains without DMARC policies appear less mature and less controlled to mailbox providers. Over time, this can weaken trust in the domain and make abuse harder to contain.
Common causes
- SPF and DKIM were configured but DMARC was never deployed.
- DNS migrations accidentally removed the DMARC record.
- Teams assumed SPF alone was enough protection.
- Email providers did not automatically generate a DMARC policy.
What we checked
We looked for a TXT record under _dmarc.yourdomain that begins with v=DMARC1. If none exists, the domain has no published DMARC policy.
Live DNS lookup. No login. No saved domains. No tracking.
FAQ
Can email still work without DMARC?
Yes. Mail can still be delivered, but receivers do not have a domain-level enforcement policy for messages that fail SPF or DKIM alignment.
Should I start with p=reject immediately?
Usually no. Most domains start with p=none to collect reports and confirm legitimate senders before moving to quarantine or reject.
Where must the DMARC record be published?
At the _dmarc subdomain, for example _dmarc.example.com, as a TXT record beginning with v=DMARC1.
Next steps
- Publish a DMARC TXT record under _dmarc.
- Start with p=none unless you have already audited all legitimate senders.
- Add a valid rua mailbox to receive aggregate reports.
- Review report data before increasing enforcement.
- Re-run the check after DNS propagation.
- Review the full troubleshooting guidance in the DMARC Hub.
- Explore sender authorization issues in the SPF Hub.
- Check signing and selector issues in the DKIM Hub.