Help & Troubleshooting
DMARC
What this is
DMARC (published at _dmarc.yourdomain.com) tells receivers what to do when a message claiming to be from your domain fails SPF/DKIM alignment — nothing (none), spam-folder it (quarantine), or reject it — and where to send aggregate reports.
How to read your result
Look at the p= policy and whether a rua= reporting address exists. p=none with reports is a legitimate starting state; staying there forever gives visibility without protection.
Common problems and how to fix them
No DMARC record at all
How it shows up: Anyone can spoof your exact domain in phishing mail and receivers have no instruction to stop it; you also have zero visibility into who sends as you.
How to fix it: Start with "v=DMARC1; p=none; rua=mailto:[email protected]" — it changes nothing about delivery but starts the reporting stream. Use the DMARC generator tool to build the record.
Stuck at p=none indefinitely
How it shows up: Reports flow but spoofed mail still reaches inboxes months later.
How to fix it: Review a few weeks of reports; once every legitimate source passes, move to p=quarantine (optionally with pct=25 ramping to 100), then p=reject. This staged rollout is the entire point of DMARC.
Enforcement broke legitimate mail
How it shows up: After moving to quarantine/reject, mail from some internal tool or third-party sender started disappearing.
How to fix it: That sender was never properly authenticated. Add it to SPF and/or set up DKIM signing for it, verify in reports, then restore enforcement — dropping back to p=none permanently would surrender the protection.
Reports go nowhere or overwhelm a personal inbox
How it shows up: The rua mailbox bounces (invalidating your reporting) or fills with XML attachments nobody reads.
How to fix it: Point rua at a dedicated mailbox or a DMARC report-processing service, and make sure the address actually accepts mail from external senders.