ServerRecords

Help & Troubleshooting

DMARC

What this is

DMARC (published at _dmarc.yourdomain.com) tells receivers what to do when a message claiming to be from your domain fails SPF/DKIM alignment — nothing (none), spam-folder it (quarantine), or reject it — and where to send aggregate reports.

How to read your result

Look at the p= policy and whether a rua= reporting address exists. p=none with reports is a legitimate starting state; staying there forever gives visibility without protection.

Common problems and how to fix them

No DMARC record at all

How it shows up: Anyone can spoof your exact domain in phishing mail and receivers have no instruction to stop it; you also have zero visibility into who sends as you.

How to fix it: Start with "v=DMARC1; p=none; rua=mailto:[email protected]" — it changes nothing about delivery but starts the reporting stream. Use the DMARC generator tool to build the record.

Stuck at p=none indefinitely

How it shows up: Reports flow but spoofed mail still reaches inboxes months later.

How to fix it: Review a few weeks of reports; once every legitimate source passes, move to p=quarantine (optionally with pct=25 ramping to 100), then p=reject. This staged rollout is the entire point of DMARC.

Enforcement broke legitimate mail

How it shows up: After moving to quarantine/reject, mail from some internal tool or third-party sender started disappearing.

How to fix it: That sender was never properly authenticated. Add it to SPF and/or set up DKIM signing for it, verify in reports, then restore enforcement — dropping back to p=none permanently would surrender the protection.

Reports go nowhere or overwhelm a personal inbox

How it shows up: The rua mailbox bounces (invalidating your reporting) or fills with XML attachments nobody reads.

How to fix it: Point rua at a dedicated mailbox or a DMARC report-processing service, and make sure the address actually accepts mail from external senders.

Run a look up for this record