To fix a missing DMARC record, publish a DNS TXT record at _dmarc.yourdomain.com starting with v=DMARC1; p=none; rua=mailto:you@yourdomain.com. Ensure SPF and DKIM work first, monitor reports, then escalate to p=quarantine and p=reject. Re-scan after propagation.
DMARC builds on SPF and DKIM with an enforceable policy and reporting. Without it, receivers have no standard instruction for handling spoofed mail using your domain, and major providers increasingly expect DMARC for bulk senders.
Check your website
See how your site handles how to fix a missing dmarc record — free, no account needed.
Business impact
DMARC is your anti-phishing control: it stops criminals from sending mail that looks like it comes from your company and gives you reports on who is using your domain. Google and Yahoo now require it for bulk senders. A missing DMARC record is a visible gap in your email security posture.
Why this happens
DMARC is missing when no TXT record at _dmarc.domain contains v=DMARC1. Sometimes a record exists on the apex by mistake — it must be on the _dmarc subdomain. DMARC only works when SPF or DKIM passes and aligns with the From header, so publishing DMARC before fixing SPF/DKIM can surface deliverability issues (which is why you start at p=none).
How to confirm the issue
Manually: run nslookup -type=TXT _dmarc.yourdomain.com. No v=DMARC1 line means DMARC is missing.
With Plexa Trust: scan your domain and look for "DMARC Record Missing". After adding the record, re-scan once DNS has propagated.
Step-by-step fix
Confirm SPF and DKIM are working for every legitimate sender (fix those first if not).
Choose a mailbox to receive aggregate reports (
rua=mailto:...).Add a TXT record: Host
_dmarc, Valuev=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com.Wait for propagation and send test mail — check Authentication-Results for dmarc=pass.
Review aggregate reports for 2–4 weeks; fix any failing senders.
Escalate policy to
p=quarantine, thenp=rejectwhen clean.
Platform-specific fixes
Cloudflare DNS
DNS → Add record → Type TXT, Name
_dmarc, Content your DMARC policy string.Example starter:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1.Save and verify with a DMARC lookup tool.
Google Workspace / Microsoft 365
Neither auto-creates DMARC — you add it at your DNS host regardless of email provider.
Use the same _dmarc TXT record; ensure SPF and DKIM are already configured in Admin/Defender.
Optionally use a DMARC report analyser (Postmark, dmarcian, etc.) for easier report reading.
GoDaddy / Namecheap / Route 53
Add TXT record with Host/Name
_dmarc(some panels want_dmarc.yourdomain.com— follow their convention).Paste the full DMARC value; semicolons separate tags.
Allow propagation time before testing.
DMARC monitoring services
Services like Postmark DMARC, dmarcian or Valimail provide a ready-made rua address.
They give you the exact TXT value to publish — often including both rua and ruf tags.
Use their dashboard to identify senders before moving to p=reject.
How to verify the fix
Start with
p=none— it is a monitoring phase, not the end state.Collect and read aggregate (rua) reports before enforcing.
Aim for
p=rejectwith strict alignment once all senders pass.Re-scan with Plexa Trust and confirm "DMARC Record Missing" is cleared.
Common mistakes
Publishing DMARC on the apex domain instead of
_dmarc.Jumping straight to
p=rejectbefore fixing SPF/DKIM — blocks legitimate mail.Leaving
p=noneforever so spoofing is never actually blocked.No rua address — you lose visibility into misconfigured senders.
Frequently asked questions
Where does the DMARC record go?
As a TXT record at _dmarc.yourdomain.com — not on the apex domain.
What policy should I start with?
p=none monitors without blocking. Fix issues from reports, then move to quarantine and reject.
What is DMARC alignment?
The domain verified by SPF or DKIM must match the visible From domain. Alignment is what stops attackers passing checks on their own domain while spoofing yours.
Do I need DMARC if I have SPF?
Yes. SPF alone does not tell receivers what to do with failures and does not protect the visible From address fully. DMARC ties it together.
What are DMARC reports?
Aggregate (rua) XML summaries of who sent mail as your domain and whether SPF/DKIM/DMARC passed. Use them to find gaps before enforcing.
Is p=reject safe?
Once every legitimate sender passes SPF or DKIM with alignment, yes — it is the strongest anti-spoofing setting. Do not enable it prematurely.
How long until DMARC propagates?
Same as any DNS TXT record — often under an hour, up to 48 hours.
How do I confirm it worked?
Lookup _dmarc.yourdomain.com, send test mail checking dmarc=pass, and re-scan with Plexa Trust.
Think you've fixed it?
Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.
Verify with a free scan