Skip to main content

Fix Guides

How to Fix a Missing DMARC Record

Add the policy that tells receivers how to handle unauthenticated mail from your domain.

Quick fix

To fix a missing DMARC record, publish a DNS TXT record at _dmarc.yourdomain.com starting with v=DMARC1; p=none; rua=mailto:you@yourdomain.com. Ensure SPF and DKIM work first, monitor reports, then escalate to p=quarantine and p=reject. Re-scan after propagation.

DMARC builds on SPF and DKIM with an enforceable policy and reporting. Without it, receivers have no standard instruction for handling spoofed mail using your domain, and major providers increasingly expect DMARC for bulk senders.

Check your website

See how your site handles how to fix a missing dmarc record — free, no account needed.

Business impact

DMARC is your anti-phishing control: it stops criminals from sending mail that looks like it comes from your company and gives you reports on who is using your domain. Google and Yahoo now require it for bulk senders. A missing DMARC record is a visible gap in your email security posture.

Why this happens

DMARC is missing when no TXT record at _dmarc.domain contains v=DMARC1. Sometimes a record exists on the apex by mistake — it must be on the _dmarc subdomain. DMARC only works when SPF or DKIM passes and aligns with the From header, so publishing DMARC before fixing SPF/DKIM can surface deliverability issues (which is why you start at p=none).

How to confirm the issue

Manually: run nslookup -type=TXT _dmarc.yourdomain.com. No v=DMARC1 line means DMARC is missing.

With Plexa Trust: scan your domain and look for "DMARC Record Missing". After adding the record, re-scan once DNS has propagated.

Step-by-step fix

  1. Confirm SPF and DKIM are working for every legitimate sender (fix those first if not).

  2. Choose a mailbox to receive aggregate reports (rua=mailto:...).

  3. Add a TXT record: Host _dmarc, Value v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com.

  4. Wait for propagation and send test mail — check Authentication-Results for dmarc=pass.

  5. Review aggregate reports for 2–4 weeks; fix any failing senders.

  6. Escalate policy to p=quarantine, then p=reject when clean.

Platform-specific fixes

Cloudflare DNS

  1. DNS → Add record → Type TXT, Name _dmarc, Content your DMARC policy string.

  2. Example starter: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1.

  3. Save and verify with a DMARC lookup tool.

Google Workspace / Microsoft 365

  1. Neither auto-creates DMARC — you add it at your DNS host regardless of email provider.

  2. Use the same _dmarc TXT record; ensure SPF and DKIM are already configured in Admin/Defender.

  3. Optionally use a DMARC report analyser (Postmark, dmarcian, etc.) for easier report reading.

GoDaddy / Namecheap / Route 53

  1. Add TXT record with Host/Name _dmarc (some panels want _dmarc.yourdomain.com — follow their convention).

  2. Paste the full DMARC value; semicolons separate tags.

  3. Allow propagation time before testing.

DMARC monitoring services

  1. Services like Postmark DMARC, dmarcian or Valimail provide a ready-made rua address.

  2. They give you the exact TXT value to publish — often including both rua and ruf tags.

  3. Use their dashboard to identify senders before moving to p=reject.

How to verify the fix

  • Start with p=none — it is a monitoring phase, not the end state.

  • Collect and read aggregate (rua) reports before enforcing.

  • Aim for p=reject with strict alignment once all senders pass.

  • Re-scan with Plexa Trust and confirm "DMARC Record Missing" is cleared.

Common mistakes

  • Publishing DMARC on the apex domain instead of _dmarc.

  • Jumping straight to p=reject before fixing SPF/DKIM — blocks legitimate mail.

  • Leaving p=none forever so spoofing is never actually blocked.

  • No rua address — you lose visibility into misconfigured senders.

Frequently asked questions

Where does the DMARC record go?

As a TXT record at _dmarc.yourdomain.com — not on the apex domain.

What policy should I start with?

p=none monitors without blocking. Fix issues from reports, then move to quarantine and reject.

What is DMARC alignment?

The domain verified by SPF or DKIM must match the visible From domain. Alignment is what stops attackers passing checks on their own domain while spoofing yours.

Do I need DMARC if I have SPF?

Yes. SPF alone does not tell receivers what to do with failures and does not protect the visible From address fully. DMARC ties it together.

What are DMARC reports?

Aggregate (rua) XML summaries of who sent mail as your domain and whether SPF/DKIM/DMARC passed. Use them to find gaps before enforcing.

Is p=reject safe?

Once every legitimate sender passes SPF or DKIM with alignment, yes — it is the strongest anti-spoofing setting. Do not enable it prematurely.

How long until DMARC propagates?

Same as any DNS TXT record — often under an hour, up to 48 hours.

How do I confirm it worked?

Lookup _dmarc.yourdomain.com, send test mail checking dmarc=pass, and re-scan with Plexa Trust.

Think you've fixed it?

Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.

Verify with a free scan

Upgrade to Pro for monitoring