"\"No DMARC Record Found\" — What It Means and How to Add One"
What Does "No DMARC Record Found" Mean?
It means your domain does not have a DMARC DNS record, so receiving mail servers have no policy for handling emails that fail authentication. Without DMARC, anyone can send email that appears to come from your domain, and recipients have no way to verify whether it is legitimate.
This is not just a security gap — it also affects deliverability. Google and Yahoo now require a DMARC record for domains that send bulk email. Without one, your messages may be throttled, flagged as spam, or rejected.
How to Check If You Have a DMARC Record
Run this command:
dig +short TXT _dmarc.yourdomain.com
If the result is empty, you do not have a DMARC record. If it returns something like v=DMARC1; p=none; ..., you already have one.
You can also check using nslookup:
nslookup -type=TXT _dmarc.yourdomain.com
How to Add a DMARC Record
Step 1: Choose Your Starting Policy
Start with p=none — this enables monitoring without affecting email delivery:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
| Tag | Meaning |
|---|---|
v=DMARC1 | Protocol version (required) |
p=none | Policy: monitor only, do not block anything |
rua=mailto:... | Where to send aggregate reports |
Step 2: Add the DNS Record
Log in to your DNS provider (Cloudflare, Route 53, GoDaddy, Namecheap, etc.) and create a new TXT record:
- Host/Name:
_dmarc - Type:
TXT - Value:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com - TTL: 3600 (or your provider's default)
The record lives at _dmarc.yourdomain.com — most DNS providers will automatically append your domain to _dmarc.
Step 3: Verify the Record
Wait a few minutes for DNS propagation, then verify:
dig +short TXT _dmarc.yourdomain.com
You should see your DMARC record in the response.
Step 4: Monitor Your Reports
Within 24–48 hours, you will start receiving aggregate reports from mail providers (Google, Microsoft, Yahoo, etc.) at the email address you specified in the rua tag. These reports are in XML format and contain data about:
- Who is sending email on behalf of your domain
- Whether those emails pass or fail SPF and DKIM
- What volume is coming from each source
Understanding DMARC Record Tags
Here is a complete reference for all DMARC tags:
| Tag | Required | Values | Description |
|---|---|---|---|
v | Yes | DMARC1 | Protocol version |
p | Yes | none, quarantine, reject | Policy for your domain |
rua | No (but strongly recommended) | mailto:address | Aggregate report destination |
ruf | No | mailto:address | Forensic report destination |
sp | No | none, quarantine, reject | Policy for subdomains |
adkim | No | r (relaxed), s (strict) | DKIM alignment mode (default: relaxed) |
aspf | No | r (relaxed), s (strict) | SPF alignment mode (default: relaxed) |
pct | No | 0–100 | Percentage of failing emails to apply policy to |
fo | No | 0, 1, d, s | Failure reporting options |
Prerequisites: Do You Have SPF and DKIM?
DMARC depends on SPF and DKIM. Before your DMARC record can be useful, verify:
SPF: Check for an existing SPF record:
dig +short TXT yourdomain.com | grep spf
If you do not have one, add a TXT record to your root domain listing your authorized senders. Example for Google Workspace:
v=spf1 include:_spf.google.com ~all
DKIM: DKIM configuration depends on your email provider. Check your provider's documentation for generating and publishing DKIM keys. You can verify DKIM is working by checking the headers of a sent email for a DKIM-Signature header with your domain.
What Happens After You Add a DMARC Record?
With p=none, nothing changes about your email delivery. Emails that fail authentication are still delivered — you are just collecting data. This is the safe way to start.
Your next steps:
- Read your reports — Identify all services sending email on your behalf
- Authorize legitimate senders — Make sure each one passes SPF or DKIM alignment
- Move to
p=quarantine— Failing emails go to spam instead of the inbox - Move to
p=reject— Failing emails are blocked entirely
This progression typically takes 4–8 weeks, depending on how many sending services you use and how quickly you can configure them.
FAQ
Is DMARC required?
For bulk email senders (5,000+ messages/day), yes — Google and Yahoo require a DMARC record. For smaller senders, it is not technically required but is strongly recommended. Without DMARC, your domain is unprotected against spoofing.
Will adding a DMARC record break my email?
No — not if you start with p=none. This policy tells receivers to deliver all email normally and just send you reports. It has zero impact on delivery. Only p=quarantine and p=reject affect delivery.
Can I use a free email address for the rua tag?
Yes, you can use any email address (e.g., dmarc-reports@gmail.com). However, if the rua address is on a different domain than the DMARC record, the receiving domain must publish a corresponding DNS record authorizing it to receive reports. Using an address on your own domain avoids this extra step.
How often do aggregate reports arrive?
Most email providers send aggregate reports once every 24 hours, though some may send them more or less frequently. The reports cover all email activity for your domain during that period.