DMARC Record Not Found: Causes and How to Fix It

You ran a DMARC check and got an error: “No DMARC record found” or “DMARC record missing.” Maybe a security scanner flagged your domain. Maybe your email provider is warning you about authentication.

This guide covers every reason this happens and exactly how to fix it.

Quick Diagnosis

Before diving into causes, run your domain through a DMARC checker. The results will tell you which category your problem falls into:

What You See	Likely Cause	Jump To
No record found at all	Record doesn’t exist or wrong location	Record doesn’t exist
Record found but invalid	Syntax error	Syntax errors
Record works in some tools, not others	DNS propagation	Propagation issues
Record exists but reports aren’t arriving	External domain permission	External domain permission

The Record Doesn’t Exist

The simplest cause: you haven’t created a DMARC record yet.

How to Check

Query your DNS directly:

dig +short TXT _dmarc.yourdomain.com

If this returns nothing, you don’t have a DMARC record.

How to Fix

Add a TXT record to your domain’s DNS:

Field	Value
Type	TXT
Host / Name	_dmarc
Value	v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
TTL	3600 (or default)

Replace dmarc@yourdomain.com with an email address you control where you want to receive reports.

DNS provider notes:

• Some providers want just _dmarc as the host
• Others want the full _dmarc.yourdomain.com
• Check your provider’s documentation if unsure

After adding the record, wait 15-60 minutes for propagation, then verify with our DMARC checker.

Record Published at Wrong Location

DMARC records must be at a specific DNS location. A common mistake is putting the record in the wrong place.

Correct Location

_dmarc.yourdomain.com

Common Mistakes

Wrong	Why It Fails
yourdomain.com	Missing the _dmarc subdomain
dmarc.yourdomain.com	Missing the underscore
_dmarc_.yourdomain.com	Extra underscore
_DMARC.yourdomain.com	Case shouldn’t matter, but some systems are picky

How to Check

dig +short TXT _dmarc.yourdomain.com

If you get results, your record is in the right place. If not, check if you accidentally put it somewhere else:

dig +short TXT yourdomain.com | grep -i dmarc
dig +short TXT dmarc.yourdomain.com

If either of these returns your DMARC record, you’ve found the problem. Delete the misplaced record and create a new one at the correct location.

Syntax Errors in Your Record

A DMARC record with syntax errors may be treated as invalid or nonexistent by receivers.

Required Format

A valid DMARC record must:

• Start with v=DMARC1 (this must be the first tag)
• Include a policy tag p=none, p=quarantine, or p=reject
• Use semicolons between tags
• Have no spaces around the equals signs in tags

Valid Examples

v=DMARC1; p=none;
v=DMARC1; p=none; rua=mailto:dmarc@example.com
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=r; aspf=r

Common Syntax Errors

Missing v=DMARC1 or not first:

# Wrong - p= comes before v=
p=none; v=DMARC1; rua=mailto:dmarc@example.com

# Correct
v=DMARC1; p=none; rua=mailto:dmarc@example.com

Typos in tag names:

# Wrong - "policy" instead of "p"
v=DMARC1; policy=none;

# Wrong - misspelled "quarantine"
v=DMARC1; p=quaratine;

# Correct
v=DMARC1; p=quarantine;

Missing semicolons:

# Wrong - no semicolon after p=none
v=DMARC1; p=none rua=mailto:dmarc@example.com

# Correct
v=DMARC1; p=none; rua=mailto:dmarc@example.com

Invalid email format in rua:

# Wrong - missing mailto:
v=DMARC1; p=none; rua=dmarc@example.com

# Correct
v=DMARC1; p=none; rua=mailto:dmarc@example.com

Extra quotes or characters:

# Wrong - quotes around the value
v=DMARC1; p="none";

# Wrong - trailing comma
v=DMARC1; p=none; rua=mailto:dmarc@example.com,

# Correct
v=DMARC1; p=none; rua=mailto:dmarc@example.com

How to Fix

Use our DMARC checker to validate your record syntax. It will identify specific errors and show you what to fix.

DNS Propagation Delays

You added the record, but tools still say it’s missing. DNS propagation takes time.

Typical Timeline

• 15-60 minutes: Most DNS changes propagate within this window
• Up to 24 hours: Some resolvers with aggressive caching may take longer
• Up to 48 hours: Rare, but possible with certain configurations

How to Check Propagation

Use tools that query multiple global DNS servers:

• whatsmydns.net
• dnschecker.org

These show whether your record is visible from different locations worldwide. If some servers see it and others don’t, propagation is still in progress.

How to Speed It Up

You can’t force faster propagation, but you can:

1. Lower TTL before making changes: If you set TTL to 300 (5 minutes) before updating records, changes propagate faster. Return TTL to 3600+ after verification.

2. Flush local DNS cache: On your machine:

   # macOS
   sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
   
   # Windows
   ipconfig /flushdns
   
   # Linux
   sudo systemd-resolve --flush-caches

3. Try different DNS resolvers: Test with Google (8.8.8.8), Cloudflare (1.1.1.1), or your ISP’s resolver to see if propagation differs.

Multiple DMARC Records

Having more than one DMARC record on a domain causes undefined behavior. Some receivers will use the first record, others the second, and many will treat it as no record at all.

How to Check

dig +short TXT _dmarc.yourdomain.com

If you see multiple records returned, you have duplicates.

How to Fix

Delete all DMARC records except one. Keep the record with your intended policy and reporting address.

After deletion, wait for propagation and verify only one record remains.

External Domains Not Giving Permission

This error appears when you try to send DMARC aggregate reports to an email address outside your domain:

“External domains in your DMARC are not giving permission for your reports to be sent to them.”

Why This Happens

DMARC has a security feature to prevent report spam. If your DMARC record says to send reports to reports@thirdparty.com, the receiving domain (thirdparty.com) must explicitly authorize this.

Without authorization, report senders will see your rua address, check if the destination domain permits it, find no permission record, and skip sending reports.

Your DMARC record is valid. Authentication still works. You just won’t receive reports at that address.

Example Scenario

Your domain: yourcompany.com Your DMARC record:

v=DMARC1; p=none; rua=mailto:dmarc@monitoringservice.com

For this to work, monitoringservice.com must have a DNS record authorizing reports for your domain.

How External Authorization Works

The external domain must publish a TXT record at:

yourcompany.com._report._dmarc.monitoringservice.com

With the value:

v=DMARC1

This tells report senders: “Yes, monitoringservice.com accepts DMARC reports for yourcompany.com.”

How to Fix

Option 1: Use your own domain

The simplest fix is sending reports to an address on your own domain:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com

No external authorization needed. You control both the sending policy and the receiving address.

Option 2: Ask the external domain to authorize

If you’re using a DMARC monitoring service, they should have already set up authorization records for their customers. Contact their support if reports aren’t arriving.

If you’re sending to a partner or vendor’s address, they need to add the authorization record to their DNS.

Option 3: Use multiple rua addresses

You can specify multiple report destinations:

v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com,mailto:dmarc@monitoringservice.com

Reports go to both addresses. If the external domain isn’t authorized, you’ll still receive reports at your own address.

Verifying External Authorization

Check if the authorization record exists:

dig +short TXT yourcompany.com._report._dmarc.monitoringservice.com

If it returns v=DMARC1, authorization is in place. If it returns nothing, that’s your problem.

Subdomain DMARC Issues

DMARC records at the organizational domain (yourdomain.com) apply to all subdomains by default. But there are edge cases.

Subdomains Inherit Parent Policy

If you have:

_dmarc.yourdomain.com: v=DMARC1; p=reject

Then mail.yourdomain.com, marketing.yourdomain.com, and all other subdomains inherit p=reject unless they have their own DMARC record.

Overriding with Subdomain-Specific Records

You can publish a DMARC record for a specific subdomain:

_dmarc.mail.yourdomain.com: v=DMARC1; p=none

This subdomain now uses p=none while others still inherit from the parent.

The sp= Tag

The sp= tag in your main DMARC record sets a different policy specifically for subdomains:

v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@yourdomain.com

This means:

• Main domain uses p=reject
• All subdomains use p=quarantine (unless they have their own record)

See our guide to DMARC for subdomains for detailed configuration options.

Verifying Your Fix

After making changes, verify everything is working:

Step 1: Check DNS

dig +short TXT _dmarc.yourdomain.com

You should see your DMARC record with correct syntax.

Step 2: Use a DMARC Validator

Run your domain through our DMARC checker. It validates:

• Record exists at correct location
• Syntax is valid
• Policy is recognized
• Reporting addresses are properly formatted

Step 3: Wait for Reports

If you added or fixed your rua address, aggregate reports typically start arriving within 24-48 hours. Some large senders (Google, Microsoft, Yahoo) send daily reports. Smaller senders may batch weekly.

Step 4: Monitor Ongoing

DMARC isn’t set-and-forget. DNS changes, expired records, or misconfigurations can break your setup over time. Use continuous monitoring to catch issues before they affect deliverability.

Still Not Working?

If you’ve verified everything above and still see “DMARC record not found”:

1. Try different validation tools. Some tools cache results or have bugs. Try MXToolbox, dmarcian, and our DMARC checker.

2. Check for invisible characters. Copy-pasting from documents can introduce hidden characters. Delete the record, retype it manually, and publish again.

3. Verify DNS provider is updating. Log into your DNS provider and confirm the record actually saved. Some providers have delays or require explicit “publish” actions.

4. Check for DNS provider conflicts. Some providers (especially those with email security add-ons) may have their own DMARC management that conflicts with manual records.

5. Contact your DNS provider. If nothing else works, your provider’s support can check for account-specific issues.

---

Next Steps

Once your DMARC record is found and valid:

1. Monitor your reports to understand who’s sending email as your domain
2. Fix authentication issues for any legitimate senders that are failing
3. Progress to enforcement by moving from p=none to p=quarantine to p=reject

Use our DMARC checker to validate your current setup, or start monitoring for continuous visibility into your email authentication.