How do I add a DMARC record?

Add a TXT record in your DNS with the host '_dmarc' and the value 'v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com'. Start with p=none to monitor, then upgrade to p=quarantine or p=reject once you confirm legitimate email passes.

Why is DMARC important for email security?

DMARC prevents attackers from sending emails that appear to come from your domain. It also gives you visibility into who is sending email on your behalf through aggregate reports, and improves deliverability with major providers like Google, Microsoft, and Yahoo.

Can a missing DMARC record cause emails to go to spam?

Yes. Email providers like Google, Microsoft, and Yahoo use DMARC as a trust signal when deciding where to deliver messages. A missing DMARC record reduces your domain's email authentication score, which can cause legitimate emails to be filtered into spam or junk folders.

How do I stop someone spoofing my email domain?

Set up three DNS records: SPF (to list authorised sending servers), DKIM (to add cryptographic signatures to emails), and DMARC (to tell providers what to do when authentication fails). Start DMARC with p=none to monitor, then upgrade to p=reject once all legitimate senders pass.

Last updated: 22 March 2026

No DMARC policy: what it means and how to fix it

Q: What does 'no DMARC policy' mean?

It means your domain does not have a DMARC DNS record. Without one, there is no policy telling email providers how to handle messages that fail SPF or DKIM authentication, leaving your domain vulnerable to email spoofing.

A missing DMARC record means your domain has no policy telling email providers how to handle messages that fail authentication. This leaves your domain open to email spoofing, can cause legitimate emails to land in spam, and hurts deliverability with providers like Google and Microsoft. Without DMARC, you also have no visibility into who is sending email as your domain.

Fix: Add a TXT record at _dmarc.yourdomain.com with the value v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com. It takes about 2 minutes.

Quick fix Add a DMARC record in 2 minutes

Log in to your DNS provider (Cloudflare, Route 53, GoDaddy, Namecheap, or similar).
Go to the DNS records section for your domain.
Add a new TXT record:

Host / Name: _dmarc
Type: TXT
Value:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r

TTL: 3600 (or your provider's default)

Replace dmarc-reports@yourdomain.com with your actual email. This starts DMARC in monitoring mode. You will receive reports but no emails will be blocked.

What is DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS record that tells receiving mail servers what to do when an email claiming to be from your domain fails SPF or DKIM checks.

It works alongside SPF and DKIM to form a three-layer email authentication system. SPF verifies which servers are allowed to send email for your domain. DKIM adds a cryptographic signature to each message. DMARC ties them together by defining a policy: what should happen when those checks fail.

DMARC also enables reporting. When you publish a DMARC record with a rua tag, email providers send you aggregate reports showing who is sending email on your behalf, whether it passed or failed authentication, and from which IP addresses. This gives you visibility into both legitimate senders and potential spoofing attempts.

What a DMARC record looks like

A DMARC record is a TXT entry in your DNS, published at _dmarc.yourdomain.com.

DMARC TXT record in DNS

Type	Host	Value	TTL
TXT	_dmarc	v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com	3600

Here is a full example record with each tag explained:

# Tag breakdown
v=DMARC1;           # Protocol version (required, must be first)
p=quarantine;        # Policy: none | quarantine | reject
rua=mailto:dmarc@example.com;  # Aggregate report destination
ruf=mailto:forensics@example.com;  # Forensic report destination (optional)
adkim=r;             # DKIM alignment: r (relaxed) | s (strict)
aspf=r;              # SPF alignment: r (relaxed) | s (strict)
pct=100              # Percentage of messages to apply policy to

How DMARC authentication works

✉

Email arrives at the receiving mail server

↓

☑

SPF check: Was this sent from an authorised server?

↓

☑

DKIM check: Is the cryptographic signature valid?

↓

📜

DMARC policy lookup: Check _dmarc.domain.com for instructions

↓

✓

Both pass: Email is delivered normally

✗

Fails: Apply policy (none, quarantine, or reject)

DMARC policy levels

p=none Monitor only. Emails that fail are still delivered. You receive reports to understand your email traffic. Start here.

p=quarantine Flag suspicious email. Failing emails are sent to spam or junk. Use this once you trust your SPF and DKIM setup.

p=reject Block spoofed email. Failing emails are rejected entirely. This is the strongest protection against email spoofing.

Without vs with DMARC

The difference is straightforward. Think of DMARC as a policy sign on your front door.

Without DMARC

Email providers guess what to do with suspicious messages
Spoofed emails may be delivered to inboxes
No visibility into who is sending as your domain
Legitimate emails more likely to land in spam

With DMARC

Clear policy tells providers how to handle failures
Spoofed emails are flagged, quarantined, or blocked
Aggregate reports show all sending activity
Improved deliverability with Google, Microsoft, and Yahoo

Why this matters

When no DMARC record exists, email providers make their own decisions about suspicious messages. Most will still deliver them, which means spoofed emails can reach inboxes unchallenged. This creates several problems:

Email spoofing. Anyone can send phishing emails that look like they come from your domain. This is used to target your customers, partners, and employees.
No visibility. Without DMARC reporting, you cannot see who is sending email using your domain name. You have no way to detect abuse.
Deliverability impact. Google, Microsoft, and Yahoo increasingly require DMARC. As of February 2024, Google and Yahoo require DMARC for domains sending more than 5,000 emails per day. Missing it can hurt your delivery rates.
Brand damage. Spoofed emails erode trust in your brand and can lead to your domain being blocklisted by email providers.
Compliance requirements. Many industries (finance, healthcare, government) require DMARC as part of their security standards. PCI DSS 4.0 also recommends it.

DMARC is now a standard requirement for modern email security and is increasingly enforced by major providers like Google and Microsoft. It is no longer optional for domains that send email.

How to tell if this is your issue

Not sure if a missing DMARC record is causing your problem? These are common signs that point to email authentication issues:

Your emails are going to spam. If recipients report that your messages land in junk or spam folders, a missing DMARC record may be a contributing factor. Email providers use DMARC as a trust signal when deciding where to place messages.
You received a security warning from Google or Microsoft. Both providers now send alerts to domain administrators when they detect authentication gaps. If you received a notification about email authentication, check your DMARC record first.
Someone reported a phishing email from your domain. If a customer, partner, or colleague received a suspicious email that appeared to come from your domain, a missing DMARC record means there was nothing in place to stop it.
You are setting up email on a new domain. If you have just registered a domain or are configuring email for the first time, adding DMARC alongside your SPF record should be part of your initial setup.
A domain health scan flagged this issue. Tools like 1Pane check for DMARC as part of a broader domain health assessment. If this was flagged in a scan, it means the record is either missing or invalid.

When this becomes a problem

A missing DMARC record does not cause immediate failures, but it creates ongoing risk. The impact becomes visible when:

Someone spoofs your domain. A phishing attack using your domain can happen at any time. Without DMARC, there is nothing to prevent it and no way to detect it.
You send transactional email. If your application sends order confirmations, password resets, or invoices, DMARC protects those messages from being impersonated.
You scale email volume. Bulk senders (5,000+ messages/day) are now required to have DMARC by major providers. Without it, your deliverability drops. This is also affected by DNS resolution issues that prevent records from being found.
You use third-party senders. If services like Mailchimp, SendGrid, or HubSpot send email on your behalf, DMARC reports help you track whether they are properly authenticated.
A customer reports a phishing email. At that point you are already dealing with the consequences rather than preventing the problem.

How to fix it properly

Follow these steps to add DMARC to your domain and move toward full email spoofing protection.

Step 1: Check your SPF and DKIM records

DMARC depends on SPF and DKIM. Before adding DMARC, make sure your domain has a valid SPF record and that your email provider has enabled DKIM signing. Without these, DMARC has nothing to enforce.

Step 2: Start with a monitoring policy

Add a DMARC record with p=none so you can collect data before enforcing.

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r

The rua tag tells email providers where to send daily aggregate reports in XML format. These reports list every IP address that sent email using your domain and whether it passed SPF and DKIM.

Step 3: Review your reports

After a week or two, review the DMARC reports. Look for legitimate sending services that may not be properly configured. Common sources include:

Your email hosting provider (Google Workspace, Microsoft 365)
Marketing platforms (Mailchimp, HubSpot, SendGrid)
Transactional email services (Postmark, Amazon SES)
Helpdesk or CRM tools that send from your domain

Make sure each of these is included in your SPF record and has DKIM configured.

Step 4: Tighten your policy

Once all legitimate senders pass authentication, upgrade your policy in stages:

# Stage 1: Quarantine 10% of failing messages
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@yourdomain.com

# Stage 2: Quarantine all failing messages
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com

# Stage 3: Reject all failing messages (full protection)
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com

Tip: Use the pct tag to gradually increase enforcement. Setting pct=10 applies the policy to only 10% of failing messages, so you can monitor the impact before going to 100%.

Step 5: Verify your record

After adding the record, verify it is live. DNS propagation usually takes a few minutes to a few hours. If the record is not appearing, check for DNS resolution issues that might be preventing lookups. You can check by running:

dig TXT _dmarc.yourdomain.com

Or use a 1Pane domain health scan to verify the record is detected and valid.

Common mistakes

Wrong hostname. The record must be at _dmarc.yourdomain.com, not at the root domain. Some DNS providers add the domain suffix automatically, so you only need to enter _dmarc as the host. Others require the full _dmarc.yourdomain.com. Check your provider's documentation.
Missing v=DMARC1. The record must start with v=DMARC1 exactly. Typos, extra spaces, or missing semicolons will cause email providers to ignore the entire record.
Multiple DMARC records. Your domain must have exactly one DMARC TXT record. If more than one exists, email providers may ignore all of them. Remove duplicates before adding a new one.
Jumping straight to p=reject. If you enforce rejection before verifying that all legitimate senders are authenticated, you will block your own email. Always start with p=none and review reports first.
No SPF record. DMARC checks SPF alignment. If you have no SPF record, half of DMARC's validation is missing. Set up SPF before or alongside DMARC.
Ignoring subdomains. By default, subdomains inherit the parent domain's DMARC policy. If you need different policies for subdomains, use the sp tag (e.g. sp=reject).

DMARC vs SPF vs DKIM: what is the difference

These three protocols work together to protect your domain from email spoofing. Each handles a different part of email authentication.

Protocol	What it does	Record type	Without it
SPF	Lists which servers are allowed to send email for your domain	TXT at root domain	Any server can send email as your domain
DKIM	Adds a cryptographic signature to each email so receivers can verify it was not altered	TXT at selector._domainkey	Emails can be tampered with in transit without detection
DMARC	Tells receivers what to do when SPF or DKIM fails, and sends you reports	TXT at _dmarc	No enforcement policy, no visibility into email abuse

SPF and DKIM each solve part of the problem. DMARC ties them together by adding a policy layer and reporting. For full email spoofing protection, you need all three. If your domain is also missing an SPF record, see SPF record missing.

How 1Pane detects this

When you scan a domain with 1Pane, it queries the DNS TXT records at _dmarc.yourdomain.com. If no record is found, or the record does not contain a valid DMARC policy starting with v=DMARC1, the scan flags it as a critical issue.

1Pane also checks for related problems that affect DMARC effectiveness, including missing SPF records and DNS resolution failures. Changes between scans are tracked, so you can verify that your fix has taken effect.

These domain health issues are closely related to DMARC and email authentication:

Scan your domain with 1Pane to check DMARC, SPF, DNS and SSL in one place.

Scan your domain now

No DMARC policy: what it means and how to fix it

What is DMARC

What a DMARC record looks like

Without vs with DMARC

Without DMARC

With DMARC

Why this matters

How to tell if this is your issue

When this becomes a problem

How to fix it properly

Step 1: Check your SPF and DKIM records

Step 2: Start with a monitoring policy

Step 3: Review your reports

Step 4: Tighten your policy

Step 5: Verify your record

Common mistakes

DMARC vs SPF vs DKIM: what is the difference

How 1Pane detects this

Related issues