Medium severity

How to fix a missing DMARC record

Your domain has no DMARC record. DMARC ties SPF and DKIM together and tells receiving mail servers what to do when a message fails them (allow, quarantine, or reject). Without DMARC, spoofed email gets through to inboxes even when SPF/DKIM are set. Fix it with a DNS TXT record at `_dmarc.your-domain.com`. Start with `p=none` to monitor, then upgrade to `quarantine` or `reject`.

Why it matters

Gmail and Yahoo now require DMARC for bulk senders. Without it, your transactional emails may land in spam and spoofers can still send as you. DMARC is the single most effective email security record.

How to check

  1. 01Run `dig TXT _dmarc.your-domain.com +short`.
  2. 02Look for `v=DMARC1`.
  3. 03Missing = no protection.

Or let SafeToShip check it for you in 60 seconds:

How to fix it

DNS

Add a TXT record. Start in monitor mode, watch reports, then tighten.

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@your-domain.com; ruf=mailto:dmarc@your-domain.com; fo=1

Tightening over time

After a few weeks with no legitimate failures, move `p=none` → `p=quarantine` (spam folder) → `p=reject` (bounced).

AI prompt

Copy-paste into your AI tool

Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.

Add a DMARC record to my domain. Use `p=none` initially. Set `rua` and `ruf` to an email I own so I get reports. After the record is live, tell me what to look for in reports before tightening to `quarantine` or `reject`.

FAQ

Frequently asked questions

What do DMARC reports look like?
XML files emailed daily from receiving servers (Gmail, Outlook). Use a service like Valimail, Postmark DMARC Monitoring, or dmarcian to parse them.
Should I jump straight to p=reject?
Only if you know every service sending as your domain. Starting with p=none lets you catch misconfigured services before they get blocked.

Related fix guides

Fix these too

Missing SPF record

Without SPF, anyone can send email that looks like it came from your domain. Here is the one DNS record you need to stop that.

Read more

Missing DKIM record

DKIM signs your outgoing email so receivers can verify it was not tampered with. Here is how to enable it through your email provider.

Read more

Learn the concepts

Glossary

Domain-based Message Authentication, Reporting & Conformance

DMARC tells receiving mail servers what to do with email that fails SPF or DKIM checks. The single most important email security record.

Read more

Sender Policy Framework

SPF is a DNS record listing which IP addresses are allowed to send email from your domain. The first line of email authentication.

Read more

DomainKeys Identified Mail

DKIM is a digital signature on outgoing email, letting receivers verify it came from you and was not tampered with.

Read more

Free tools

Check this yourself

Email security checker

Can someone spoof email from your domain? Check in 10 seconds.

Read more

Scan your site for this and 50+ other issues

Free scan. Results in 60 seconds. No account required.