dmarc-missing
DMARC record missing
DMARC is the rule book that tells receiving mail servers what to do when an email pretending to come from your domain fails its checks. Without it, spoofed mail still slips past many providers even if your SPF setup is perfect.
What this means in plain English
DMARC is the third piece of the email-protection trio (alongside SPF and DKIM). It does two jobs at once:
- It tells receiving mail servers what to do when an email pretending to be from your domain doesn’t check out — deliver it, put it in spam, or reject it outright.
- It gets you reports from those mail servers about every attempt, real or fake, to send mail using your domain.
Without DMARC, the elaborate setup we built with SPF (see the SPF article) only protects you at servers that choose to enforce SPF strictly. Many smaller mail providers and most free webmail services don’t — they just deliver suspicious mail and let the user decide. DMARC closes that gap by publishing your own decision: “if it fails, don’t deliver”.
Why it matters to your business
A DMARC record set to “reject” effectively shuts down most spoofing attacks against your domain at every major mailbox provider — Gmail, Outlook, Apple Mail, Yahoo, GMX, web.de. That alone is a meaningful defence against the invoice-fraud, fake-CEO, and phishing-against-customers patterns described in our SPF article.
DMARC also unlocks two practical benefits:
- Visibility. You start getting daily reports listing every IP address that sent mail claiming to be your domain. That tells you about legitimate senders you’d forgotten (the abandoned newsletter tool, the printer that sends scans, the internal HR system) and about scammers actively trying to abuse you.
- Deliverability. Since 2024, Google and Yahoo require at least a basic DMARC record from any sender that mails their users in volume. Without it, your bulk mail gets rejected at the door.
How to fix it
Don’t jump straight to “reject”. DMARC has a sensible three-stage rollout that takes roughly four to six weeks. Your domain administrator or hosting provider can do this:
Stage 1: Watching mode (week 0)
Add a small text record to your DNS that says, in effect, “treat my mail as before, but send me reports”. The technical line:
v=DMARC1; p=none; rua=mailto:dmarc-reports@your-domain.example;
Set up an inbox or a dedicated reporting service (Postmark, dmarcian, EasyDMARC, URIports — most have free tiers) at the address you put in the record.
Stage 2: Soft enforcement (week 2-3)
Once the reports show that your real mail passes the checks, ramp up:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@your-domain.example;
This puts 25% of failing mail into spam folders. Watch the reports for a couple more weeks, then go to 100%.
Stage 3: Strict enforcement (week 4-6)
The final state — every receiving server rejects mail that fails the checks:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@your-domain.example;
A note on subdomains
DMARC is inherited automatically. A record on your-domain.example also covers shop.your-domain.example and marketing.your-domain.example. You only need a separate DMARC entry on a subdomain if you want a different policy there. The blueredix scanner accounts for this — it checks the parent domain before flagging a subdomain as missing one.
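To make the three rollout stages and the subdomain inheritance above concrete, here is an added Python example. It is not code from this article or from the blueredix scanner. It parses a DMARC TXT record, validates the mandatory tags, maps the record onto the stages described in “How to fix it”, and resolves the policy a receiver would apply to a subdomain, including the optional sp= tag from RFC 7489 (not mentioned in the article) that overrides p= for subdomains when present. The DNS answers are a constructed dictionary so the script runs offline, and the organizational domain is hard-coded as an assumption; real receivers derive it from the Public Suffix List.

```python
"""Parse DMARC records and resolve the effective policy for a domain or
subdomain, following RFC 7489 tag semantics.  Added example: the DNS data
below is constructed, not a real zone."""

# Constructed answers for TXT lookups at _dmarc.<name>.  A real tool would
# query DNS here (for example with dnspython); a dict keeps this offline.
CONSTRUCTED_DNS = {
    "_dmarc.your-domain.example":
        "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@your-domain.example;",
    "_dmarc.marketing.your-domain.example":
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@your-domain.example;",
    # shop.your-domain.example publishes nothing and inherits the parent record.
}

# Assumption for this example: the organizational domain is known.  Real
# receivers determine it from the Public Suffix List.
ORG_DOMAIN = "your-domain.example"

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC record into tag/value pairs and validate the tags the
    spec makes mandatory.  Returns a dict; raises ValueError on a bad record."""
    parts = [p.strip() for p in txt.split(";")]
    # v=DMARC1 must be the very first tag.
    if not parts or parts[0].lower() != "v=dmarc1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        raise ValueError("invalid sp= tag")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = str(pct)
    return tags


def is_valid(txt):
    """Convenience wrapper: True if parse_dmarc() accepts the record."""
    try:
        parse_dmarc(txt)
        return True
    except ValueError:
        return False


def has_reporting(tags):
    """True if the record asks for aggregate reports via a mailto: URI."""
    return any(uri.strip().startswith("mailto:") for uri in tags.get("rua", "").split(","))


def rollout_stage(tags):
    """Map a parsed record onto the article's three-stage rollout."""
    if tags["p"] == "none":
        return "stage 1: watching"
    if tags["p"] == "quarantine":
        return "stage 2: soft enforcement" if int(tags["pct"]) < 100 else "stage 2: full quarantine"
    return "stage 3: strict enforcement"


def effective_policy(domain, dns=CONSTRUCTED_DNS):
    """Return (policy, pct, record_source) for `domain` the way a receiver
    would: the domain's own record wins; otherwise a subdomain falls back to
    the organizational domain's record, where sp= (if set) overrides p=."""
    own = dns.get(f"_dmarc.{domain}")
    if own is not None:
        tags = parse_dmarc(own)
        return tags["p"], int(tags["pct"]), domain
    if domain == ORG_DOMAIN or not domain.endswith("." + ORG_DOMAIN):
        return None, 0, None  # no DMARC coverage at all
    parent = dns.get(f"_dmarc.{ORG_DOMAIN}")
    if parent is None:
        return None, 0, None
    tags = parse_dmarc(parent)
    return tags.get("sp", tags["p"]), int(tags["pct"]), ORG_DOMAIN


if __name__ == "__main__":
    for name in ("your-domain.example", "shop.your-domain.example",
                 "marketing.your-domain.example", "unrelated.example"):
        policy, pct, source = effective_policy(name)
        if policy is None:
            print(f"{name}: no DMARC record (missing)")
        else:
            print(f"{name}: p={policy} pct={pct} (from _dmarc.{source})")
    parent = parse_dmarc(CONSTRUCTED_DNS["_dmarc.your-domain.example"])
    print("parent record is at", rollout_stage(parent), "- reporting enabled:", has_reporting(parent))
```

Running the script shows shop.your-domain.example covered at quarantine/25% through inheritance, while marketing.your-domain.example keeps its own p=none; that is the same check the scanner makes before reporting a subdomain as missing a record.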
Further reading
- MXToolbox DMARC check — instant free verification of your published record.
- Google sender requirements (2024) — the rules Google enforces on bulk senders.
- BSI guidance on email authentication — practical guidance from the German federal cybersecurity agency.
- RFC 7489 — DMARC specification — the formal protocol document.