
Invalid DMARC Record

The DMARC record contains syntax errors or an invalid policy.

Severity: Critical

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on top of SPF and DKIM. It allows domain owners to specify what should happen when an email fails both SPF and DKIM checks, and provides a way to receive reports about email authentication results.

A DMARC record is a DNS TXT record published at _dmarc.{domain} that looks like:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100

This tells receiving mail servers: "If an email claiming to be from this domain fails both SPF and DKIM, reject it. Send aggregate reports to the specified email address."

The key DMARC policies are:

  • p=none — Monitor only, don't take action on failures (good for initial rollout)
  • p=quarantine — Send failing emails to spam
  • p=reject — Reject failing emails entirely (strongest protection)

Why this is a problem

An invalid DMARC record means the record has syntax errors, unrecognized tags, or malformed values. This can cause:

  • Receiving servers to ignore the DMARC record entirely, leaving your domain unprotected
  • No enforcement of your email authentication policy
  • Missing authentication reports that help you monitor email abuse
  • Inconsistent behavior across different mail providers

What you should do

  • Ensure the record starts with v=DMARC1 (exactly)
  • Verify the p= tag contains a valid policy: none, quarantine, or reject
  • Check that rua= and ruf= tags (if present) contain valid mailto: URIs
  • Ensure pct= (if present) is a number between 0 and 100
  • Verify there is only one DMARC record at _dmarc.{yourdomain}
  • Validate the record using a DMARC validation tool
  • Start with p=none if you're setting up DMARC for the first time, then gradually move to quarantine and reject
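The checklist above, turned into a small validator as an added example (not part of the dnswatchdog.io docs): it parses one DMARC TXT string and reports each problem found. The tag list, the error messages and the `validate_dmarc_lookup` helper are my own assumptions; the DNS query for `_dmarc.<domain>` is left to the caller, who passes in the TXT records it returned.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
# Tags defined by the DMARC specification; anything else is flagged as unrecognized.
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "pct", "adkim", "aspf", "fo", "rf", "ri"}
MAILTO_RE = re.compile(r"^mailto:[^@\s,]+@[^@\s,]+$")

def _valid_uri_list(value: str) -> bool:
    """rua/ruf hold comma-separated mailto: URIs, each optionally suffixed with !<size>."""
    for uri in value.split(","):
        uri = uri.strip().split("!", 1)[0]   # drop an optional size limit such as !10m
        if not MAILTO_RE.match(uri):
            return False
    return True

def validate_dmarc(record: str) -> list[str]:
    """Return the problems found in one DMARC TXT record (empty list means valid)."""
    problems = []
    parts = [p.strip() for p in record.strip().split(";") if p.strip()]
    if not parts or parts[0] != "v=DMARC1":          # must be first and match exactly
        problems.append("record must start with exactly v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            problems.append(f"malformed tag (missing '='): {part!r}")
            continue
        name, value = (s.strip() for s in part.split("=", 1))
        name = name.lower()
        if name in tags:
            problems.append(f"duplicate tag: {name}")
        tags[name] = value
        if name not in KNOWN_TAGS:
            problems.append(f"unrecognized tag: {name}")
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required p= tag")
    elif policy.lower() not in VALID_POLICIES:
        problems.append(f"invalid policy p={policy!r} (use none, quarantine or reject)")
    for t in ("rua", "ruf"):
        if t in tags and not _valid_uri_list(tags[t]):
            problems.append(f"{t}= must be a comma-separated list of mailto: URIs")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append(f"pct= must be an integer between 0 and 100, got {tags['pct']!r}")
    return problems

def validate_dmarc_lookup(txt_records: list[str]) -> list[str]:
    """Check every TXT record returned for _dmarc.<domain>: exactly one DMARC record is allowed."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return [f"expected exactly one DMARC record at _dmarc.<domain>, found {len(dmarc)}"]
    return validate_dmarc(dmarc[0])
```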
