Resolving "DMARC Policy Not Found" Errors

Fix DMARC policy not found by adding a valid _dmarc TXT record, checking SPF/DKIM alignment and starting with a safe monitoring policy.

By CheckDomainHealth Editorial Team. Reviewed by Dionis Ceban. Updated Jun 28, 2026.

Introduction

A "DMARC Policy Not Found" error means receiving mail servers looked for a DMARC record at _dmarc.yourdomain.com and did not find a valid one. DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receivers how to handle messages that fail SPF or DKIM checks and where to send authentication reports.

This error is common on domains that have SPF and DKIM configured but never added DMARC, or where the record was published at the wrong hostname (for example dmarc.example.com instead of _dmarc.example.com). Adding a starter DMARC record is straightforward and is an important step toward protecting your domain from spoofing.

Quick answer

DMARC policy not found means no valid TXT record exists at _dmarc.yourdomain.com. Add a starter record such as v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com, confirm SPF and DKIM pass for legitimate mail, monitor aggregate reports, then gradually tighten policy. Do not jump straight to p=reject.

What DMARC policy not found means

DMARC is published as a TXT record at a specific subdomain: _dmarc followed by your domain. Receivers query _dmarc.example.com, not example.com directly. If the record is missing, malformed or published at the wrong name, they report "policy not found" or treat the domain as having no DMARC policy.

Common causes:

  • no DMARC TXT record has ever been created
  • the record was added at the wrong hostname (missing underscore or wrong subdomain)
  • a typo in the record value (for example v=DMARC instead of v=DMARC1)
  • DNS changes have not propagated yet
  • the record was accidentally deleted during a DNS migration
  • a CNAME conflict exists on the _dmarc hostname
  • the domain uses a DNS provider that requires a specific record format
  • subdomains send mail but no sp= tag or subdomain policy exists

Starter DMARC record

_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

This starter record tells receivers to take no action on failures (p=none) while sending daily aggregate reports to dmarc@example.com. It does not block mail — it gives you visibility while you confirm SPF and DKIM are working correctly.

Create the dmarc@example.com mailbox (or use an address you already monitor) before publishing rua. Some providers also require confirming the reporting address.

Do not jump to p=reject before reviewing DMARC reports. Strict enforcement without stable SPF and DKIM can cause legitimate mail to be rejected.

Why this matters

Without DMARC, you have no published policy for how receivers should treat authentication failures and no aggregate reports to detect spoofing or misconfiguration. Adding DMARC improves visibility, reduces spoofing risk and is increasingly expected by major email providers.

DMARC also connects SPF and DKIM to the visible From address through alignment. Even when SPF and DKIM pass individually, DMARC may fail if the authenticated domains do not align with the From domain.

How to check

Confirm whether a DMARC record exists at the correct hostname and whether SPF and DKIM are ready to support it.

  1. Run DMARC Checker on your domain to see whether _dmarc.yourdomain.com returns a record.
  2. Check DNS directly: look for a TXT record at _dmarc (with the underscore prefix).
  3. Confirm the record starts with v=DMARC1 and includes a policy tag (p=).
  4. Verify the rua reporting address is a mailbox you can access.
  5. Run SPF Checker and DKIM Checker to confirm underlying authentication works.
  6. Send a test email and review Authentication-Results for dmarc= pass or fail.
  7. Check for typos in the hostname — dmarc.example.com is not the same as _dmarc.example.com.
  8. Review whether subdomains send mail independently and need sp= or separate records.
  9. After publishing, wait for DNS propagation and re-run DMARC Checker.
  10. Monitor incoming aggregate reports for unexpected failing sources.
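
Checks 2 to 4 and 7 above can be scripted once you have the TXT values returned for a hostname. The following is an added example, not code from this guide or from CheckDomainHealth; the function names and finding codes are assumptions chosen for illustration, and the inputs are constructed.

```python
import re

POLICIES = {"none", "quarantine", "reject"}

def parse_tags(txt):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.strip().strip('"').split(";"):
        tag, _, value = part.strip().partition("=")
        if tag:
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(name, txt_values):
    """Return finding codes (hypothetical names) for the TXT values published at `name`."""
    findings = []
    if not name.lower().startswith("_dmarc."):
        findings.append("wrong-hostname")
    valid = []
    for txt in txt_values:
        tags = parse_tags(txt)
        if not tags or tags[0][0] != "v" or not tags[0][1].upper().startswith("DMARC"):
            continue  # unrelated TXT record (for example SPF); receivers ignore it
        if any(re.search(r"\s\w+=", value) for _, value in tags):
            findings.append("missing-semicolon")  # two tags ran together
        elif tags[0][1] != "DMARC1":
            findings.append("bad-version")  # e.g. v=DMARC instead of v=DMARC1
        else:
            valid.append(dict(tags))
    if len(valid) != 1:  # zero or several valid records both mean "no policy"
        findings.append("policy-not-found" if not valid else "multiple-records")
        return findings
    record = valid[0]
    if record.get("p", "").lower() not in POLICIES:
        findings.append("missing-or-invalid-p")
    uris = [u.strip() for u in record.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append("no-rua")
    elif not all(u.lower().startswith("mailto:") for u in uris):
        findings.append("rua-not-mailto")
    return findings

if __name__ == "__main__":  # constructed inputs, one per cause
    for name, txt in [("_dmarc.example.com", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
                      ("dmarc.example.com", "v=DMARC1; p=none"),
                      ("_dmarc.example.com", "v=DMARC; p=none"),
                      ("_dmarc.example.com", "v=DMARC1 p=none")]:
        print(name, repr(txt), "->", lint_dmarc(name, [txt]) or "ok")
```

An empty list means the record passes these checks; it does not confirm that SPF and DKIM pass or align.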

Check your DMARC record

Use DMARC Checker to confirm whether a policy record exists at _dmarc.yourdomain.com and review tags such as p, rua and alignment.

Common problems

No DMARC record published (severity: High)

The domain has no TXT record at _dmarc.yourdomain.com.

Next step: Add a starter DMARC record with p=none and an rua reporting address.

Record at wrong hostname (severity: High)

DMARC was published at dmarc.example.com or example.com instead of _dmarc.example.com.

Next step: Delete the misplaced record and publish TXT at _dmarc.yourdomain.com.

Missing underscore in hostname (severity: High)

The DNS name was entered as dmarc.example.com without the required leading underscore.

Next step: Create the record with the exact name _dmarc (underscore + dmarc).

Invalid record syntax (severity: Medium)

The TXT value has typos, missing semicolons or an incorrect version tag.

Next step: Use v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com as a starting template.

No rua reporting address (severity: Low)

The record exists but has no rua tag, so you receive no aggregate reports.

Next step: Add rua=mailto:dmarc@yourdomain.com to collect daily reports.

p=reject set too early (severity: High)

Strict reject policy is active before SPF and DKIM are stable for all senders.

Next step: Lower to p=none, fix authentication failures shown in reports, then tighten gradually.

SPF or DKIM not configured (severity: High)

DMARC exists but legitimate mail fails authentication, causing poor outcomes under enforcement.

Next step: Fix SPF and DKIM first, then monitor DMARC reports before enforcing.

DMARC alignment failures (severity: Medium)

SPF or DKIM pass but the authenticated domain does not align with the From domain.

Next step: Configure Return-Path and DKIM signing domain to align with your From address.

DNS not propagated (severity: Low)

The record was added recently but resolvers still return no result.

Next step: Wait for TTL to expire and re-run DMARC Checker from multiple locations.

Subdomains send without policy (severity: Medium)

Mail from subdomains is not covered by the organizational domain policy.

Next step: Add sp= tag to the root DMARC record or publish _dmarc records on sending subdomains.

How to fix

  1. Confirm SPF and DKIM pass

    Run SPF Checker and DKIM Checker. Fix underlying authentication before or alongside adding DMARC.

  2. Create the reporting mailbox

    Set up dmarc@yourdomain.com or another address you monitor for aggregate reports.

  3. Add the DMARC TXT record

    Publish at _dmarc.yourdomain.com: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com.

  4. Verify with DMARC Checker

    Confirm the record is live, syntax is valid and tags are parsed correctly.

  5. Send test mail

    Send a message from each legitimate source and check headers for dmarc=pass.

  6. Monitor aggregate reports

    Review daily rua reports for failing sources, unknown senders and alignment issues.

  7. Fix failures found in reports

    Update SPF includes, DKIM selectors and Return-Path settings for any failing services.

  8. Tighten policy gradually

    Move from p=none to p=quarantine, then p=reject only after reports show consistent passes. Do not skip monitoring.
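
For steps 6 and 7, the aggregate reports sent to the rua address are XML files. The following added example (not part of the original guide) lists the sources that fail DMARC in one report and separates alignment failures from outright authentication failures; the report is a constructed sample in the RFC 7489 layout, and the function name is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
SAMPLE_REPORT = """<feedback>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>mail.vendor.test</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.99</source_ip><count>3</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""

def failing_sources(report_xml):
    """Return sorted (source_ip, reason, message_count) for rows that fail DMARC."""
    # Reports come from third parties: treat the XML as untrusted input.
    root = ET.fromstring(report_xml)
    totals = defaultdict(int)
    for rec in root.iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        # policy_evaluated holds the aligned results; one pass is enough for DMARC.
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            continue
        raw_pass = [f"{m.tag}={m.findtext('domain')}" for m in rec.find("auth_results")
                    if m.findtext("result") == "pass"]
        if raw_pass:  # authenticated, but for a domain that does not match From
            reason = "not aligned with " + rec.findtext("identifiers/header_from") + ": " + ",".join(raw_pass)
        else:
            reason = "spf and dkim failed"
        totals[(rec.findtext("row/source_ip"), reason)] += int(rec.findtext("row/count"))
    return sorted((ip, reason, n) for (ip, reason), n in totals.items())

if __name__ == "__main__":
    for ip, reason, n in failing_sources(SAMPLE_REPORT):
        print(f"{ip}  {n:>4} msgs  {reason}")
```

A "not aligned" row usually points to a legitimate third-party sender that needs its Return-Path or DKIM signing domain changed, while a row where both checks failed is either a misconfigured source or spoofed mail.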

Examples

DMARC policy not found troubleshooting example

Problem:
dmarc=fail (policy not found)

DNS check:
dig _dmarc.example.com TXT → no result
dig dmarc.example.com TXT → no result

Cause:
No DMARC record was ever published.
SPF and DKIM are configured but DMARC is missing.

Fix:
Add TXT record:
Host: _dmarc.example.com
Value: v=DMARC1; p=none; rua=mailto:dmarc@example.com

Verify:
Run DMARC Checker → record found, p=none.
Send test → headers show dmarc=pass.

Next:
Monitor rua reports for 2–4 weeks.
Fix any failing sources.
Then consider p=quarantine — not p=reject yet.

Do not jump to p=reject before reviewing DMARC aggregate reports. Enforcement without stable SPF and DKIM can block legitimate mail from CRMs, newsletters and third-party tools.

Frequently asked questions

What does "DMARC policy not found" mean?

No valid DMARC TXT record exists at _dmarc.yourdomain.com. Receiving servers have no published policy or reporting instructions for your domain.

Where do I publish a DMARC record?

Create a TXT record at _dmarc.yourdomain.com (note the underscore prefix). The value starts with v=DMARC1.

Can I start with p=reject?

You can, but it is risky before SPF and DKIM are stable. Start with p=none to monitor reports, then move to quarantine or reject gradually.

Do I need DMARC if SPF and DKIM already pass?

Yes. DMARC provides policy control, alignment checks and reporting. SPF and DKIM alone do not tell receivers what to do when authentication fails.

How long until DMARC is detected?

DNS propagation is usually minutes to a few hours. Re-run DMARC Checker after TTL expires to confirm the record is live.

What is the rua tag?

rua specifies where aggregate DMARC reports are sent. Use rua=mailto:dmarc@yourdomain.com with a mailbox you monitor.

Does DMARC fix deliverability by itself?

No. DMARC reports on authentication results. You still need correct SPF and DKIM for legitimate mail to pass.
