Resolving "DMARC Policy Not Found" Errors
Fix DMARC policy not found by adding a valid _dmarc TXT record, checking SPF/DKIM alignment and starting with a safe monitoring policy.
Introduction
A "DMARC Policy Not Found" error means receiving mail servers looked for a DMARC record at _dmarc.yourdomain.com and did not find a valid one. DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receivers how to handle messages that fail SPF or DKIM checks and where to send authentication reports.
This error is common on domains that have SPF and DKIM configured but never added DMARC, or where the record was published at the wrong hostname (for example dmarc.example.com instead of _dmarc.example.com). Adding a starter DMARC record is straightforward and is an important step toward protecting your domain from spoofing.
Quick answer
DMARC policy not found means no valid TXT record exists at _dmarc.yourdomain.com. Add a starter record such as v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com, confirm SPF and DKIM pass for legitimate mail, monitor aggregate reports, then gradually tighten policy. Do not jump straight to p=reject.
What DMARC policy not found means
DMARC is published as a TXT record at a specific subdomain: _dmarc followed by your domain. Receivers query _dmarc.example.com, not example.com directly. If the record is missing, malformed or published at the wrong name, they report "policy not found" or treat the domain as having no DMARC policy.
Common causes:
- no DMARC TXT record has ever been created
- the record was added at the wrong hostname (missing underscore or wrong subdomain)
- a typo in the record value (for example v=DMARC instead of v=DMARC1)
- DNS changes have not propagated yet
- the record was accidentally deleted during a DNS migration
- a CNAME conflict exists on the _dmarc hostname
- the domain uses a DNS provider that requires a specific record format
- subdomains send mail but no sp= tag or subdomain policy exists
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
This starter record tells receivers to take no action on failures (p=none) while sending daily aggregate reports to dmarc@example.com. It does not block mail — it gives you visibility while you confirm SPF and DKIM are working correctly.
Create the dmarc@example.com mailbox (or use an address you already monitor) before publishing rua. Some providers also require confirming the reporting address.
Do not jump to p=reject before reviewing DMARC reports. Strict enforcement without stable SPF and DKIM can cause legitimate mail to be rejected.
Why this matters
Without DMARC, you have no published policy for how receivers should treat authentication failures and no aggregate reports to detect spoofing or misconfiguration. Adding DMARC improves visibility, reduces spoofing risk and is increasingly expected by major email providers.
DMARC also connects SPF and DKIM to the visible From address through alignment. Even when SPF and DKIM pass individually, DMARC may fail if the authenticated domains do not align with the From domain.
How to check
Confirm whether a DMARC record exists at the correct hostname and whether SPF and DKIM are ready to support it.
- Run DMARC Checker on your domain to see whether _dmarc.yourdomain.com returns a record.
- Check DNS directly: look for a TXT record at _dmarc (with the underscore prefix).
- Confirm the record starts with v=DMARC1 and includes a policy tag (p=).
- Verify the rua reporting address is a mailbox you can access.
- Run SPF Checker and DKIM Checker to confirm underlying authentication works.
- Send a test email and review Authentication-Results for dmarc= pass or fail.
- Check for typos in the hostname — dmarc.example.com is not the same as _dmarc.example.com.
- Review whether subdomains send mail independently and need sp= or separate records.
- After publishing, wait for DNS propagation and re-run DMARC Checker.
- Monitor incoming aggregate reports for unexpected failing sources.
Check your DMARC record
Use DMARC Checker to confirm whether a policy record exists at _dmarc.yourdomain.com and review tags such as p, rua and alignment.
Common problems
No DMARC record published
HighThe domain has no TXT record at _dmarc.yourdomain.com.
Next step: Add a starter DMARC record with p=none and an rua reporting address.
Record at wrong hostname
HighDMARC was published at dmarc.example.com or example.com instead of _dmarc.example.com.
Next step: Delete the misplaced record and publish TXT at _dmarc.yourdomain.com.
Missing underscore in hostname
HighThe DNS name was entered as dmarc.example.com without the required leading underscore.
Next step: Create the record with the exact name _dmarc (underscore + dmarc).
Invalid record syntax
MediumThe TXT value has typos, missing semicolons or an incorrect version tag.
Next step: Use v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com as a starting template.
No rua reporting address
LowThe record exists but has no rua tag, so you receive no aggregate reports.
Next step: Add rua=mailto:dmarc@yourdomain.com to collect daily reports.
p=reject set too early
HighStrict reject policy is active before SPF and DKIM are stable for all senders.
Next step: Lower to p=none, fix authentication failures shown in reports, then tighten gradually.
SPF or DKIM not configured
HighDMARC exists but legitimate mail fails authentication, causing poor outcomes under enforcement.
Next step: Fix SPF and DKIM first, then monitor DMARC reports before enforcing.
DMARC alignment failures
MediumSPF or DKIM pass but the authenticated domain does not align with the From domain.
Next step: Configure Return-Path and DKIM signing domain to align with your From address.
DNS not propagated
LowThe record was added recently but resolvers still return no result.
Next step: Wait for TTL to expire and re-run DMARC Checker from multiple locations.
Subdomains send without policy
MediumMail from subdomains is not covered by the organizational domain policy.
Next step: Add sp= tag to the root DMARC record or publish _dmarc records on sending subdomains.
How to fix
-
Step 1: Confirm SPF and DKIM pass
Run SPF Checker and DKIM Checker. Fix underlying authentication before or alongside adding DMARC.
-
Step 2: Create the reporting mailbox
Set up dmarc@yourdomain.com or another address you monitor for aggregate reports.
-
Step 3: Add the DMARC TXT record
Publish at _dmarc.yourdomain.com: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com.
-
Step 4: Verify with DMARC Checker
Confirm the record is live, syntax is valid and tags are parsed correctly.
-
Step 5: Send test mail
Send a message from each legitimate source and check headers for dmarc=pass.
-
Step 6: Monitor aggregate reports
Review daily rua reports for failing sources, unknown senders and alignment issues.
-
Step 7: Fix failures found in reports
Update SPF includes, DKIM selectors and Return-Path settings for any failing services.
-
Step 8: Tighten policy gradually
Move from p=none to p=quarantine, then p=reject only after reports show consistent passes. Do not skip monitoring.
Examples
Problem:
dmarc=fail (policy not found)
DNS check:
dig _dmarc.example.com TXT → no result
dig dmarc.example.com TXT → no result
Cause:
No DMARC record was ever published.
SPF and DKIM are configured but DMARC is missing.
Fix:
Add TXT record:
Host: _dmarc.example.com
Value: v=DMARC1; p=none; rua=mailto:dmarc@example.com
Verify:
Run DMARC Checker → record found, p=none.
Send test → headers show dmarc=pass.
Next:
Monitor rua reports for 2–4 weeks.
Fix any failing sources.
Then consider p=quarantine — not p=reject yet.
Do not jump to p=reject before reviewing DMARC aggregate reports. Enforcement without stable SPF and DKIM can block legitimate mail from CRMs, newsletters and third-party tools.
Frequently asked questions
What does "DMARC policy not found" mean?
No valid DMARC TXT record exists at _dmarc.yourdomain.com. Receiving servers have no published policy or reporting instructions for your domain.
Where do I publish a DMARC record?
Create a TXT record at _dmarc.yourdomain.com (note the underscore prefix). The value starts with v=DMARC1.
Can I start with p=reject?
You can, but it is risky before SPF and DKIM are stable. Start with p=none to monitor reports, then move to quarantine or reject gradually.
Do I need DMARC if SPF and DKIM already pass?
Yes. DMARC provides policy control, alignment checks and reporting. SPF and DKIM alone do not tell receivers what to do when authentication fails.
How long until DMARC is detected?
DNS propagation is usually minutes to a few hours. Re-run DMARC Checker after TTL expires to confirm the record is live.
What is the rua tag?
rua specifies where aggregate DMARC reports are sent. Use rua=mailto:dmarc@yourdomain.com with a mailbox you monitor.
Does DMARC fix deliverability by itself?
No. DMARC reports on authentication results. You still need correct SPF and DKIM for legitimate mail to pass.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all Troubleshooting guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!