5-min read

Why Your DMARC Record Is Not Working

DMARC records fail silently in surprisingly specific ways. Here are the seven causes that account for almost every “my DMARC isn’t working” call.

01

Introduction

You published a DMARC record, expected things to start happening, and… nothing. No reports, no policy effect, no visible change. DMARC records fail silently — they don't produce error messages — so the troubleshooting is detective work. This article walks the seven most common causes in roughly the order you should check them.

02

Why this topic matters

A non-working DMARC record provides exactly zero of the value DMARC promises. Worse, you might believe you're protected when you're not — the record is published, after all. The seven causes below cover roughly 95% of real-world "my DMARC isn't working" cases. Walk them in order.

03

1. The record is at the wrong DNS name

DMARC records must live at _dmarc.yourdomain.com. Not yourdomain.com, not dmarc.yourdomain.com. The leading underscore is required. One related subtlety: if mail is sent from a subdomain that has no _dmarc record of its own, receivers fall back to the record at _dmarc of the organisational domain, so a record you publish for mail.yourdomain.com is only consulted for mail from that subdomain.

```bash
dig +short TXT _dmarc.yourdomain.com
```

If this returns nothing but dig +short TXT yourdomain.com returns your DMARC string, the record is at the wrong place. Move it.

04

2. The record type is wrong

DMARC records must be TXT records. Some DNS providers offer a "DMARC" record type as a convenience; these usually still produce a TXT under the hood, but some misbehave, so confirm with dig that a TXT comes back. A CNAME at _dmarc.yourdomain.com works only if the name it points to actually serves a TXT record starting with v=DMARC1 (resolvers follow the CNAME); a CNAME to a name with no such TXT is the same as having no record. Any other record type does nothing.

05

3. Multiple DMARC records published

Only one DMARC TXT record (a string beginning v=DMARC1) is allowed at _dmarc.yourdomain.com. Other TXT strings at that name, such as a site-verification token, are simply ignored. If you have two DMARC strings (a leftover from an experiment, or a vendor adding one alongside yours), receivers treat the lookup as having no usable record and apply no DMARC processing at all.

```bash
dig +short TXT _dmarc.yourdomain.com | grep -c 'v=DMARC1'
```

dig prints each TXT record on its own line (a long record split into several quoted strings still occupies one line), so this counts DMARC records. If the result is more than 1, you have a problem. Delete the duplicates.

06

4. Syntax error in the record

A typo in tag names or values silently invalidates the record. The most common offenders:

  • Missing v=DMARC1 at the start (it must be the first tag, exactly as written)
  • Missing p= tag (required; most receivers then either fall back to p=none or ignore the record)
  • p=quaranteene or similar misspelling of none, quarantine or reject
  • pct= with a non-numeric value or one outside 0-100
  • Missing semicolons between tags, so the next tag is swallowed into the previous value
  • Curly "smart" quotes pasted from a word processor instead of straight ASCII quotes

Run the record through a validator before publishing.

07

5. rua= destination broken

If you're getting no aggregate reports, the rua= address is the suspect. Possibilities:

  • Mailbox doesn't exist
  • Mailbox bounces or rejects reports (they arrive as zipped XML attachments, which spam filters sometimes block)
  • Cross-domain rua= without the authorising record at the destination: when reports for yourdomain.com go to a mailbox at reports.example, the operator of reports.example must publish a TXT record named yourdomain.com._report._dmarc.reports.example with the value v=DMARC1, or receivers refuse to send there
  • Typo in the email address, or a URI that does not start with mailto:

Test by sending a small message to the rua= address from outside; if it bounces, fix the mailbox.
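Causes 3, 4 and 5 can all be checked offline before the record is published. The following is an added example, not code from the original article: it takes the TXT strings a lookup of _dmarc.<domain> returns (one string per record, with a split record's pieces already joined), keeps only the ones that are DMARC records, validates the tags, and for every rua= destination outside your domain prints the authorisation record name the destination must publish. The sample records, domain names and the rule "a destination at or under policy_domain counts as internal" are assumptions made for the example; a real receiver compares organisational domains using the public suffix list.

```python
"""Offline checks for DMARC causes 3, 4 and 5 (added example, not the page's code)."""
from dataclasses import dataclass, field

VALID_P = {"none", "quarantine", "reject"}
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"  # what a word processor turns " and ' into


@dataclass
class DmarcCheck:
    record: str = ""
    tags: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)
    # For every rua= destination outside policy_domain: the TXT name the
    # destination must publish (with value v=DMARC1) before reports flow.
    auth_lookups: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is legal
        if "=" not in part:
            raise ValueError(f"tag without '=': {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def rua_destination_domain(uri: str) -> str:
    """'mailto:dmarc@x.example!10m' -> 'x.example' (the !size suffix is legal)."""
    if not uri.lower().startswith("mailto:"):
        raise ValueError(f"rua URI must use the mailto: scheme: {uri!r}")
    address = uri[len("mailto:"):].split("!", 1)[0]
    if address.count("@") != 1 or not address.split("@")[1]:
        raise ValueError(f"rua address has no domain part: {uri!r}")
    return address.split("@")[1].lower()


def check_dmarc(policy_domain: str, txt_strings: list) -> DmarcCheck:
    res = DmarcCheck()
    policy_domain = policy_domain.lower()
    # Cause 3: only strings beginning with v=DMARC1 are DMARC records. Other
    # TXT data at the name is ignored, but two DMARC records cancel each other.
    candidates = [s for s in txt_strings if s.startswith("v=DMARC1")]
    if not candidates:
        res.errors.append(f"no TXT string at _dmarc.{policy_domain} starts with v=DMARC1")
        return res
    if len(candidates) > 1:
        res.errors.append(f"{len(candidates)} DMARC records published; receivers discard all of them")
        return res
    res.record = record = candidates[0]
    # Cause 4: syntax.
    if any(ch in record for ch in CURLY_QUOTES):
        res.errors.append("curly quote character in record (pasted from a word processor?)")
    try:
        res.tags = parse_tags(record)
    except ValueError as exc:
        res.errors.append(str(exc))
        return res
    p = res.tags.get("p")
    if p is None:
        res.errors.append("p= tag missing (required)")
    elif p.lower() not in VALID_P:
        res.errors.append(f"p={p!r} is not one of none/quarantine/reject")
    pct = res.tags.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        res.errors.append(f"pct={pct!r} is not an integer 0-100")
    # Cause 5: every rua= destination must be a mailto: URI, and an external
    # destination must opt in via <policy_domain>._report._dmarc.<dest domain>.
    # Assumption: anything at or under policy_domain is treated as internal.
    for uri in filter(None, (u.strip() for u in res.tags.get("rua", "").split(","))):
        try:
            dest = rua_destination_domain(uri)
        except ValueError as exc:
            res.errors.append(str(exc))
            continue
        if dest != policy_domain and not dest.endswith("." + policy_domain):
            res.auth_lookups.append(f"{policy_domain}._report._dmarc.{dest}")
    return res


# Constructed sample lookups for _dmarc.example.com (made up for this example).
SAMPLE_OK = [
    "google-site-verification=abc123",  # unrelated TXT at the same name is ignored
    "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com,"
    " mailto:example.com@reports.vendor.example!10m",
]
SAMPLE_DUPLICATE = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com", "v=DMARC1; p=reject"]
SAMPLE_TYPOS = ["v=DMARC1; p=quaranteene; pct=ten; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    for label, strings in [("ok", SAMPLE_OK), ("duplicate", SAMPLE_DUPLICATE), ("typos", SAMPLE_TYPOS)]:
        r = check_dmarc("example.com", strings)
        print(label, "OK" if r.ok else r.errors, r.auth_lookups)
```

For the SAMPLE_OK record the check passes and reports one authorisation name to query, example.com._report._dmarc.reports.vendor.example, which must answer with a TXT of v=DMARC1 before the vendor mailbox receives anything. Feed the script the strings from your own dig output to get the same verdicts for your domain.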

08

6. SPF and DKIM aren't actually publishing

DMARC depends on SPF and DKIM. If neither is configured, every message fails DMARC and your reports show 100% failure across all senders. Existence is not the whole story, though: DMARC only counts an SPF or DKIM pass whose domain aligns with the visible From domain. A message can pass SPF for a vendor's bounce domain and carry a valid DKIM signature for the vendor's domain and still fail DMARC for yours.

A dig +short TXT yourdomain.com should show a string starting v=spf1. A DKIM check requires knowing your selector, but most providers default to one (google._domainkey for Google Workspace, selector1._domainkey for Microsoft 365); run the same dig command against selector._domainkey.yourdomain.com and expect a string containing p= followed by the public key.
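The alignment rule from cause 6, as an added example that is not part of the original article: given the From domain and the domains SPF and DKIM actually authenticated, it returns the DMARC verdict under strict (s) or relaxed (r) alignment. The sample message and domain names are constructed, and org_domain is passed in by the caller; a real evaluator derives the organisational domain from the public suffix list.

```python
"""DMARC identifier alignment (added example, not the page's code)."""


def in_org(domain: str, org_domain: str) -> bool:
    """True if domain is org_domain or a subdomain of it (caller supplies org_domain)."""
    domain, org_domain = domain.lower(), org_domain.lower()
    return domain == org_domain or domain.endswith("." + org_domain)


def aligned(from_domain: str, auth_domain: str, mode: str, org_domain: str) -> bool:
    """mode 's' (strict) needs an exact match; 'r' (relaxed, the default)
    accepts any two names inside the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return in_org(from_domain, org_domain) and in_org(auth_domain, org_domain)


def dmarc_verdict(from_domain, org_domain, spf_domain=None, dkim_domains=(),
                  aspf="r", adkim="r"):
    """spf_domain: the MAIL FROM (or HELO) domain if SPF returned pass, else None.
    dkim_domains: d= of every signature that verified. DMARC passes if any
    passing identifier aligns with from_domain; otherwise it fails with a reason."""
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, aspf, org_domain)
    dkim_ok = any(aligned(from_domain, d, adkim, org_domain) for d in dkim_domains)
    if spf_ok or dkim_ok:
        return "pass"
    if spf_domain is None and not dkim_domains:
        return "fail: neither SPF nor DKIM passed (nothing published?)"
    return "fail: SPF/DKIM passed but for a domain that does not align with From"


if __name__ == "__main__":
    # Constructed message: From example.com, bounces on a subdomain, vendor-signed DKIM.
    print(dmarc_verdict("example.com", "example.com",
                        spf_domain="bounce.example.com", dkim_domains=["vendor.example"]))
    # Same message under strict SPF alignment (aspf=s in the DMARC record).
    print(dmarc_verdict("example.com", "example.com",
                        spf_domain="bounce.example.com", aspf="s"))
```

The first call passes only because relaxed SPF alignment accepts bounce.example.com for a From of example.com; the vendor's DKIM signature contributes nothing. Switching the record to aspf=s turns the same message into a failure, which is the usual surprise when reports show SPF passing yet DMARC failing.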

09

7. You're testing too soon

DNS changes take effect once cached copies expire, which is usually minutes but can be up to the old TTL. Aggregate reports are sent on a daily cycle by most receivers, so the first ones typically arrive within 24 to 48 hours, and only if mail claiming your domain actually reached a receiver that sends reports; not every receiver does. If you published the record an hour ago and expect immediate reports, you're early. Allow 48 to 72 hours before deciding the record isn't working.

10

Step-by-step troubleshooting approach

In order:

  1. Verify the record is published and unique. dig +short TXT _dmarc.yourdomain.com returns exactly one string starting v=DMARC1.
  2. Validate syntax. Run it through any DMARC validator.
  3. Confirm SPF and DKIM exist and align with the From domain. They're prerequisites; without them you can't measure anything.
  4. Check rua= deliverability. Send a test email to that address from outside, and for a destination in another domain confirm its yourdomain.com._report._dmarc.<destination> authorisation record exists.
  5. Wait 48 to 72 hours, then check reports. If still nothing, escalate to deeper diagnostics.

The companion article on common DMARC errors covers the deeper-diagnostic side.

11

Best practices

  • Use a DMARC checker right after publishing. Catches syntax errors and DNS-name mistakes in seconds.
  • Don't iterate on production. If you're experimenting, use a low-TTL subdomain first.
  • Document the record. Future-you needs to know why each tag is set the way it is.
  • Monitor for unexpected changes. A DNS provider's automated cleanup can occasionally delete records. Set a periodic check.
  • Keep TTL low during rollouts. 300-3600 seconds. Raise it once stable.

12

Run through the seven causes in order on your domain right now. The fix is usually obvious once the cause is identified. If you've worked through all seven and still see no activity, the next stop is how to fix "no DMARC record found" — which covers the case where the record genuinely isn't being seen by anyone.

13

FAQ

Why does dig show no record when I just published one?

Caching. Resolvers keep the old answer (including a cached "no such record") until its TTL expires; if your provider's TTL is high (24 hours), that can take a while. To see what is actually published right now, query one of your domain's authoritative nameservers directly by appending @ and its name to the dig command, which bypasses the caches.

Can a wrong TTL break DMARC?

TTL doesn't break DMARC, but it slows down iteration. A high TTL means changes to your record take longer to take effect. Keep TTL low while you're iterating.

My validator says the record is fine but I get no reports. What now?

Usually the rua= mailbox: test deliverability to that address, and if it lives in another domain, confirm that domain publishes the authorisation record for yours. The other common reason is that no reporting receiver has seen mail from your domain yet, in which case there is simply nothing to report.

Can a DMARC record be too long for DNS?

TXT records can hold up to 255 characters per string. A long DMARC record can be split across multiple quoted strings within a single TXT record — most DNS providers handle this automatically.

Will a non-working DMARC record affect mail flow?

In general, no. An invalid or non-existent DMARC record means receivers apply no DMARC policy, which is the same as having no record, so mail flows as it did before. The risk is silent: you think you're protected when you're not. The one exception is receivers that require bulk senders to publish a DMARC record (Google's and Yahoo's bulk-sender requirements, for instance); for high-volume senders to those receivers, a missing or unparseable record can affect deliverability.

14

Final thoughts

DMARC's silent-failure mode is what makes it tricky for first-time implementers. Receivers don't tell you the record is broken; they just ignore it. The seven causes above are virtually all there is — once you've ruled them out, the record is almost certainly working and the question is whether the data is being interpreted correctly.

A 10-minute checklist run-through after every change catches most issues before they become a "nothing's happening" mystery.

Ready to Implement?

Get authenticated mail moving in minutes — start free, book a guided demo, or talk to the team about your stack.