Introduction
Most DMARC operational issues fall into a small set of recurring errors. This article catalogs the ten you're most likely to hit, what each one means, and the fix. Bookmark this page when you're early in a rollout — you'll come back to it.
Why this topic matters
DMARC fails silently. A misconfiguration doesn't bounce mail or produce a visible alert; it just shows up as a lower pass rate in your aggregate reports. Knowing the named errors compresses diagnosis from "something is wrong" to "this specific cause; here's the fix."
The ten errors
1. "No DMARC record found"
Cause: The record isn't published, or is published at the wrong DNS name (it must live at _dmarc.yourdomain.com). Fix: Publish it at the correct name; "Fix no DMARC record found" covers the full diagnostic.
2. "Multiple DMARC records"
Cause: Two (or more) TXT records beginning with v=DMARC1 exist at _dmarc.yourdomain.com. Receivers treat multiple records as no record at all, so your policy silently stops applying. Fix: Delete the duplicates and keep only the current one.
3. "SPF alignment failure"
Cause: SPF passes for the envelope-from (Return-Path) domain, but that domain differs from the From header domain, so the pass doesn't align. Common with SaaS senders. Fix: Either enable custom DKIM for the sender (preferred), or move the sender behind a subdomain whose envelope-from matches its From. See "DMARC alignment explained".
4. "DKIM signature missing"
Cause: The sending platform isn't signing with DKIM, or is signing with the platform's own domain. Fix: Enable custom DKIM at the sending platform. Most major platforms support this; some don't, in which case isolate the sender on a subdomain.
5. "SPF too many DNS lookups"
Cause: Stacked include: references push the record past RFC 7208's limit of 10 DNS-querying terms, at which point receivers stop evaluating SPF for the domain. Fix: SPF flattening, or restructure to reduce includes. Some senders can be moved to DKIM-only authentication, removing them from SPF entirely. See "SPF too many DNS lookups: how to fix it".
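A way to see where the lookup budget goes before you flatten, as an added example (my code, not from the article): it walks a constructed set of SPF records and counts every term that costs a DNS query, the way a receiver's evaluator does. The domain names and records are placeholders I made up.

```python
# Constructed SPF zone standing in for live DNS answers (placeholder names, not real records).
SPF_ZONE = {
    "example.com": "v=spf1 include:_spf.crm.example include:_spf.mail.example "
                   "include:_spf.notify.example mx -all",
    "_spf.crm.example": "v=spf1 include:a.crm.example include:b.crm.example ~all",
    "a.crm.example": "v=spf1 ip4:192.0.2.0/24 a -all",
    "b.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.mail.example": "v=spf1 redirect=_spf2.mail.example",
    "_spf2.mail.example": "v=spf1 a mx exists:%{i}.chk.mail.example -all",
    "_spf.notify.example": "v=spf1 a -all",
}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
COUNTED = {"include", "redirect", "a", "mx", "ptr", "exists"}  # terms that cost a DNS query

def count_lookups(domain, zone=SPF_ZONE, path=()):
    """Count DNS-querying terms across the domain's whole SPF tree.

    Returns (total, trail); trail lists each counted term as 'domain:term' so
    you can see which include chain is spending the budget.
    """
    if domain in path:                      # include/redirect loop: stop descending
        return 0, []
    total, trail = 0, []
    for term in zone.get(domain, "").split()[1:]:   # skip the v=spf1 version term
        term = term.lstrip("+-~?").split("/")[0]    # drop qualifier and CIDR suffix
        if "=" in term and ":" not in term:         # modifier syntax, e.g. redirect=
            name, _, value = term.partition("=")
        else:                                       # mechanism syntax, e.g. include:
            name, _, value = term.partition(":")
        if name not in COUNTED:                     # ip4, ip6, all cost nothing
            continue
        total += 1
        trail.append(f"{domain}:{term}")
        if name in ("include", "redirect"):         # these pull in another record
            sub_total, sub_trail = count_lookups(value, zone, path + (domain,))
            total += sub_total
            trail.extend(sub_trail)
    return total, trail

def spf_lookup_status(domain, zone=SPF_ZONE):
    """(total, over_limit) for the domain; over_limit means receivers give up on SPF."""
    total, _ = count_lookups(domain, zone)
    return total, total > LOOKUP_LIMIT

if __name__ == "__main__":
    total, trail = count_lookups("example.com")
    print(f"{total} lookups (limit {LOOKUP_LIMIT})")
    print("\n".join("  " + t for t in trail))
```

Dropping the notify sender from SPF (moving it to DKIM-only, as the fix above suggests) takes the constructed zone from 12 lookups back to 10.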
6. "Syntax error in DMARC record"
Cause: Typo in tag name, value, or punctuation. Common offenders: smart quotes from a word processor, missing semicolons, misspelled policy values. Fix: Re-paste the record from a known-good source. Validate with any DMARC checker.
7. "Aggregate reports not arriving"
Cause: The rua= mailbox doesn't exist, is filtering the reports, or sits on another domain that hasn't authorized receiving them. Fix: Test mailbox deliverability; if the mailbox is on another domain, that domain must publish a TXT record named yourdomain.com._report._dmarc.<destination domain> containing v=DMARC1 (the external-destination authorization from RFC 7489).
8. "Subdomain mail being rejected unexpectedly"
Cause: With no sp= tag, subdomains inherit the parent's p= policy, so mail from a subdomain sender that isn't covered by the parent domain's SPF and DKIM setup fails. Fix: Set sp= explicitly. For subdomains with their own senders, publish a separate DMARC record at _dmarc.<subdomain>. See "DMARC for subdomains".
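A small checker for errors 2, 6 and 8 together, added here as an example (my code, not the article's): it takes constructed answers to "dig +short TXT _dmarc.<domain>", reports duplicates, the common syntax slips (smart quotes, a missing semicolon, a misspelled policy value), and shows which policy subdomains actually inherit when sp= is absent. The domains and records are placeholders.

```python
# Constructed answers to "dig +short TXT _dmarc.<domain>" (example values, not real records).
TXT_ANSWERS = {
    "good.example":    ["v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@good.example"],
    "inherit.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@inherit.example"],
    "dupe.example":    ["v=DMARC1; p=none; rua=mailto:a@dupe.example",
                        "v=DMARC1; p=reject; rua=mailto:b@dupe.example"],
    "typo.example":    ["v=DMARC1; p=quarentine; rua=mailto:dmarc@typo.example"],
    "quotes.example":  ["\u201cv=DMARC1; p=reject; rua=mailto:dmarc@quotes.example\u201d"],
    "nosemi.example":  ["v=DMARC1 p=reject rua=mailto:dmarc@nosemi.example"],
}
POLICIES = {"none", "quarantine", "reject"}
SMART_QUOTES = "\u201c\u201d\u2018\u2019"

def validate_dmarc(domain, answers=TXT_ANSWERS):
    """Check the TXT answers for _dmarc.<domain>.

    Returns (findings, tags): findings lists errors by the names used in the
    catalog above (empty means usable); tags is the parsed record plus
    'effective_sp', the policy subdomains actually receive.
    """
    raw = answers.get(domain, [])
    findings = ["Syntax error: smart quotes in record" for r in raw if any(c in SMART_QUOTES for c in r)]
    records = [r.strip(SMART_QUOTES + '"') for r in raw]
    records = [r for r in records if r.lower().startswith("v=dmarc1")]  # other TXT data is ignored
    if not records:
        return findings + ["No DMARC record found"], {}
    if len(records) > 1:
        return findings + ["Multiple DMARC records: receivers treat this as no record"], {}
    tags = {}
    for part in records[0].split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part or " " in part:  # a missing semicolon fuses neighbouring tags
            findings.append(f"Syntax error: cannot parse '{part}'")
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in POLICIES:
        findings.append(f"Syntax error: unknown policy p={tags.get('p')}")
    if "sp" in tags and tags["sp"] not in POLICIES:
        findings.append(f"Syntax error: unknown policy sp={tags['sp']}")
    tags["effective_sp"] = tags.get("sp", tags.get("p"))  # no sp= means subdomains inherit p=
    return findings, tags
```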
9. "Forwarded mail failing DMARC"
Cause: Forwarder rewrites the From header or breaks SPF without preserving DKIM. Fix: Identify the forwarder; if a mailing list, work with the list operator to enable DKIM passing or From-header rewriting. Most modern mailing-list software handles this correctly.
10. "Sender count higher than expected"
Cause: Tools and platforms you didn't know about are sending as your domain. Most reports surface 2-3 unexpected senders per audit. Fix: Inventory each one; "How to handle third-party senders during DMARC projects" covers the categorization process.
Step-by-step approach to diagnosing an issue
Most diagnoses follow the same flow:
- Confirm the record exists and is unique:
  dig +short TXT _dmarc.yourdomain.com
- Check the most recent aggregate reports. Sender-by-sender pass rate.
- Identify the failing sender. Source IP, sender hostname.
- Diagnose the specific failure type. SPF? DKIM? Alignment? Multiple?
- Apply the named fix. Most fall into the ten above.
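The report-reading and failure-typing steps of that flow in code, as an added example (mine, not the article's): it parses a constructed aggregate (rua) report in the RFC 7489 XML layout, checks each sender row for an aligned SPF or DKIM pass, and labels the failures with the names from the catalog above (errors 3 and 4, the "both fail" case behind errors 9 and 10, and the "low pass rate" FAQ). Assumed simplification: relaxed alignment compares the last two labels instead of consulting the Public Suffix List.

```python
import xml.etree.ElementTree as ET
# Constructed rua report (RFC 7489 Appendix C layout): documentation-range IPs, placeholder domains.
SAMPLE_RUA = """<feedback>
<policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>1200</count></row><identifiers><header_from>example.com</header_from></identifiers>
<auth_results><dkim><domain>example.com</domain><result>pass</result></dkim><spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>300</count></row><identifiers><header_from>example.com</header_from></identifiers>
<auth_results><dkim><domain>crm-platform.example</domain><result>pass</result></dkim><spf><domain>bounce.crm-platform.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.9</source_ip><count>80</count></row><identifiers><header_from>example.com</header_from></identifiers>
<auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.50</source_ip><count>20</count></row><identifiers><header_from>example.com</header_from></identifiers>
<auth_results><dkim><domain>example.com</domain><result>fail</result></dkim><spf><domain>lists.forwarder.example</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def aligned(auth_domain, header_from, mode):
    """Strict ('s') alignment is an exact match; relaxed ('r') compares organizational domains."""
    org = lambda n: ".".join(n.lower().split(".")[-2:])  # simplification: no Public Suffix List
    return auth_domain.lower() == header_from.lower() if mode == "s" else org(auth_domain) == org(header_from)

def classify(record, adkim, aspf):
    """Name the failure type for one <record>, using the labels from the catalog above."""
    hfrom = record.findtext("identifiers/header_from")
    dkims = record.findall("auth_results/dkim")
    dkim_pass = [d for d in dkims if d.findtext("result") == "pass"]
    spf_pass = [s for s in record.findall("auth_results/spf") if s.findtext("result") == "pass"]
    if any(aligned(d.findtext("domain"), hfrom, adkim) for d in dkim_pass):
        return "pass"                       # DKIM passed with an aligned d= domain
    if any(aligned(s.findtext("domain"), hfrom, aspf) for s in spf_pass):
        return "pass"                       # SPF passed with an aligned envelope domain
    if not dkims:
        return "DKIM signature missing"
    if dkim_pass:
        return "DKIM misaligned: signed with the platform's own domain"
    if spf_pass:
        return "SPF alignment failure"
    return "SPF and DKIM both fail: unknown sender or forwarder"

def triage(xml_text):
    """Return (pass_rate, rows) where rows = [(source_ip, count, verdict)], one per sender."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    adkim, aspf = pub.findtext("adkim", "r"), pub.findtext("aspf", "r")
    rows, total, passed = [], 0, 0
    for rec in root.findall("record"):
        ip, n = rec.findtext("row/source_ip"), int(rec.findtext("row/count"))
        verdict = classify(rec, adkim, aspf)
        rows.append((ip, n, verdict))
        total, passed = total + n, passed + (n if verdict == "pass" else 0)
    return round(passed / total, 3), rows
```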
If a problem doesn't match any of the ten, it's usually a sender-specific configuration issue that the platform's documentation will address. Check the provider integration guides for Microsoft 365, Google Workspace, Mailchimp, SendGrid, and similar.
Best practices
- Validate every record change. A DMARC checker takes 30 seconds; debugging a broken record takes hours.
- Read aggregate reports weekly. Patterns surface earlier than incidents.
- Document the senders you've validated. A simple list saves the next audit time.
- Keep a runbook. When the engineer who set this up leaves, the next one needs to operate it.
- Use a DMARC platform. Automated alerts catch most of the ten errors before they affect operations.
Recommended next step
Pull your most recent aggregate report. Skim for any of the ten patterns above. If you find one, apply the fix. If you find none, the rollout is healthy and you can plan the next policy move.
FAQ
Will an SPF error block DMARC entirely?
No, provided DKIM is configured and aligned. DMARC passes if either SPF or DKIM passes with alignment. A broken SPF is a problem to fix but not a complete block.
What's the most common cause of "low pass rate"?
Misaligned DKIM. The sender platform signs with its own domain (e.g., mailchimp.com) rather than yours. Switch to custom DKIM.
Can multiple DMARC records be merged?
Not automatically. They have to be merged manually into a single record, and only the merged record kept.
Does an SPF hard fail (-all) help?
Marginally. The -all indicates SPF's own enforcement preference, but DMARC's p= is what actually drives action. Use whichever SPF policy you prefer; DMARC's role is separate.
What if I see a sender I can't identify?
Reverse-DNS the source IP. If still unknown, check public threat intelligence (AbuseIPDB, Spamhaus). Most unknowns resolve to either a SaaS your team is using or an attacker probe.
Final thoughts
The ten errors above account for the vast majority of DMARC operational issues. Most are 5-minute fixes once diagnosed. The skill is recognizing them quickly from reports, which is the operational muscle you build over the first few weeks of a rollout.
When in doubt, the order of operations is: confirm the record, read the reports, identify the sender, diagnose the failure type, apply the named fix. That sequence resolves nearly everything.