10 Most Common Errors in DMARC Records
Our extensive study on SPF, DKIM, and DMARC across the top 1 million websites revealed that nearly 5,000 domains have invalid DMARC records. Below, we present the top 10 most common errors we encountered.
1. Multiple DMARC TXT Records
DMARC records are stored in the Domain Name System (DNS) as TXT records under a specific subdomain named _dmarc, such as _dmarc.example.com. Each domain is permitted only a single DMARC record. If a DNS query returns either “multiple records or no records, policy discovery terminates and DMARC processing is not applied to this message.” (RFC 7489). Consequently, having multiple DMARC records at once is effectively the same as having no record at all.
In our analysis of the DNS records for the top domains, we discovered more than 3,000 instances where two or more DMARC records were present. A prominent example is abercrombie.com:
$ dig TXT _dmarc.abercrombie.com | grep \"v=DMARC1
_dmarc.abercrombie.com. 0 IN TXT "v=DMARC1; p=none; fo=1; rua=mailto:dmarc_rua@emaildefense.proofpoint.com,mailto:Compliance_Reports@anfcorp.com; ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com,mailto:Compliance_Reports@anfcorp.com"
_dmarc.abercrombie.com. 0 IN TXT "v=DMARC1; p=none"
2. Missing or Incorrect v=DMARC1 Version Tag
A DMARC record must begin with a version tag (v=DMARC1), followed by a semicolon (;). Leading whitespace before the version tag is not permitted, and DMARC1 must be spelled exactly as shown, not in lowercase. We encountered several examples that did not adhere to these specifications, rendering them invalid:
v=dmarc1;p=none; (outkick.com)
v=DMARC1; p=none; pct=100; fo=1; ri=3600; rua=mailto:5280d7eb@inbox.ondmarc.com; ruf=mailto:5280d7eb@inbox.ondmarc.com; (nic.io)
v=DMARC; p=none; pct=100; rua=mailto:dmarcreports@parhasard.net (xemacs.org)
v=DMARCl; p=reject; rua=mailto:abuse@corp.sputnik.ru; sp- reject; aspf-s; adkim=s; ri=604800 (sputnik.ru)
p=reject;rua=mailto:rua@lseg.com;ruf=mailto:ruf@lseg.com;aspf=s;adkim=s;fo=1 (loanconnector.com)
3. Incorrect Separators
Proper separator usage within a DMARC record is critical: semicolons (;) separate tags, while commas (,) are used within rua and ruf tags to delimit addresses (e.g., rua=mailto:john@example.com,mailto:jane@example.com), and the value of an fo tag must be a list separated by commas (e.g., fo=0:d:s).
However, this distinction can lead to confusion, as seen in the following incorrect DMARC records:
v=DMARC1; p=reject; sp=reject; adkim=r, aspf=r, pct=100; (bonkerscorner.com): Commas (,) after aspf and pct tags instead of semicolons (;)
v=DMARC1; p=none; rua=mailto:noc@changeip.cc ruf=mailto:noc@changiep.cc; fo=1 (changeip.com): Missing ; between the rua and ruf tags
v=DMARC1; p=none; rua=mailto:dns@aiuniv.edu;mailto:j1PbcZAeNO@dmarc.inboxmonster.com; (coloradotech.edu): Email addresses separated with ; instead of ,
4. Invalid Email Address URIs
DMARC records may contain rua and ruf tags for specifying where summaries and detailed reports on email verification results should be sent. These addresses must be complete URIs, requiring a mailto: prefix for email addresses, as in mailto:jane@example.com. Consequently, a record such as v=DMARC1; p=reject; fo=1; rua=dmarc_rua@emaildefense.proofpoint.com; ruf=dmarc_ruf@emaildefense.proofpoint.com at collinsdictionary.com is invalid due to the lack of a mailto: prefix.
Additionally, we observed numerous DMARC records mistakenly including email addresses without a rua= or ruf= prefix, such as the following from mysonicwall.com: v=DMARC1; p=reject; mailto:itops@sonicwall.com; pct=100; adkim=s; aspf=s. Other instances of clearly invalid email addresses in DMARC records include:
v=DMARC1;p=none ;rua=mailto: ;ruf=mailto: (kfc.co.jp)
v=DMARC1; p=reject; rua=mailto:d.agari.com; ruf=mailto:d.agari.com; (icloud-content.com)
v=DMARC1; p=none; rua=mailto:dmarc-reports@ (oxiapps.com)
v=DMARC1; p=none; rua=mailto:none; ruf=mailto:none; fo=1 (petpoisonhelpline.com)
5. Missing p Policy Tag
A DMARC record must include two mandatory tags to be considered valid: the version tag (v=DMARC1) and the policy tag (p). Consequently, the simplest valid DMARC record is v=DMARC1;p=none. However, we discovered records at hundreds of domains only containing v=DMARC1, lacking a policy tag.
6. Duplicate Tags
While the DMARC specification does not explicitly dictate how parsers should deal with multiple instances of the same tag within a DMARC record, it’s reasonable to conclude that multiple separate tags for identical purposes can result in unpredictable outcomes and, as such, should be avoided. Consider the following examples, which include duplicate and conflicting values for p, sp, and pct tags:
v=DMARC1; p=none; p=quarantine; rua=mailto:dmarc-reports@toriihq.com,mailto:8ob53p4w@ag.dmarcian.com (toriihq.com)
v=DMARC1; p=quarantine; sp=quarantine; pct=100; sp=none; rua=mailto:squad.informatique@pathe.fr (pathe.fr)
v=DMARC1; p=quarantine; pct=5; rua=mailto:robot@keenetic.cloud; pct=90; sp=none (keenetic.cloud)
Additionally, the misuse of duplicate rua and ruf tags to indicate multiple report recipient addresses was also frequently observed:
v=DMARC1;p=none;pct=100;rua=mailto:mailadmin@perpay.com;rua=mailto:re+oldibvzoxux@dmarc.postmarkapp.com; (perpay.com)
v=DMARC1; p=quarantine; ruf=mailto:devops.alerts@foodhub.com; rua=mailto:noreply@foodhub.co.uk; ruf=mailto:noreply@foodhub.co.uk; fo=1 (foodhub.co.uk)
To correctly specify multiple email URIs, they should be consolidated within a single tag, separated by commas (e.g., rua=mailto:john@example.com,mailto:jane@example.com).
7. Empty Tags
While only the v (version) and p (policy) tags are mandatory in a DMARC record, any additional tags that are included must be assigned a value. Records that feature rua, ruf, or fo tags without any values are considered invalid. For example:
v=DMARC1; p=none; rua=; ruf=; sp=none; ri=86400 (parklogic.com)
v=DMARC1; p=none; sp=none; fo=; ri=3600 (pinsightmedia.com)
8. Misspelled Tag Names and Tag Values
Creating or updating DMARC records by hand can easily lead to mistakes, especially with tricky names like aspf or specific values such as quarantine. Here are some typical misspellings we came across in our study:
v=DMARC1; p=none; sp=none; adkim=r; spf=r; pct=100; ruf=mailto:dmarc@patchman.co; rua=mailto:dmarc@patchman.co; (patchman.co): spf= instead of aspf=
v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:fmoreno@europa3.com; ptc=100 (europa3.com): ptc= instead of pct=
v=DMARC1; p=reject; ps=reject; pct=100; ri=86400; rua=mailto:spam@ludwig.guru (ludwig.guru): ps= instead of sp=
v=DMARC1; p=quarentine; rua=mailto:seguranca@gupy.com.br; (gupy.io): quarentine instead of quarantine
9. Quotes Around the DMARC Record
As we’ve established, DMARC records must begin precisely with v=DMARC1. However, we observed hundreds of records enclosed in single or double quotes, which invalidates the entire record. For instance:
"v=DMARC1; p=reject;" (cloud.us)
'v=DMARC1; p=reject;' (finland.fi)
10. Unexpected Characters in the Record
We encountered numerous DMARC records containing unexpected characters, particularly control characters such as tabs (ASCII character code 9), line feeds (ASCII code 10), and carriage returns (ASCII code 13). One notable example is the DMARC record for nysenate.gov:
$ dig +short TXT _dmarc.nysenate.gov
"v=DMARC1; p=none;\013 rua=mailto:dmarcreports@nysenate.gov"
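The ten error classes above can be checked mechanically before a record is published. The following linter is an added example, not code from this article or its DMARC Checker; the function names and finding codes are made up for illustration, it accepts only mailto: report URIs, and it does not validate fo, pct, ri or rf values.

```python
import re

KNOWN_TAGS = {"v", "p", "sp", "adkim", "aspf", "pct", "fo", "rf", "ri", "rua", "ruf"}
POLICIES = {"none", "quarantine", "reject"}
# mailto: URI with a local part and a dotted domain; optional "!10m" size limit.
MAILTO = re.compile(r"mailto:[^@\s,;!]+@[^@\s,;!]+\.[^@\s,;!]+(![0-9]+[kmgt]?)?")

def lint_record(txt):
    """Return finding codes for one DMARC TXT string; an empty list means clean."""
    findings = []
    if re.search(r"[\x00-\x1f\x7f]", txt):          # tab, LF, CR and friends
        findings.append("control-character")
    if txt.startswith(('"', "'")):                   # quotes stored inside the record
        findings.append("quoted-record")
    if not re.match(r"v=DMARC1\s*(;|$)", txt):       # exact, case-sensitive, first
        findings.append("bad-version")
    seen = set()
    # Split on the tag separator; skip empty parts left by a trailing ";".
    for part in filter(str.strip, txt.strip("\"'").split(";")):
        name, eq, value = (s.strip() for s in part.partition("="))
        if not eq:                                   # e.g. a bare "mailto:..." part
            findings.append(f"not-a-tag:{part.strip()}")
            continue
        if name in seen:
            findings.append(f"duplicate-tag:{name}")
        seen.add(name)
        if name not in KNOWN_TAGS:                   # misspellings such as ptc, ps
            findings.append(f"unknown-tag:{name}")
        elif not value:
            findings.append(f"empty-tag:{name}")
        elif "=" in value:                           # heuristic: next tag ran into this one
            findings.append(f"bad-separator:{name}")
        elif name in ("p", "sp") and value not in POLICIES:
            findings.append(f"bad-value:{name}")
        elif name in ("rua", "ruf") and not all(
                MAILTO.fullmatch(u.strip()) for u in value.split(",")):
            findings.append(f"bad-uri:{name}")
    if "p" not in seen:
        findings.append("missing-policy")
    return findings

def lint_rrset(txt_strings):
    """Single-record rule over every TXT string found at _dmarc.<domain>."""
    usable = [t for t in txt_strings if t.startswith("v=DMARC1")]
    if len(usable) != 1:
        return ["multiple-records" if usable else "no-usable-record"]
    return lint_record(usable[0])

if __name__ == "__main__":
    print(lint_record("v=DMARC1; p=quarentine; rua=mailto:seguranca@gupy.com.br;"))
```

Pass lint_rrset the decoded TXT strings from the DNS answer, not dig's presentation format: dig prints a carriage return as the decimal escape \013, while the linter expects the raw byte.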
Wrapping It Up
Errors in DMARC records are surprisingly easy to make, as we’ve detailed in this article. A practical way to identify and fix these issues is using our DMARC Checker. Give it a try, and don’t forget to explore our articles on the most common SPF configuration errors and DKIM record mistakes.