10 Most Common Errors in DMARC Records

Our extensive study on SPF, DKIM, and DMARC across the top 1 million websites revealed that nearly 5,000 domains have invalid DMARC records. Below, we present the top 10 most common errors we encountered.

1. Multiple DMARC TXT Records

DMARC records are stored in the Domain Name System (DNS) as TXT records under a specific subdomain named _dmarc, such as _dmarc.example.com. Each domain is permitted only a single DMARC record. If a DNS query returns either “multiple records or no records, policy discovery terminates and DMARC processing is not applied to this message.” (RFC 7489). Consequently, having multiple DMARC records at once is effectively the same as having no record at all.

In our analysis of the DNS records for the top domains, we discovered more than 3,000 instances where two or more DMARC records were present. A prominent example is abercrombie.com:

$ dig TXT _dmarc.abercrombie.com | grep \"v=DMARC1
_dmarc.abercrombie.com. 0       IN      TXT     "v=DMARC1; p=none; fo=1; rua=mailto:dmarc_rua@emaildefense.proofpoint.com,mailto:Compliance_Reports@anfcorp.com; ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com,mailto:Compliance_Reports@anfcorp.com"
_dmarc.abercrombie.com. 0       IN      TXT     "v=DMARC1; p=none"

2. Missing or Incorrect v=DMARC1 Version Tag

A DMARC record must begin with a version tag (v=DMARC1), followed by a semicolon (;). Leading whitespace before the version tag is not permitted, and DMARC1 must be spelled exactly as shown, not in lowercase. We encountered several examples that did not adhere to these specifications, rendering them invalid:

3. Incorrect Separators

Proper separator usage within a DMARC record is critical: semicolons (;) separate tags, commas (,) are used within rua and ruf tags to delimit addresses (e.g., rua=mailto:john@example.com,mailto:jane@example.com), and the value of an fo tag must be a list separated by colons (e.g., fo=0:d:s).

However, this distinction can lead to confusion, as seen in the following incorrect DMARC records:

4. Invalid Email Address URIs

DMARC records may contain rua and ruf tags for specifying where summaries and detailed reports on email verification results should be sent. These addresses must be complete URIs, requiring a mailto: prefix for email addresses, as in mailto:jane@example.com. Consequently, a record such as v=DMARC1; p=reject; fo=1; rua=dmarc_rua@emaildefense.proofpoint.com; ruf=dmarc_ruf@emaildefense.proofpoint.com at collinsdictionary.com is invalid due to the lack of a mailto: prefix.

Additionally, we observed numerous DMARC records mistakenly including email addresses without a rua= or ruf= prefix, such as the following from mysonicwall.com: v=DMARC1; p=reject; mailto:itops@sonicwall.com; pct=100; adkim=s; aspf=s. Other instances of clearly invalid email addresses in DMARC records include:

5. Missing p Policy Tag

A DMARC record must include two mandatory tags to be considered valid: the version tag (v=DMARC1) and the policy tag (p). Consequently, the simplest valid DMARC record is v=DMARC1;p=none. However, we discovered records at hundreds of domains only containing v=DMARC1, lacking a policy tag.

6. Duplicate Tags

While the DMARC specification does not explicitly dictate how parsers should deal with multiple instances of the same tag within a DMARC record, it’s reasonable to conclude that multiple separate tags for identical purposes can result in unpredictable outcomes and, as such, should be avoided. Consider the following examples, which include duplicate and conflicting values for p, sp, and pct tags:

Additionally, the misuse of duplicate rua and ruf tags to indicate multiple report recipient addresses was also frequently observed:

To correctly specify multiple email URIs, they should be consolidated within a single tag, separated by commas (e.g., rua=mailto:john@example.com,mailto:jane@example.com).

7. Empty Tags

While only the v (version) and p (policy) tags are mandatory in a DMARC record, any additional tags that are included must be assigned a value. Records that feature rua, ruf, or fo tags without any values are considered invalid. For example:

8. Misspelled Tag Names and Tag Values

Creating or updating DMARC records by hand can easily lead to mistakes, especially with tricky names like aspf or specific values such as quarantine. Here are some typical misspellings we came across in our study:

9. Quotes Around the DMARC Record

As we’ve established, DMARC records must begin precisely with v=DMARC1. However, we observed hundreds of records enclosed in single or double quotes, which invalidates the entire record. For instance:

10. Unexpected Characters in the Record

We encountered numerous DMARC records containing unexpected characters, particularly control characters such as tabs (ASCII character code 9), line feeds (ASCII code 10), and carriage returns (ASCII code 13). One notable example is the DMARC record for nysenate.gov:

$ dig +short TXT _dmarc.nysenate.gov
"v=DMARC1; p=none;\013 rua=mailto:dmarcreports@nysenate.gov"
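The ten error classes above can be checked mechanically. The following Python checker is an added example, not the article's DMARC Checker; it takes the decoded TXT strings returned for _dmarc.<domain> (not dig's quoted display form), and the sample values in its comments are constructed.

```python
import re

# Constructed example: a minimal syntax checker for the TXT record set at
# _dmarc.<domain>, covering the ten error classes discussed above. Input is
# the decoded TXT string(s); a TXT that truly contains quotes starts with '"'.

VERSION_RE = re.compile(r"^v=DMARC1\s*(;|$)")       # exact case, no leading whitespace
MAILTO_RE = re.compile(r"^mailto:[^@\s,;]+@[^@\s,;]+$")
ALLOWED = {"p": {"none", "quarantine", "reject"}, "adkim": {"r", "s"}, "aspf": {"r", "s"}}
ALLOWED["sp"] = ALLOWED["p"]                        # closed value sets per RFC 7489
KNOWN = set(ALLOWED) | {"v", "rua", "ruf", "fo", "pct", "rf", "ri"}


def check_dmarc(records):
    """Return a list of problems; an empty list means the record set is clean."""
    if len(records) != 1:
        # RFC 7489 6.6.3: multiple or no records -> DMARC is not applied at all.
        return [f"expected exactly one DMARC record, found {len(records)}"]
    rec = records[0]
    problems = []
    if any(ord(c) < 32 for c in rec):               # tabs, LF, CR, etc.
        problems.append("record contains control characters")
    if rec[:1] in ("'", '"'):
        problems.append("record is wrapped in quotes")
    if not VERSION_RE.match(rec):
        problems.append("record must start with v=DMARC1 followed by ';'")
    seen = set()
    for part in filter(None, (s.strip() for s in rec.split(";"))):
        if "=" not in part:                         # e.g. a bare mailto: address
            problems.append(f"not a tag=value pair: {part!r}")
            continue
        tag, value = (s.strip() for s in part.split("=", 1))
        if tag in seen:
            problems.append(f"duplicate tag: {tag}")
        seen.add(tag)
        if tag not in KNOWN:                        # catches misspelled tag names
            problems.append(f"unknown tag: {tag}")
        if not value:
            problems.append(f"empty tag: {tag}")
        elif tag in ALLOWED and value not in ALLOWED[tag]:
            problems.append(f"invalid value for {tag}: {value!r}")
        elif tag in ("rua", "ruf"):                 # every URI needs a mailto: prefix
            bad = [u for u in value.split(",") if not MAILTO_RE.match(u.strip())]
            if bad:
                problems.append(f"{tag} has non-mailto URI(s): {bad}")
        elif tag == "fo" and not set(value.split(":")) <= {"0", "1", "d", "s"}:
            problems.append(f"fo must be a colon-separated list of 0/1/d/s: {value!r}")
    if "p" not in seen:
        problems.append("missing mandatory p tag")
    return problems
```

Feed it the list of TXT strings your resolver returns for the _dmarc name; two or more records, or none, is reported before any per-tag parsing, mirroring how receivers abandon DMARC processing in that case.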

Wrapping It Up

Errors in DMARC records are surprisingly easy to make, as we’ve detailed in this article. A practical way to identify and fix these issues is using our DMARC Checker. Give it a try, and don’t forget to explore our articles on the most common SPF configuration errors and DKIM record mistakes.