DMARCsimple

Troubleshooting

Solutions for the most common DMARC problems: records that will not verify, missing reports, legitimate mail failing alignment, third-party senders, and forwarding.

DMARC Record Not Found

If DMARCsimple cannot verify your record, work through these checks:

  • Wrong host name: the record must live at _dmarc.example.com. Some DNS editors append the domain automatically, producing _dmarc.example.com.example.com - enter just _dmarc in those interfaces.
  • Wrong record type: it must be a TXT record, not CNAME or SPF type.
  • Bad value: the value must begin with v=DMARC1 exactly. Smart quotes or a missing semicolon from a copy-paste will break parsing.
  • Multiple DMARC records: more than one TXT record at _dmarc invalidates DMARC entirely. Delete extras so exactly one remains.
  • Propagation: DNS changes can take from minutes up to 48 hours. Check with nslookup -type=txt _dmarc.example.com against a public resolver like 8.8.8.8.

Also confirm you edited DNS at the provider that actually hosts your zone - after migrations, old registrar panels are a common decoy.

Reports Not Arriving

The record verifies but the dashboard stays empty:

  • Give it time: receivers report on a daily cycle, so 24 to 48 hours of silence after publishing is normal.
  • Check the rua address: it must exactly match the reporting address DMARCsimple assigned to your domain. One wrong character sends reports into the void.
  • Low mail volume: reports are only generated by receivers that saw mail claiming to be from your domain. A domain that sends little mail produces little data.
  • External destination verification: because your reports go to the dmarcsimple.com domain rather than your own, receivers check for an authorization record on our side - DMARCsimple publishes this automatically for domains added in the dashboard, so make sure the domain in your DMARC record matches the one you added.

If the record is correct and 72 hours pass with no data on an active domain, contact support and we will trace it.

Legitimate Mail Failing Alignment

A sender you own shows SPF or DKIM passing but DMARC failing - that is an alignment problem:

  • SPF passes but does not align: the Return-Path domain differs from your From domain. Common with bounce subdomains and ESPs. Fix by configuring a custom Return-Path (bounce domain) on your domain, or rely on DKIM alignment instead.
  • DKIM passes but does not align: the signature d= domain is the vendor's, not yours. Enable custom DKIM (domain authentication) in the service so it signs as your domain.
  • Strict alignment set by accident: if your record contains aspf=s or adkim=s, subdomain senders like mail.example.com stop aligning. Remove the tags to return to relaxed mode.

Remember: DMARC needs only one of SPF or DKIM to pass with alignment. DKIM alignment is usually the easier and more durable fix.

Third-Party Senders

Marketing platforms, CRMs, helpdesks, and invoicing tools are the usual source of persistent failures:

  • Complete the domain authentication or sender verification flow in each tool - this typically gives you CNAME or TXT records to publish that enable DKIM signing with your domain
  • Add the service's include: to your SPF record if it sends from your Return-Path domain
  • Watch the 10-DNS-lookup SPF limit as includes accumulate - exceeding it makes SPF fail for everything
  • After changes, allow a day or two and confirm the source turns green in your dashboard

If a vendor cannot sign with your domain at all, weigh moving that mail stream to a subdomain you can control, or to a different provider, before tightening policy.

Forwarding and Mailing Lists

Some DMARC failures are structural rather than fixable:

  • Auto-forwarding breaks SPF: the forwarding server becomes the sending IP, which is not in your SPF record. DKIM usually survives forwarding because the signature travels with the message - one more reason DKIM matters.
  • Mailing lists can break DKIM too: lists that add footers or modify subject lines invalidate the body hash, failing both mechanisms.
  • What you will see: small volumes failing from university, ISP, or corporate servers you do not recognize - often recipients forwarding their own mail.

Expect a small, steady residue of forwarding failures forever. It is normal, affects a tiny fraction of mail, and should not stop you from reaching p=reject. Modern mailing list software rewrites the From header to avoid the problem.

Still Stuck?

If a problem persists after working through this guide:

  • Re-check the basics in Initial Setup - most issues trace back to the DNS record or a missing prerequisite
  • Use Reading Reports to isolate exactly which source and mechanism is failing
  • Hold your current policy level - never tighten p= while an unresolved failure affects legitimate mail

Our team can review your record, reports, and sender configuration directly - reach out through the support link on this page.

Related Articles

Need Help?

Contact our support team and we will dig into your configuration with you.

Contact Support