DNS / email · Check

DMARC missing — what it is, why it matters, and how to start

DMARC binds SPF/DKIM together with an alignment policy and tells mailbox providers what to do with messages that fail. Even a non-enforcing `p=none` policy with reporting (`rua=`) gives you visibility into who's sending mail in your name.

Real-world risk

Without DMARC, mailbox providers cannot align SPF/DKIM with your policy consistently; phishing using your brand is harder to block.

Fix steps (in order)

Add _dmarc.yourdomain TXT with v=DMARC1; p=none; rua=mailto:dmarc@yourdomain (then tighten p=quarantine or p=reject).
If the site hostname is a subdomain, DMARC may live on the parent domain—verify where mail for your brand is sent from.

Topic explainer

DMARC, SPF, and DKIM explained: the email authentication trio →

A practical guide to email authentication: what SPF, DKIM, and DMARC each do, why all three are needed, and how to roll out a DMARC policy that actually blocks spoofed mail.

Verify the fix in 30 seconds

Run a Scorifya scan on the affected host after deploy. The same finding id (dns_dmarc_missing) clears once the externally-observable signal is in place.

Run a free scan Methodology