DMARC (Domain-based Message Authentication, Reporting & Conformance) tells inbox providers what to do when emails fail authentication checks. This article explains what a DMARC record is, how to find the one SendX provides, and how to add it to your DNS.
When you'll need this
Read this article if you're authenticating a domain in SendX and don't have an existing DMARC record, you want to understand what DMARC does before adding it, inbox providers are rejecting your emails due to missing DMARC, or you need to comply with Gmail and Yahoo's authentication requirements.
What DMARC does
DMARC builds on SPF and DKIM to give you control over what happens when authentication fails. When an inbox provider receives an email claiming to be from your domain, it:
Checks if the email passes SPF and/or DKIM
Looks up your DMARC record to see your policy
Follows your instructions: deliver, quarantine, or reject
Without DMARC, inbox providers make their own decisions about unauthenticated emails. With DMARC, you're in control.
DMARC also enables reporting. Inbox providers can send you reports showing who's sending email using your domain, helping you identify unauthorized senders or configuration problems.
What the SendX DMARC record looks like
SendX provides a simple DMARC record with a monitoring-only policy:
Host/Name: _dmarc.yourdomain.com
Type: TXT
Value: v=DMARC1; p=none;
This is a safe starting point that tells inbox providers to deliver emails normally while you monitor authentication results.
Do you already have a DMARC record?
Before adding a new DMARC record, check if you already have one. You can only have one DMARC record per domain.
Check using MXToolbox:
Enter your domain
If a record appears, you already have DMARC configured
Check using your DNS provider:
Log in to your DNS provider
Look for a TXT record with the host
_dmarcIf it exists, you already have DMARC
If you already have a DMARC record, skip adding a new one. SendX will detect and work with your existing policy. Just make sure your other records (sp-dkim._domainkey, sp-bounce, sp-track) are added.
Finding the DMARC record in SendX
After adding your domain in SendX, you'll see four DNS records displayed. The DMARC record is the last one listed.
Click the copy icon next to the _dmarc record to copy it to your clipboard.
The record includes two parts:
Record Name: _dmarc (this goes in the Host or Name field)
Value: v=DMARC1; p=none;
Adding the DMARC record to your DNS
The exact steps depend on your DNS provider. Here's the general process:
Step 1: Log in to your DNS provider
Go to your domain registrar or DNS host (GoDaddy, Cloudflare, Namecheap, etc.) and log in.
Step 2: Find DNS management
Look for "DNS Settings," "DNS Management," "DNS Records," or similar. This is usually under domain settings.
Step 3: Add a new TXT record
Click "Add Record" or "Create Record" and select TXT as the record type.
Step 4: Enter the record details
Host/Name field:
Enter the host value from SendX. Depending on your provider, you may need to enter:
Just
_dmarc(most providers automatically append your domain)_dmarc.yourdomain.com(some providers require the full domain)_dmarc.yourdomain.com.(with trailing dot for some providers)
Value/Content field:
Paste the value: v=DMARC1; p=none;
TTL (Time to Live):
Use the default, or set to 3600 (1 hour) if required.
Step 5: Save the record
Click Save, Add, or Create to save your new record.
Understanding DMARC policies
The p= tag in your DMARC record tells inbox providers what to do with emails that fail authentication. SendX provides a p=none policy by default, which is the safest starting point.
Policy | What happens | When to use |
p=none | Emails are delivered normally. You receive reports only. | Start here. Monitor before enforcing. |
p=quarantine | Failed emails go to spam folder. | After confirming all legitimate senders pass authentication. |
p=reject | Failed emails are blocked entirely. | Maximum protection, but only after thorough testing. |
Starting with p=none is recommended. This lets you see who's sending email as your domain without risking delivery problems. Once you've verified all your legitimate email sources pass authentication, you can move to stricter policies.
Verifying your DMARC record
After adding the record, return to SendX and verify it's working.
Click the three-dot menu next to your domain and select "Recheck Status."
If DMARC shows as verified, you're done.
What if DMARC shows "failed" but other records are verified?
This is normal if you already have a DMARC record on your domain. SendX detects your existing policy and shows a message indicating your current DMARC configuration.
This isn't a problem. As long as the other records (sp-dkim._domainkey, sp-bounce, sp-track) are verified and you have a DMARC record (either yours or the one from SendX), your emails will authenticate properly.
DMARC reporting
DMARC reports help you understand who's sending email using your domain. There are two types:
Aggregate reports (rua)
Daily summaries showing:
How many emails were sent using your domain
Which IP addresses sent them
Whether they passed or failed authentication
What actions inbox providers took
Forensic reports (ruf)
Real-time reports for individual failed emails. These contain more detail but aren't supported by all inbox providers.
To receive reports, your DMARC record needs a rua= tag with an email address. For example:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
The SendX default record (v=DMARC1; p=none;) doesn't include reporting. If you want to receive DMARC reports, you can modify the record or use a dedicated DMARC monitoring service.
The reports are XML files that can be difficult to read directly. Consider using a DMARC reporting service like DMARC Analyzer, Valimail, or EasyDMARC to parse and visualize them.
Common DMARC mistakes
Adding a second DMARC record
You can only have one DMARC record per domain. If you already have one, don't add another. Having two DMARC records can cause authentication to fail entirely.
Using the wrong host name
The host must be _dmarc (with the underscore). Common mistakes include forgetting the underscore or using dmarc without it.
Starting with p=reject
Jumping straight to a reject policy can block legitimate emails if any of your sending services aren't properly authenticated. Always start with p=none and monitor before enforcing.
Forgetting subdomains
By default, DMARC policies apply to the root domain and subdomains. If you want different handling for subdomains, use the sp= tag. For example: v=DMARC1; p=reject; sp=none applies reject to the root domain but none to subdomains.
Checking your DMARC record externally
You can verify your DMARC record is publicly visible using free online tools:
MXToolbox DMARC Lookup
Enter your domain to see your current DMARC policy.
DMARC Analyzer
Validates your DMARC record syntax and explains each tag.
Google Admin Toolbox
Checks multiple DNS records including DMARC.
Troubleshooting
DMARC not verifying after 48 hours
Use an external tool (MXToolbox) to check if the record is publicly visible
Verify the host is exactly
_dmarc(with underscore)Check that you only have one DMARC record
Confirm the value starts with
v=DMARC1
"Multiple DMARC records found" error
You have more than one DMARC record. Remove the duplicate. Check both the root domain and any subdomains.
Reports not arriving
Verify the
rua=tag has the correct email addressCheck your spam folder
Wait 24-48 hours (aggregate reports are sent daily)
Make sure the email address can receive external mail
Emails still going to spam despite DMARC
DMARC alone doesn't guarantee inbox placement. It's one factor among many. Also check:
Your other SendX records are verified (sp-dkim._domainkey, sp-bounce, sp-track)
Your sending reputation is healthy
Your content isn't triggering spam filters
You're following inbox provider guidelines
Common questions
Do I need DMARC if I already have DKIM?
Yes. Gmail, Yahoo, and other major inbox providers now require DMARC for bulk senders. Even if your emails pass DKIM, you need a DMARC record to meet current authentication requirements.
What policy should I use?
Start with p=none. This lets you receive reports without affecting delivery. After monitoring for a few weeks and confirming all legitimate senders pass authentication, consider moving to p=quarantine and eventually p=reject.
Will DMARC affect my other email services?
DMARC applies to all email sent using your domain. Make sure all services (marketing tools, CRM, transactional email, corporate email) are properly authenticated before moving to enforcing policies.
Can I have different DMARC policies for subdomains?
Yes. Use the sp= tag to set a subdomain policy different from your root domain. For example: v=DMARC1; p=reject; sp=quarantine
How long does DMARC take to propagate?
Like other DNS records, DMARC can take up to 48 hours to propagate, though most changes appear within a few hours.
I already have a DMARC record. Should I replace it with SendX's?
No. Keep your existing DMARC record. SendX will work with whatever policy you have in place. Only add the SendX DMARC record if you don't have one at all.