Multiple DMARC Records

Having multiple DMARC records on your domain is a complete no-no, and here’s why! Implementing email authentication protocols like DMARC is essential to an organization’s reputation and data security, and to do that, domain owners need to publish a TXT record in their DNS. A question that often resurfaces in the community is: “Can I have multiple DMARC records on my domain?” The answer is no. Multiple DMARC records on the same domain invalidate your DMARC configuration, so the DMARC authentication policy set for your domain fails to function.

How is a DMARC Record Processed by MTAs?

A DMARC record published in your domain’s DNS looks something like this:

TXT  _dmarc.mydomain.com  v=DMARC1; p=reject; rua=mailto:[email protected]

When a domain that has DMARC configured sends an email, the receiving MTA queries the DNS of the sending domain and fetches all TXT records that begin with v=DMARC1. It may come across the following scenarios:

  1. It finds a single valid DMARC record in the DNS of the source domain and processes the email according to the DMARC policy specifications
  2. It finds no DMARC record for the sending domain, so DMARC processing ceases and the email is delivered without verifying the source
  3. It finds multiple DMARC records on the same domain, in which case DMARC processing is also discontinued and the published policy is not applied
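The three scenarios above can be checked before a receiver ever sees the record. The following is an added example, not code from this page or from any PowerDMARC tool: it takes the TXT strings returned for a domain's DMARC lookup and reports which scenario applies. The function names, status labels and sample records are assumptions constructed for illustration.

```python
# Added example: classify TXT answers the way the three scenarios describe.
# Sample records below are constructed; dmarc@example.com is a placeholder.
VALID_POLICIES = {"none", "quarantine", "reject"}

def dmarc_candidates(txt_records):
    """Keep only TXT strings whose first tag is v=DMARC1; discard the rest."""
    kept = []
    for rec in txt_records:
        first = rec.strip().split(";", 1)[0]
        name, _, value = first.partition("=")
        if name.strip() == "v" and value.strip() == "DMARC1":
            kept.append(rec.strip())
    return kept

def parse_tags(record):
    """Split 'tag=value; tag=value' pairs; raise ValueError on a tag with no '='."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def evaluate(txt_records):
    """Return (status, policy); status is ok, no_record, multiple_records or syntax_error."""
    found = dmarc_candidates(txt_records)
    if not found:
        return ("no_record", None)          # scenario 2
    if len(found) > 1:
        return ("multiple_records", None)   # scenario 3: policy is not applied
    try:
        tags = parse_tags(found[0])
    except ValueError:
        return ("syntax_error", None)
    # Strict lint chosen for this example: a missing or misspelled p= is an error.
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return ("syntax_error", None)
    return ("ok", tags["p"].lower())        # scenario 1

SINGLE = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]
DUPLICATE = SINGLE + ["v=DMARC1; p=none"]
UNRELATED = ["some-verification=abc123"] + SINGLE  # non-DMARC TXT is ignored

if __name__ == "__main__":
    for label, recs in [("single", SINGLE), ("duplicate", DUPLICATE), ("unrelated", UNRELATED)]:
        print(label, evaluate(recs))
```

Note that the duplicate case is reported even though one of the two records asks for p=reject: once more than one v=DMARC1 record is present, neither policy is used.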

Multiple DMARC Records: How to Fix It?

When you configure DMARC for your domain and set a policy, you want MTAs to respond to your emails in a way that aligns with your intentions. This is how DMARC can protect your domain against impersonation and spoofing. In order to help the configured protocol function effectively, we recommend the following steps:

  • Make sure you have not published multiple DMARC records for your domain
  • Make sure that your DMARC record does not contain syntax errors
  • Instead of manually generating your DMARC record, use reliable tools like our free DMARC record generator to do the job for you
  • Enable DMARC reports for your domain to monitor your email flow and authentication results from time to time, so that you can track delivery issues and take action against malicious sending sources
  • Make sure you stay under the SPF 10 lookup limit to avoid a permerror result

As an alternative to carrying out these steps yourself to implement DMARC correctly for your domain and avoid multiple DMARC records, you can simply sign up with our DMARC analyzer.

PowerDMARC handles most of the complexities in the background to automate your email authentication journey and help you mitigate any configuration errors that may cause issues in email deliverability.