Suped

DMARC issues

All DMARC issue types detected by Suped, what they mean, why they matter, and how to fix them.

Suped detects the following DMARC-related issues on your domains.

Missing DMARC record

Issue code: dmarcMissing

What it means: No DMARC record was found at _dmarc.yourdomain.com.

Why it matters: Without a DMARC record, ISPs have no policy for handling unauthenticated email sent from your domain. Anyone can spoof your domain and receivers won't know to reject or quarantine those messages.

How to fix it: Add a DMARC TXT record at _dmarc.yourdomain.com. You can create one manually or use Suped's hosted DMARC to manage it from the dashboard.

Invalid DMARC record

Issue code: dmarcInvalid

What it means: Your DMARC record exists but has syntax errors that prevent it from being parsed correctly.

Why it matters: An invalid DMARC record is treated the same as no record at all. Receivers will ignore it, leaving your domain unprotected.

How to fix it: Common causes include missing semicolons between tags, invalid tag values, and typos in policy values (e.g. p=Non instead of p=none). Check your record against the DMARC specification or use Suped's DMARC record generator to create a valid one.

Multiple DMARC records

Issue code: dmarcMultiple

What it means: More than one DMARC TXT record was found at _dmarc.yourdomain.com.

Why it matters: The DMARC specification requires exactly one record. When multiple records exist, the result is undefined - some receivers may pick one at random, others may ignore both.

How to fix it: Remove the duplicate records from your DNS and keep only one valid DMARC record.

Weak DMARC policy

Issue code: dmarcWeakPolicy

What it means: Your DMARC policy is set to p=none, which tells receivers to deliver unauthenticated emails normally.

Why it matters: A p=none policy provides monitoring only - you'll receive reports, but spoofed emails are still delivered to recipients. Your domain remains vulnerable to impersonation.

How to fix it: Once you've verified that all your legitimate sending sources pass SPF and/or DKIM authentication, gradually move to a stricter policy:

  1. Start with p=quarantine to send unauthenticated emails to spam
  2. Move to p=reject to block unauthenticated emails entirely

If you're using hosted DMARC, you can adjust the policy percentage to roll out changes gradually.

Suped reporting address missing

Issue code: dmarcNoSupedReporting

What it means: Suped's reporting address isn't included in your DMARC record's rua tag.

Why it matters: Without Suped's address in the rua tag, Suped can't receive DMARC aggregate reports for your domain. This means no visibility into who's sending email as your domain and whether authentication is passing.

How to fix it: Add Suped's reporting address to your rua tag. The exact address is shown in your Suped dashboard. If you use hosted DMARC, this is handled automatically.

Bad failure options

Issue code: dmarcBadFo

What it means: The fo (failure options) tag in your DMARC record has an incorrect or suboptimal value.

Why it matters: The fo tag controls when forensic/failure reports are generated. An incorrect value can mean you miss important failure data.

How to fix it: Set fo=1 in your DMARC record. This tells receivers to generate a report when any authentication mechanism (SPF or DKIM) fails, which gives you the most visibility into authentication problems.

Product
DMARC monitoring
Hosted DMARC
Hosted SPF
Hosted MTA-STS
SPF flattening
Blocklist monitoring
MSP
Pricing
Tools
DMARC record generator
Blocklist checker
Domain health checker
DMARC checker
Email tester
Resources
Docs
Customers
Blog
Guides
Knowledge base
Company
About
Trust and security

Suped

Privacy policy
Terms of service
© 2026 Suped Pty Ltd
LinkedInX