Setting up DMARC is straightforward — but it’s surprisingly easy to trip up along the way. Here are the ten most common mistakes we see businesses make, and how to avoid each one.

❌ Mistake #1: Turning on full blocking before you know who’s sending email

This is the biggest one. If you skip straight to “block everything that fails” (p=reject) without first checking which services send email on your behalf, you’ll accidentally block real emails — from your marketing tools, your CRM, your invoicing system, and other services you’ve set up over the years.

✅ Fix: Always start in monitoring mode (p=none). Watch the reports for 2–4 weeks to see who’s sending as your domain, fix anything that’s failing, and then gradually move to blocking. See our policy guide.

❌ Mistake #2: Not setting up reports

Publishing a DMARC setting without a reporting address (the rua= part) is like installing a security camera but never looking at the footage. You won’t know who’s sending email as your domain, whether your legitimate emails are passing checks, or if someone is impersonating you.

✅ Fix: Always include a report address, like rua=mailto:address@example.com. Use our DMARC Record Generator to get a free reporting address.

❌ Mistake #3: Too many entries in your authorised sender list (SPF)

Your authorised sender list (SPF record) has a hard limit: it can only look up 10 services. Every include: you add (Mailchimp, Google, Microsoft, etc.) counts toward that limit. Go over 10 and the entire list breaks — all your email fails the SPF check, and DMARC fails too (unless your digital seal saves you).

✅ Fix: Check your SPF record with our Domain Checker. Remove services you no longer use, use direct IP addresses where possible, or spread senders across subdomains.

❌ Mistake #4: Forgetting to set up digital seals (DKIM)

Many businesses set up the authorised sender list (SPF) and DMARC, but skip the digital seal (DKIM). This is risky because your sender list breaks whenever an email gets forwarded — the digital seal is your backup. Without it, any forwarded email from your domain will fail DMARC.

✅ Fix: Turn on DKIM for every service that sends email as your domain. See our DKIM setup guide.

❌ Mistake #5: Leaving your subdomains unprotected

You might have your main domain locked down — but what about subdomains like billing.yourdomain.com or support.yourdomain.com? If you don’t explicitly protect them, attackers can send fake emails from anything.yourdomain.com and your DMARC settings won’t stop them.

✅ Fix: Add sp=reject to your DMARC record to automatically protect all subdomains. Or set up individual DMARC records for specific subdomains that send email.

❌ Mistake #6: Having more than one authorised sender list (SPF record)

Your domain can only have one SPF record. If you accidentally end up with two (for example, your web host added one and you created another), the system breaks and all SPF checks fail.

✅ Fix: Combine all your authorised senders into a single SPF record. Delete any duplicates.

❌ Mistake #7: Accidentally authorising everyone

Ending your SPF record with +all means “allow anyone in the world to send email as my domain” — which completely defeats the purpose. This sometimes happens when people copy a bad example or mistype the setting.

✅ Fix: Your SPF record should end with -all (“reject everyone else”) or, during setup, ~all (“soft-fail everyone else”). Never +all.
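The three SPF mistakes above (#3, #6 and #7) can be checked mechanically. The following is an added example, not code from this page or its tools. It assumes the TXT records have already been fetched into a dictionary (the `ZONE` data is constructed for illustration), and the function names are hypothetical.

```python
import re

LIMIT = 10  # max DNS-querying terms per SPF evaluation (RFC 7208)
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data for illustration; a real check would query DNS instead.
ZONE = {
    "busy.example": ["v=spf1 mx a include:mail.example include:crm.example "
                     "include:a.mail.example -all"],
    "mail.example": ["v=spf1 include:a.mail.example include:b.mail.example "
                     "include:c.mail.example ~all"],
    "a.mail.example": ["v=spf1 ip4:192.0.2.0/26 ~all"],
    "b.mail.example": ["v=spf1 ip4:192.0.2.64/26 ~all"],
    "c.mail.example": ["v=spf1 ip4:192.0.2.128/26 ~all"],
    "crm.example": ["v=spf1 a mx exists:%{i}.crm.example ~all"],
    "dup.example": ["v=spf1 ip4:203.0.113.5 -all",
                    "v=spf1 include:mail.example ~all"],
    "open.example": ["v=spf1 ip4:203.0.113.5 +all"],
    "ok.example": ["v=spf1 ip4:203.0.113.5 include:a.mail.example -all"],
}

def spf_records(name, zone):
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(name, zone, path=()):
    """Count DNS-querying terms, following include: and redirect= recursively."""
    recs = spf_records(name, zone)
    if name in path or len(recs) != 1:  # include loop, or nothing usable to follow
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term)
        if m and m.group(1) in QUERYING:
            total += 1  # the term itself costs one lookup
            if m.group(1) in ("include", "redirect") and m.group(2):
                total += count_lookups(m.group(2), zone, path + (name,))
    return total

def lint_spf(name, zone=ZONE):
    recs, issues = spf_records(name, zone), []
    if len(recs) > 1:
        issues.append("multiple SPF records")
    if any(t in ("+all", "all") for r in recs for t in r.lower().split()):
        issues.append("+all authorises every sender")
    lookups = count_lookups(name, zone)
    if lookups > LIMIT:
        issues.append(f"{lookups} DNS lookups (limit {LIMIT})")
    return issues
```

Note that `busy.example` lists only three include: entries itself, yet reaches 11 lookups because the lookups inside each included record count as well.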

❌ Mistake #8: Setting it up and never looking at it again

Your email setup changes over time. Someone signs up for a new marketing tool, someone else retires an old CRM, your email provider changes their servers. The DMARC settings that worked six months ago might not cover a tool your team added last week.

✅ Fix: Keep checking your DMARC reports — even after you’ve reached full protection. Review them at least monthly to catch new senders or unexpected failures.

❌ Mistake #9: Putting the DMARC record in the wrong place

Your DMARC record needs to live at a very specific spot in your domain’s settings (DNS): _dmarc.yourdomain.com. A common problem is that some DNS providers automatically add your domain name to whatever you type — so if you enter _dmarc.example.com as the hostname, it actually creates _dmarc.example.com.example.com, and nothing works.

✅ Fix: In most DNS providers, just enter _dmarc as the hostname — they’ll add your domain automatically. Use our Domain Checker to verify it’s in the right spot.

❌ Mistake #10: Not using DMARC at all

This is the most dangerous mistake of all. Without DMARC, anyone can send emails pretending to be your business. Your customers, suppliers, and staff are all potential targets for fake invoices, phishing attacks, and scams that appear to come from you. And if you send bulk email, Google and Yahoo now require DMARC.

✅ Fix: Generate a DMARC record right now. Even starting in monitoring mode (p=none) gives you visibility into who’s using your domain to send email.
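The record-level mistakes above (#2, #5, #9 and #10) can also be checked in a few lines. This is an added example, not code from this page or its tools. It assumes the TXT records are already available as a dictionary (the `TXT` data is constructed), and the function names are hypothetical.

```python
POLICIES = ("none", "quarantine", "reject")  # weakest to strongest

# Constructed TXT data keyed by full record name; a real check would query DNS.
TXT = {
    "_dmarc.good.example": ["v=DMARC1; p=reject; sp=reject; rua=mailto:reports@good.example"],
    "_dmarc.blind.example": ["v=DMARC1; p=quarantine"],
    "_dmarc.typo.example.typo.example": ["v=DMARC1; p=none; rua=mailto:r@typo.example"],
    "_dmarc.subs.example": ["v=DMARC1; p=reject; sp=none; rua=mailto:r@subs.example"],
}

def parse_tags(record):
    """Split 'k=v; k=v' into a dict with lower-cased tag names."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_dmarc(domain, txt=TXT):
    name = f"_dmarc.{domain}"
    records = [r for r in txt.get(name, []) if r.lower().startswith("v=dmarc1")]
    if not records:
        if f"{name}.{domain}" in txt:  # provider appended the domain a second time
            return [f"record is at {name}.{domain}, expected {name}"]
        return ["no DMARC record"]
    tags = parse_tags(records[0])
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        issues.append("missing or invalid p=")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        issues.append("no rua= reporting address")
    elif not all(u.lower().startswith("mailto:") for u in uris):
        issues.append("rua= entry is not a mailto: address")
    # Subdomains without their own record use sp= when present, else p= (RFC 7489).
    sp = tags.get("sp", policy).lower()
    if sp in POLICIES and policy in POLICIES and POLICIES.index(sp) < POLICIES.index(policy):
        issues.append(f"sp={sp} is weaker than p={policy}")
    return issues
```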
