Don't double up on DMARC

Here's a new oops that I've observed a few times recently! In case you didn't know already, you can't have two DMARC records for your domain name. (I'm not talking about subdomains ... I'm talking about specifically having two DMARC DNS records at the same level in DNS.)

If you look up your domain's DMARC record, using dmarcian's DMARC Inspector, or the Wombatmail tool, or any of the many fine tools out there, and you look up your domain name, and you see that domain has two DMARC records in DNS, that's a fail. Not a good thing. You don't want that. You can have only one.

Here's an example of a domain with a busted double DMARC record. I didn't even create that one special for you -- that was my own oops. So I'm going to leave it in place, to share with you all. See, it happens, even to people who already know how DMARC works.

OK, now what? Which one do you keep? The long answer gets complex, but the short version is: If you're using a DMARC service, keep the one that references them. For example, if you use OnDMARC from Red Sift, and you have two DMARC records - one mentions "" and one doesn't, keep the one that mentions "" If you're not using a DMARC provider then the question becomes, what policy do you want, and where do you want reports to go. If you don't know what to do about that, then check out DMARC, the quick and dirty way -- delete all existing DMARC records, and create a new one based on my guidance there.

(It's from an old taco commercial, if you're wondering.)

Post a Comment