How to fix DMARC issues

The exact DNS records to add to resolve DMARC, SPF, and DKIM findings.

If NoDowntimeShield has flagged a DMARC, SPF, or DKIM finding, this guide walks you through the exact DNS records to add.

Fixing "DMARC record missing"

Add the following TXT record to your DNS:

  • Name / Host: _dmarc
  • Type: TXT
  • Value: v=DMARC1; p=quarantine; rua=mailto:[email protected]

Replace yourdomain.com with your actual domain. Start with p=quarantine — after two weeks of aggregate reports, tighten to p=reject.

Fixing "DMARC policy is p=none"

You have a DMARC record, but it isn't enforcing anything. Change the policy from p=none to p=quarantine:

Before:

v=DMARC1; p=none; rua=mailto:[email protected]

After:

v=DMARC1; p=quarantine; rua=mailto:[email protected]

Fixing "SPF record missing"

Add the following TXT record on the apex domain (not _dmarc, not _spf — just the bare domain):

  • Name / Host: @ (or leave empty depending on your provider)
  • Type: TXT
  • Value: v=spf1 include:_spf.google.com ~all

Replace include:_spf.google.com with the include directive for your email provider:

| Provider | Include |
|----------|---------|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| SendGrid | include:sendgrid.net |
| Mailchimp | include:servers.mcsv.net |
| HubSpot | include:mail.hubspot.com |

Keep ~all (soft fail) until DMARC reports confirm nothing legitimate is being dropped, then harden to -all (hard fail).

Fixing "DKIM not configured"

DKIM setup starts in your email provider's admin panel, not in DNS: the provider generates the key, and you then publish the record it gives you.

  1. In your email provider (Google, Microsoft, SendGrid), generate a DKIM key — this produces a selector name and a public key.
  2. Add the resulting CNAME or TXT record(s) to DNS exactly as the provider instructs.
  3. Wait up to 24 hours for propagation.
  4. Rescan in NoDowntimeShield — the DKIM finding should clear.

After fixing

After adding records, wait 5–10 minutes for DNS propagation, then trigger a manual scan from your NoDowntimeShield dashboard. The finding should clear within one scan cycle.
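
To sanity-check the TXT values before publishing them or triggering a rescan, the sketch below parses DMARC and SPF strings and reports the conditions this guide covers, plus duplicate records, which make receivers ignore or error on the policy. It is an added example, not NoDowntimeShield's code or scan logic; the function names and sample records are constructed for illustration.

```python
# Added example: offline check of the TXT values this guide asks you to publish.
# Function names and sample records are constructed for illustration.

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT value, or None if it is not DMARC1."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must come first
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt_records):
    """txt_records: TXT strings published at _dmarc.<domain>."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not parsed:
        return "DMARC record missing"
    if len(parsed) > 1:
        return "multiple DMARC records"  # receivers then apply no policy
    policy = parsed[0].get("p", "").lower()
    if policy == "none":
        return "DMARC policy is p=none"
    if policy not in ("quarantine", "reject"):
        return "DMARC p tag missing or invalid"
    return "ok (p=%s)" % policy

def check_spf(txt_records):
    """txt_records: TXT strings published at the apex domain."""
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "SPF record missing"
    if len(spf) > 1:
        return "multiple SPF records"  # evaluates to a permanent error
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        return "SPF has no all mechanism"
    # Evaluation is left to right, so the first "all" term decides the result.
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    return {"-": "ok (hard fail)", "~": "ok (soft fail)"}.get(
        qualifier, "SPF all does not fail unknown senders")

if __name__ == "__main__":
    # Constructed sample: the apex also carries an unrelated verification TXT.
    apex = ["site-verification=constructed", "v=spf1 include:_spf.google.com ~all"]
    print(check_spf(apex))
    print(check_dmarc(["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"]))
```

Feed it the strings returned by a TXT lookup of the apex domain and of _dmarc.<domain> once the records have propagated.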