Skip to main content
All website issues
Technical Health

No protection against email impersonation (no DMARC)

What this means for your business

Your domain has no DMARC record — the rule that tells Gmail and Outlook what to do with email that fails authentication. Without it, scammers can send convincing phishing email that appears to come from your domain to your own customers, and your legitimate email is more likely to land in spam.

How to fix it
Medium
30–60 minutes

  1. 1Make sure SPF is in place first — DMARC builds on top of SPF (and ideally DKIM), so set those up before tightening DMARC.
  2. 2In your domain's DNS settings, add a new "TXT" record with the name/host "_dmarc" (so it lives at _dmarc.yourdomain.com).
  3. 3Set the value to start in monitor mode: "v=DMARC1; p=none; rua=mailto:you@yourdomain.com" — replace the address with a mailbox you check.
  4. 4Leave it on "p=none" for a couple of weeks and review the aggregate reports that arrive at the rua address to confirm your real mail passes.
  5. 5Once legitimate mail is passing, tighten the policy to "p=quarantine" (sends spoofed mail to spam) and later "p=reject" (blocks it outright).
  6. 6Re-run the scan after each change to confirm the record is detected and the policy is recognized.

On WordPress

DMARC is a DNS record, not a WordPress setting — add it at your registrar or host. If reading raw DMARC reports is overwhelming, a free tier of a tool like Postmark's DMARC Digests or dmarcian turns them into a plain-English weekly summary.

On Shopify

Add the _dmarc TXT record at whatever service manages your domain's DNS. If your domain is registered through Shopify, add it in Settings → Domains → your domain → DNS settings.

Pro tip: Always start at "p=none" and watch the reports before enforcing. Jumping straight to "p=reject" before confirming your real senders pass can cause your own legitimate email — invoices, password resets, newsletters — to silently bounce.

Does your site have this problem?

SiteSprout scans your site, tells you which issues you actually have in plain English, and keeps watch so nothing breaks silently.

Scan your site free