RedScore.ai

DNS & Domain Security · Updated 2026-05-02

DMARC Record Check

Informational DMARC presence check (weight 0 in DNS). For the scored DMARC check, see DMARC Policy Enforcement in Email Security.

This is the DNS-category DMARC check and it is informational only: it surfaces whether a v=DMARC1 TXT record exists at _dmarc.yourdomain.tld but does not affect your score (weight 0 in DNS, despite the methodology table listing 15). The scored version of DMARC lives in Email Security as DMARC Policy Enforcement, which evaluates the policy strength (p=reject, p=quarantine, p=none) and gates on whether your domain receives mail. Treat this DNS row as an audit signal; for remediation, follow DMARC Policy Enforcement.

How the check works

The check queries TXT records at _dmarc.yourdomain.tld and looks for any record starting with v=DMARC1. If one is found, it parses out the p= policy. Verdicts:

  • Pass (low): v=DMARC1 record found with p=reject or p=quarantine.
  • Warn (medium): v=DMARC1 record found with p=none.
  • Fail (high): no v=DMARC1 record at _dmarc.yourdomain.tld.

All three verdicts are informational. The DNS category does not deduct points based on this row; the same finding is scored under DMARC Policy Enforcement in Email Security where the policy strength matters and the check is gated on having a non-null MX.
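
The verdict logic described above, as an added example that is not RedScore's own code: it classifies answer lines in the form dig +short TXT prints them, offline. The function names and sample records are constructed for illustration, and the handling of a record with no valid p= is an assumption.

```python
import re

# Verdict labels as listed on this page.
PASS, WARN, FAIL = "Pass (low)", "Warn (medium)", "Fail (high)"

# Constructed sample answers, in the form `dig +short TXT` prints them.
SAMPLES = {
    "enforcing": ['"v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"'],
    "split": ['"v=DMARC1; p=quar" "antine; rua=mailto:dmarc@yourdomain.tld"'],
    "monitoring": ['"v=spf1 -all"', '"v=DMARC1; p=none"'],
    "no_dmarc": ['"v=spf1 -all"'],
}


def join_txt_chunks(dig_line):
    """Join the quoted chunks of one answer line; long TXT records are
    returned as several "..." "..." strings that concatenate directly."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_line)
    return "".join(chunks) if chunks else dig_line.strip()


def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict with lowercased tag names."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def dmarc_verdict(dig_lines):
    """Return (verdict, policy) for the TXT answers at _dmarc.<domain>."""
    for line in dig_lines:
        record = join_txt_chunks(line)
        # Only a record that starts with the version tag counts; other TXT
        # data at the same name (SPF, verification tokens) is skipped.
        if not re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", record):
            continue
        policy = parse_tags(record).get("p", "").lower()
        if policy in ("reject", "quarantine"):
            return PASS, policy
        # Assumption: a missing or unrecognised p= is reported like p=none,
        # since it enforces nothing; the page does not define this case.
        return WARN, policy or None
    return FAIL, None


if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        print(name, dmarc_verdict(lines))
```
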

What to do

Use this row to audit, not to score. Two cases:

  • If your domain sends mail and you see Fail or Warn here: jump to the DMARC Policy Enforcement fix in Email Security for the actual scored remediation. The phased rollout (publish at p=none with rua= reporting, audit, ramp to p=quarantine, then p=reject) lives in that guide. This DNS row will pass naturally once Email Security passes.
  • If your domain does not send mail and you see Fail here: the DNS row will keep showing Fail, but it does not affect score. Email Security marks DMARC as not-applicable when there is no non-null MX. You can publish a strict DMARC anyway (see below) to lock down attempted spoofing of an explicitly non-mail domain.

Optional: strict DMARC for non-mail domains

If your domain genuinely does not send mail, publish a hard DMARC alongside your null MX (see MX Presence & Hygiene) and deny-all SPF (see DNS SPF Record Check). All three together explicitly declare the domain neither sends nor receives mail, and any spoofed mail "from" the domain should be rejected:

Strict DMARC for a non-mail domain

_dmarc.yourdomain.tld.   IN  TXT  "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.tld; adkim=s; aspf=s"

Even on a non-mail domain, set rua= so you see attempted spoofing. Forwarders, mailing lists, and phishing campaigns do try to forge mail from non-mail domains; aggregate reports show you who.

Verify

  • dig +short TXT _dmarc.yourdomain.tld @1.1.1.1 should show the record (or no DMARC answer if you do not publish one).
  • Re-run the RedScore lookup. The DNS row reflects the latest record; remember it does not affect score either way.

For the actionable scored DMARC checks (policy enforcement, subdomain policy, reporting, phased rollout), see DMARC Policy Enforcement, DMARC Subdomain Policy, and DMARC Reporting in Email Security.
