DMARC change does not propagate after change

OOPS! In writing this post I found my error!! I’m leaving the post in case someone else can benefit from my mistake and correction.

If you read below, you’ll see I had both the DKIM and DMARC records with NAME: default._domainkey. The DMARC record should be NAME: _dmarc.

Once I made the correction the DMARC propagated instantly.

________________________________-

For the past months I’ve had problems with my emails going into spam boxes and causing quite a lot of problems.

I added a DMARC and CNAME record to Cloudflare weeks ago and tested. The record propagated fairly quickly. I checked with MXToolbox.com, dmarcian.com, and other tools. I also checked the email status by sending an email to Gmail and checking the status and headers.

All looked OK, except all tests show the same warning, like this one from Dmarcian.

[domain name replaced with x’s in the following]

Your domain has a valid DMARC record but the DMARC policy does not prevent abuse of your domain by phishers and spammers.

Details

v=DMARC1; p=none; fo=1; rua=mailto:[email protected]; ruf=mailto:[email protected];

After a week I changed the DMARC record on Cloudflare to p=reject from p=none.

All the tests still show the old record with p=none after more than 3 weeks!

The current records added on Cloudflare:

_dmarc.xxxxxx.com is an alias of xxxxxx.com.hosted.dmarc-report.com.
Type: CNAME
Name: _dmarc
Target: xxxxxx.com.hosted.dmarc-report.com
TTL: Auto
Proxy status: DNS Only

default._domainkey.xxxxxx.com has a record with content v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]; ri=3600; fo=1.
Type: TXT
Name: default._domainkey 😡 (Here was my error, should be _dmarc)
Content: v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]; ri=3600; fo=1
TTL: Auto
DNS Only

What have I done wrong? Is there something I should do to get the updated DMARC into play?

It looks like you are mixing up DKIM and DMARC.

DMARC policies should be at _dmarc.example.com. Records under _domainkey should contain DKIM keys (or CNAME to a service provider who manages the DKIM keys).

In this case, you are pointing your DMARC to a service provider, so you need to change the policy with whoever manages xxxxxx.com.hosted.dmarc-report.com.

Thanks @michael

I was in the midst of editing my post as I found the problem myself once I prepared the post! I swear, I’d looked at it so much it wasn’t until I was checking the post that I saw my mistake. The original DMARC was OK, but when I updated I had changed the NAME to the DKIM record name. Once I fixed the DMARC with the proper name, the problem was solved.

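The mix-up discussed in this thread can be caught by linting a zone export before publishing it. The following is an added example, not part of the original posts; the function names, the `example.com` domain, the `provider.example` target and the sample records are all constructed for illustration.

```python
# Added example: lint zone records for DMARC/DKIM content published under the wrong name.
# Records are (name, type, content) tuples; all sample data below is constructed.

def parse_tags(txt):
    """Split 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def lint_zone(records, domain):
    """Return findings for misplaced or ineffective DMARC/DKIM records."""
    findings = []
    dmarc_name = f"_dmarc.{domain}".lower()
    seen_dmarc_name = False
    for name, rtype, content in records:
        name = name.rstrip(".").lower()
        tags = parse_tags(content) if rtype == "TXT" else {}
        version = tags.get("v", "").upper()
        if name == dmarc_name:
            seen_dmarc_name = True
        if version == "DMARC1" and name != dmarc_name:
            # The error from the thread: a DMARC policy stored under the DKIM name.
            findings.append(f"{name}: DMARC policy is ignored here; publish it at {dmarc_name}")
        elif version == "DKIM1" and "._domainkey." not in name:
            findings.append(f"{name}: DKIM key belongs at <selector>._domainkey.{domain}")
        elif version == "DMARC1" and tags.get("p", "").lower() == "none":
            findings.append(f"{name}: p=none only monitors; it does not block spoofed mail")
        elif rtype == "CNAME" and name == dmarc_name:
            # Policy text lives at the CNAME target, so edits must be made there.
            findings.append(f"{name}: policy is served by {content}; change it at that provider")
    if not seen_dmarc_name:
        findings.append(f"{dmarc_name}: no DMARC record published")
    return findings

# Constructed records mirroring the situation in the thread.
SAMPLE_ZONE = [
    ("_dmarc.example.com", "CNAME", "example.com.hosted.provider.example"),
    ("default._domainkey.example.com", "TXT", "v=DMARC1; p=reject; sp=none; pct=100; fo=1"),
]

if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_ZONE, "example.com"):
        print(finding)
```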