I have 2 DMARC records and I should only have one. Which one?

My emails aren’t being sent in GoHighLevel, and Nexcess believes it’s because I have 2 DMARC records in Cloudflare and there should only be one, but they were reluctant to tell me which one to remove. Here are my 2 DMARC records:
v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;

Is this the problem and if so which should I remove or what should I do to fix it?

Those two parts are under the “Name” column of the DNS record(s)?

If so, then yes, you have two DMARC records, but they are effective for two different (sub-)domains.

The first one would be for the whole domain, the second one would only be for the sub-domain email (and anything below).

If your setup with gohighlevel and/or nexcess, as you mention, isn’t configured well enough, then the Note from the above quote applies.

That shouldn’t prevent the messages from being sent though, but only from being received (at the destination).

In order to protect your domain properly from people (or organisations) spoofing messages to appear to be from your domain name, you NEED a REJECT policy.

Should you let go of any of the mentioned records, then I would let go of the second (_dmarc.email).

But that alone may not be the resolution to the issue you’re seeing, which would require much more information to dig into.


I deleted that dmarc but it didn’t fix the problem. I put it back. What other things can I try? Here’s the error message:
5.7.26 Unauthenticated email from ettamcushman.com is not accepted due to 5.7.26 domain’s DMARC policy. Please contact the administrator of 5.7.26 ettamcushman.com domain if this was a legitimate mail. To learn 5.7.26 about the DMARC initiative, go to 5.7.26 Control unauthenticated mail from your domain - Google Workspace Admin Help 10-20020a0562140d6a00b006a09243a2d6si5733649qvs.478 - gsmtp

Does this help you figure out what’s wrong?

I put it back wrong. It won’t let me put in the code the way it’s written, it wants a different code in the 2nd box so I just have the first dns record.

This one indicates, as mentioned in the Note in the above quote, that proper DKIM signing for the given domain name hasn’t been enabled on the provider the message was sent from.

Or, … alternatively, … that the DKIM signing isn’t done properly.

  1. Is the mentioned domain name in that error message yours?

  2. Do you have any TXT, NS or CNAME record(s) with a name containing “_domainkey”?
    If so, what are they?

  3. Did gohighlevel and/or nexcess give you any record(s) with a name containing “_domainkey” to add to your DNS?

  4. If the specific message wasn’t sent through gohighlevel or nexcess, did the provider you send it through give you any record(s) with a name containing “_domainkey” to add to your DNS?
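
The record lookup and strict alignment behaviour discussed in this thread, as an added example that is not part of the original posts: it models how a receiver picks between `_dmarc` and `_dmarc.email` and why a message signed by the sending platform's own domain is rejected under `adkim=s; aspf=s`. Assumptions: `example.com` and `mailer.example.net` are constructed stand-ins, the zone data is constructed, and the organizational domain is passed in by hand (real receivers derive it from the Public Suffix List).

```python
# Added example. DNS data below is constructed; example.com stands in for the poster's domain.
RECORD = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"
ZONE = {  # TXT record name -> list of TXT values
    "_dmarc.example.com": [RECORD],
    "_dmarc.email.example.com": [RECORD],
}

def parse_tags(txt):
    """Turn 'v=DMARC1; p=reject; ...' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def discover(from_domain, org_domain, zone):
    """RFC 7489 6.6.3: try _dmarc.<From domain>, then _dmarc.<organizational domain>.
    Returns (record name, tags); tags is None when no single usable record exists."""
    for domain in dict.fromkeys([from_domain, org_domain]):
        name = "_dmarc." + domain
        found = [r for r in zone.get(name, []) if r.strip().startswith("v=DMARC1")]
        if len(found) > 1:
            return name, None  # several records at ONE name: DMARC is not applied
        if found:
            return name, parse_tags(found[0])
    return None, None

def aligned(auth_domain, from_domain, org_domain, mode):
    """Strict ('s') needs an exact match with the From domain; relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain == from_domain
    return auth_domain == org_domain or auth_domain.endswith("." + org_domain)

def evaluate(from_domain, org_domain, zone, dkim_d=None, spf_domain=None):
    """dkim_d / spf_domain: domains that already PASSED DKIM / SPF, or None.
    Returns (record name used, 'pass' or the policy the receiver is asked to apply)."""
    name, tags = discover(from_domain, org_domain, zone)
    if tags is None:
        return name, "none"
    if (aligned(dkim_d, from_domain, org_domain, tags.get("adkim", "r"))
            or aligned(spf_domain, from_domain, org_domain, tags.get("aspf", "r"))):
        return name, "pass"
    # A record inherited from the organizational domain applies sp= to subdomains.
    inherited = from_domain != org_domain and name == "_dmarc." + org_domain
    policy = tags.get("sp", tags.get("p")) if inherited else tags.get("p")
    return name, policy
```

Calling `evaluate("example.com", "example.com", ZONE, dkim_d="mailer.example.net", spf_domain="mailer.example.net")` returns the `reject` policy, while the same call with `dkim_d="example.com"` returns `pass`.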
