Punicode domain — DMARC Management Bug

Having punicode domain, try to enable Email service and add DMARC policy. Even if _dmarc record is added in DNS section, DMARC Management section shows N/A status & emails Delivery Failed.

Steps to reproduce:

  1. Add punicode domain to Account
  2. Enable Email Routing
  3. Add Custom addresses
  4. Go to: DMARC Management
  5. See alert: There’s no default RUA found in your DMARC record. You may not receive reports with this configuration
  6. Hit the link: Fix record
  7. See default configuration & accept it clicking “Add” button
  8. Still see alert “There’s no default RUA found in your DMARC record” in DMARC Management section
  9. Send email to your address
  10. Catch Delivery Failed with message: Unknown error: permanent error (550): 5.7.1 [ 12] Our system has detected that this message is5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,5.7.1 this message has been blocked.

Proof of Concept: brizing .com/hlam/dmarc-bug.mov

How to send a bug to the developers?

Hi @ser.artuh can you confirm that the record is visible via a third-party DNS lookup tool? If it is, can you submit the bug here,

Yes, visible at nslookup io

I already sent report on HackerOne, they didn’t accept it because the bug doesn’t affect security

1 Like

How to send a bug to the developers?

1 Like

The link in the image has more details, but if you can share the steps to reproduce on an account ticket and share that ticket number here we’ll flag it for our colleagues. Go here to file an account ticket, https://dash.cloudflare.com/?to=/:account/support


Finally found how to create ticket 2928813.
Since I’m using a free tier, the ticket was automatically closed :slightly_frowning_face:


The question is relevant

@ser.artuh - I just hit the very same issue just now.

What cloudflare says:

What the record looks like:

The “fix” for this is to remove the quotes that wrap the DMARC record. I did this and the error went away immediately. Here’s what my record looks like now:

Obviously a bug in cloudflare itself, because the record that it complains about being incorrect is added by the wizard itself.

Just remove the " and yo’ure good.

I don’t have and never had quotes.
The problem is urgent.
The problem occurs only with domains with punycode.

I was able to repeat your case. If I delete the record and have it generated by the system, it is surrounded by quotes.
If this bugs anyone, please note this.
However, the bug from this topic has other problems — with or without quotes, the _dmarc record in punycode domain is not visible by the “DMARC Management” section.

I keep trying to reopen ticket 2928813, they keep generating some absurd autoresponder.
My God, finally accept the bug report :person_facepalming:

I don’t think it’s just a Punicode issue. I am having the same issue with the with my domains:

 % dig @ TXT _dmarc.dudas.win

; <<>> DiG 9.10.6 <<>> @ TXT _dmarc.dudas.win
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25158
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1232
;_dmarc.dudas.win.		IN	TXT

_dmarc.dudas.win.	300	IN	TXT	"v=DMARC1;  p=none; rua=mailto:[email protected]"

;; Query time: 56 msec
;; WHEN: Thu Sep 21 12:41:57 BST 2023
;; MSG SIZE  rcvd: 149

I get the same error as you and also on other domains. Not sure if the error is actually stopping functionality though.

With this setup i have error:

Message not delivered

There was a problem delivering your message to **********. See the technical details below, or try resending in a few minutes.

Such an error… This error occurs only with domains that have the banner “There’s no default RUA found in your DMARC record. You may not receive reports with this configuration. Fix record.” in the “DMARC Management” section.
In my case, only punicod domains, because in the rest of the domains I press the button “Fix record” and everything is configured.

I also see the Activity log. Delivery Failed because no dmarc rule is applied to the email being checked.

The ticket shows as open, I added myself to it in order to track and adjusted so that it would get routed to the correct team. I’ll keep an eye on it.


Hi @ser.artuh,


Ticket is being worked on with Engineering.
Real time update on Engineering Team:

On a more serious note, Support (I have it assigned to me atm) will update you when there is a resolution.

Thank you.