SEOLZ

Missing dmarc

Quick win

Add a DMARC DNS TXT record at _dmarc.yourdomain.com to protect your domain from email spoofing and phishing.

What it is

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a free email authentication standard you publish as a DNS record. It tells the world's email providers — Gmail, Outlook, Yahoo, and others — what to do when someone sends an email that pretends to be from your domain but fails authentication checks. Without a DMARC record, anyone can forge your store's "From" address and send convincing phishing or spam emails that appear to come from you. The record lives at a specific DNS address (_dmarc.yourdomain.com) and takes effect within 24–48 hours of being added.

Why it matters

Without DMARC, criminals can send emails that look exactly like they came from your store — order confirmations, password resets, or fake promotions — tricking your customers into handing over payment details or passwords. This directly damages customer trust, can result in your domain being blacklisted by mail providers (destroying your legitimate email deliverability), and exposes you to legal and reputational liability under consumer-protection and data-privacy laws. OWASP classifies this as a Security Misconfiguration (A05:2021) — one of the most common and impactful categories of web security failures. Fixing it is free and takes under 30 minutes yet closes a major attack vector immediately.

How to fix it

  1. Confirm your current state: search your DNS zone for an existing TXT record at _dmarc.yourdomain.com using a free lookup tool (e.g. MXToolbox DMARC lookup) to make sure no record already exists.
  2. Set up a DMARC reporting mailbox: create or designate an email address (e.g. dmarc@yourdomain.com) that will receive aggregate reports from mail providers — this lets you monitor who is sending email on your behalf.
  3. Start with a monitoring-only policy: add a DNS TXT record at the hostname _dmarc.yourdomain.com with the value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com — this collects reports without blocking any mail, so you can see the landscape before enforcing.
  4. Review the reports for 2–4 weeks: open the XML reports (or use a free DMARC reporting service like Postmark's DMARC Digests or Google Postmaster Tools) to identify all legitimate mail streams sending on your behalf (e-commerce platform, ESP, helpdesk, etc.).
  5. Ensure all legitimate senders pass SPF and/or DKIM: work through each sending service identified in the reports and configure SPF/DKIM for each one so they authenticate correctly before you tighten the policy.
  6. Escalate to enforcement: once legitimate mail is passing cleanly, update the policy value from p=none to p=quarantine (sends failures to spam) and eventually p=reject (blocks failures outright), e.g.: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
; DNS TXT record — hostname: _dmarc.yourdomain.com
; Phase 1 – monitoring only (safe starting point)
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

; Phase 2 – enforcement (after confirming all legitimate mail passes)
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

; Phase 3 – strictest (recommended long-term goal)
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100

Fix it on your platform

Pick your platform for the exact steps.

How to fix missing dmarc on Shopify
  1. DMARC is a DNS record — it is NOT managed inside the Shopify admin itself. You manage it at whichever domain registrar or DNS host controls your domain (e.g. GoDaddy, Namecheap, Cloudflare, Google Domains).
  2. In your Shopify admin, go to Settings → Domains to see which domain you are using and confirm where it is managed (Shopify-managed vs. third-party).
  3. If Shopify manages your DNS: go to Settings → Domains → click your domain → click 'DNS Settings'. Scroll to the 'TXT Records' section and click 'Add record'. Set Host/Name to '_dmarc' and Value to your DMARC policy string (e.g. v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com).
  4. If DNS is managed externally (e.g. Cloudflare, GoDaddy): log into that provider's DNS dashboard, add a new TXT record, set the Name/Host to '_dmarc' (or '_dmarc.yourdomain.com' depending on the interface), and paste the DMARC value.
  5. Also ensure Shopify's outbound email is covered: in Settings → Notifications → Sender email, verify your sending domain and follow Shopify's guide to authenticate it with SPF and DKIM so those emails pass DMARC alignment.
Full Shopify guide →Official Shopify docs ↗
How to fix missing dmarc on Shopify Plus
  1. Same DNS process as Shopify above — DMARC is a DNS-level record independent of Shopify Plus features.
  2. Shopify Plus merchants often use custom transactional email platforms (Klaviyo, Bronto, etc.): before enforcing DMARC, check each sending platform's documentation to ensure SPF and DKIM are configured for your domain in that platform.
  3. If you use Shopify's built-in email (Shopify Email): authenticate your sender domain under Settings → Email Marketing → Sender Domain and follow the SPF/DKIM setup steps so Shopify Email passes DMARC alignment before you set p=reject.
Full Shopify Plus guide →Official Shopify Plus docs ↗
How to fix missing dmarc on WooCommerce
  1. WooCommerce runs on WordPress hosted on your own server — DNS is managed at your domain registrar or hosting provider (e.g. GoDaddy, Namecheap, SiteGround, WP Engine, Cloudflare).
  2. Log into your domain registrar or DNS provider's control panel. Navigate to DNS Management / DNS Zone Editor.
  3. Add a new TXT record: Name/Host = '_dmarc', TTL = 3600 (or default), Value = v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
  4. WooCommerce stores typically send email via WordPress (wp_mail using PHPMailer) or a plugin like WP Mail SMTP. In your WordPress admin, go to the WP Mail SMTP plugin → Settings and ensure you are sending via an authenticated SMTP provider (e.g. SendGrid, Mailgun, Amazon SES) with SPF and DKIM set up for your domain — this is required for DMARC alignment.
  5. Install a free plugin like 'Check Email' (WP Mail SMTP) to send a test email and verify headers show DKIM and SPF passing before escalating DMARC to p=quarantine or p=reject.
Full WooCommerce guide →Official WooCommerce docs ↗
How to fix missing dmarc on BigCommerce
  1. BigCommerce does not manage DNS directly. Go to your BigCommerce control panel → Store Setup → Domain Names to confirm whether your domain DNS is managed by BigCommerce (via Fastly/Cloudflare) or your own registrar.
  2. If DNS is managed externally: log into your registrar's DNS dashboard, add a TXT record with Name = '_dmarc' and Value = v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
  3. BigCommerce sends transactional emails on your behalf. Navigate to Store Setup → Email Templates to review your sender address, then follow BigCommerce's Help Center guide for 'Email DNS Authentication' to add the SPF and DKIM records BigCommerce provides — these must pass before you enforce DMARC.
  4. If you use a third-party ESP (Klaviyo, Mailchimp, etc.) connected via BigCommerce apps, configure SPF/DKIM in that ESP for your domain as well.
Full BigCommerce guide →Official BigCommerce docs ↗
How to fix missing dmarc on Wix
  1. In your Wix dashboard, click on your site name at the top, then go to Settings → Domains.
  2. If your domain is managed by Wix (purchased through Wix): click 'Manage' next to your domain → Advanced → DNS Records. Click '+ Add Record', choose type TXT, set Host to '_dmarc', and Value to v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. Save.
  3. If your domain is managed externally: log in to your external DNS provider and add the TXT record there.
  4. Wix sends site emails (form submissions, notifications) through Wix infrastructure. To ensure they pass DMARC, go to Settings → Email Marketing or check Wix's help docs on 'Email Authentication' to enable the required SPF/DKIM entries Wix provides for your domain.
  5. Wait 24–48 hours for DNS propagation, then verify using MXToolbox's DMARC lookup.
Full Wix guide →Official Wix docs ↗
How to fix missing dmarc on Wix Studio
  1. In Wix Studio, open the site project and go to the Site Dashboard → Settings → Domains.
  2. Follow the same DNS steps as Wix above — either manage the TXT record in Wix's DNS panel (if the domain is Wix-managed) or log in to your external DNS provider.
  3. Add a TXT record: Host = '_dmarc', Value = v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
  4. Ensure any transactional email (Wix automations, contact forms) is authenticated with SPF/DKIM via Wix's email settings before escalating to p=quarantine.
Full Wix Studio guide →Official Wix Studio docs ↗
How to fix missing dmarc on Squarespace
  1. In your Squarespace dashboard, go to Settings → Domains (or Website → Domains on older panel versions).
  2. If your domain is managed by Squarespace: click on the domain → DNS Settings → scroll to 'Custom Records' → click 'Add Record'. Set Type = TXT, Host = '_dmarc', Data = v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. Save.
  3. If your domain DNS is managed externally (e.g. GoDaddy): log in to that provider and add the TXT record there.
  4. Squarespace sends transactional and marketing emails via its own infrastructure. Review Squarespace's official guide on 'Email Authentication' (SPF/DKIM) under Settings → Email to ensure Squarespace emails are authenticated and will pass DMARC alignment.
  5. If you use Squarespace Email Campaigns or a connected ESP, authenticate your sender domain in that platform too before setting p=reject.
Full Squarespace guide →Official Squarespace docs ↗
How to fix missing dmarc on Webflow
  1. In your Webflow dashboard, open Project Settings → Publishing → Custom Domain.
  2. If Webflow manages your DNS (domain purchased via Webflow): click 'Edit DNS' next to your domain. Under DNS Records, click 'Add record', choose TXT, set Name = '_dmarc', Value = v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. Save.
  3. If your domain is with an external registrar: log in there and add the TXT record (Name = '_dmarc', Type = TXT, Value = your DMARC string).
  4. Webflow does not send transactional ecommerce emails natively beyond basic order notifications — most Webflow Commerce stores use an ESP. Ensure SPF and DKIM are configured for your domain in your ESP before escalating DMARC policy to p=quarantine or p=reject.
  5. Verify the record has propagated using MXToolbox DMARC check (search 'MXToolbox DMARC lookup') after 24–48 hours.
Full Webflow guide →Official Webflow docs ↗
How to fix missing dmarc on Adobe Commerce (Magento)
  1. Adobe Commerce / Magento is self-hosted — DNS is managed at your domain registrar or DNS provider (e.g. Cloudflare, Route 53, GoDaddy), not inside the Magento admin.
  2. Log into your DNS provider's control panel and add a TXT record: Name/Host = '_dmarc', TTL = 3600, Value = v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
  3. In the Magento admin, go to Stores → Configuration → Advanced → System → Mail Sending Settings. Ensure you are using an authenticated SMTP relay (e.g. SendGrid, Mailgun, Amazon SES) rather than the server's default sendmail — this is critical for SPF/DKIM alignment.
  4. Install an SMTP extension (e.g. Magento SMTP by Mageplaza, or configure via app/etc/config.php) to route all transactional mail through your authenticated sending provider.
  5. Confirm SPF and DKIM records for your SMTP provider are already in DNS for your domain, then monitor DMARC reports for 2–4 weeks before escalating to p=quarantine.
Full Adobe Commerce (Magento) guide →Official Adobe Commerce (Magento) docs ↗
How to fix missing dmarc on Magento Open Source
  1. Same DNS and mail-authentication process as Adobe Commerce above — DMARC is purely a DNS TXT record managed at your registrar or DNS host.
  2. Add TXT record at _dmarc.yourdomain.com with value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
  3. Configure SMTP authentication in Magento Open Source via Stores → Configuration → Advanced → System → Mail Sending Settings, pointing to an SPF/DKIM-enabled relay.
  4. Use a community SMTP extension from the Magento Marketplace to enable authenticated outbound mail if the default server configuration does not support it.
Full Magento Open Source guide →Official Magento Open Source docs ↗
How to fix missing dmarc on PrestaShop
  1. PrestaShop is self-hosted — add the DMARC TXT record at your domain registrar or DNS provider: Name = '_dmarc', Type = TXT, Value = v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
  2. In PrestaShop admin, go to Advanced Parameters → E-mail and set the email method to SMTP. Enter the credentials for an authenticated sending provider (SendGrid, Mailgun, etc.) that has SPF and DKIM configured for your domain.
  3. Save and send a test email to verify DKIM and SPF pass in the email headers before tightening DMARC policy.
Full PrestaShop guide →Official PrestaShop docs ↗
How to fix missing dmarc on BigCommerce for WP
  1. DNS is managed at your registrar or hosting DNS panel — add a TXT record: Host = '_dmarc', Value = v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
  2. The BigCommerce for WordPress plugin routes checkout and order emails through BigCommerce's infrastructure. Follow BigCommerce's email authentication guide (SPF/DKIM) in your BC control panel under Store Setup → Email to authenticate your sender domain.
  3. WordPress notification emails are sent via wp_mail — install WP Mail SMTP and configure an authenticated SMTP provider to ensure those pass DMARC as well.
Full BigCommerce for WP guide →Official BigCommerce for WP docs ↗

Does your site have this issue?

Run a free SEOLZ audit to find missing dmarc — and every other issue — across your whole site in minutes.

Scan my site free

Frequently asked questions

What is Missing dmarc?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a free email authentication standard you publish as a DNS record. It tells the world's email providers — Gmail, Outlook, Yahoo, and others — what to do when someone sends an email that pretends to be from your domain but fails authentication checks. Without a DMARC record, anyone can forge your store's "From" address and send convincing phishing or spam emails that appear to come from you. The record lives at a specific DNS address (_dmarc.yourdomain.com) and takes effect within 24–48 hours of being added.

Why does missing dmarc matter?

Without DMARC, criminals can send emails that look exactly like they came from your store — order confirmations, password resets, or fake promotions — tricking your customers into handing over payment details or passwords. This directly damages customer trust, can result in your domain being blacklisted by mail providers (destroying your legitimate email deliverability), and exposes you to legal and reputational liability under consumer-protection and data-privacy laws. OWASP classifies this as a Security Misconfiguration (A05:2021) — one of the most common and impactful categories of web security failures. Fixing it is free and takes under 30 minutes yet closes a major attack vector immediately.

How do I fix missing dmarc?

Add a DMARC DNS TXT record at _dmarc.yourdomain.com to protect your domain from email spoofing and phishing.

Authoritative references

Related Security (OWASP) issues