A "permanent error evaluating DMARC policy" result means the receiving system could not reliably evaluate your DMARC record. In most cases, the message is not failing because the sender forgot SPF or DKIM. It is failing because the DMARC policy record itself is missing, malformed, duplicated, or otherwise not usable by the receiver.

If you searched for this error, you are usually in one of two situations:

  • a receiver rejected live mail and the bounce included this exact phrase
  • you changed DNS recently and want to know whether the new DMARC record is still broken

Quick answer

This error usually points to one of these problems:

  • the DMARC TXT record is published at the wrong host
  • there is more than one DMARC record
  • the record syntax is invalid
  • a reporting address or tag value is malformed
  • DNS propagation, flattening, or provider formatting broke the TXT value

The fastest recovery path is:

  1. query
  2. confirm there is exactly one DMARC TXT record
  3. validate tag syntax and formatting
  4. test again with a real message and header review

What this error is actually telling you

A normal DMARC failure says the message did not align with SPF or DKIM. A permanent evaluation error is different. It says the receiver could not even trust the policy record enough to evaluate the message cleanly.

That is why the fix starts in DNS and record structure, not in template copy or volume pacing.

In practice, the receiver is often saying:

  • "I found something at , but I could not parse it"
  • "I found multiple records and cannot determine which one is valid"
  • "The required DMARC structure is not present"

The most common causes

1. The DMARC record is published at the wrong host

DMARC must live at:

It should not live only on the root domain and it should not be mixed into SPF or other TXT entries. This is the single most common GoDaddy, Cloudflare, and DNS-provider mistake after teams copy examples too quickly.

2. There is more than one DMARC record

DMARC expects one policy record at the host.

If multiple TXT records exist there, some receivers treat the policy as invalid. This happens when:

  • an old record was left in place during a policy change
  • a provider auto-generated a second record
  • different teams added competing reporting tags

3. The syntax is malformed

A valid DMARC record begins with:

Common syntax mistakes include:

  • wrong version string
  • missing semicolons
  • typos in tags such as , , or
  • invalid spacing or truncated values
  • smart quotes or pasted formatting from rich-text tools

4. The reporting addresses are wrong

The or values can break a record when they are malformed or published in a way the receiver cannot process.

Examples:

  • invalid format
  • stray commas or spaces in the wrong place
  • addresses that were partially pasted and truncated

5. Your DNS provider wrapped or split the TXT value incorrectly

Long TXT records can be entered differently across providers. If the UI breaks the string incorrectly or inserts hidden formatting, receivers can fail to parse the policy.

This is why it is not enough to trust the DNS form view. Always query the public result directly.

How to validate the record fast

Use this sequence.

Step 1: query the live host

Check the exact public TXT record on:

Use:

Step 2: confirm there is one record

If you see multiple DMARC records, delete the extras and keep one canonical policy.

Step 3: confirm the required minimum structure

At minimum, verify:

  • a valid tag such as , , or

Step 4: review optional tags carefully

Check:

Optional tags are valuable, but they are also where formatting errors show up most often.
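
The checks in steps 2 to 4, as an added example (not code from the original page or from MailSlurp). It assumes you pass in every TXT record a public query returned for the `_dmarc.<domain>` host, each as its list of DNS character-strings; the function names and the `example.com` sample records are constructed for illustration, and only `mailto:` reporting URIs are checked.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# mailto URI with an optional "!<size>" report-size suffix
MAILTO = re.compile(r"^mailto:[^\s@,!;]+@[^\s@,!;]+\.[^\s@,!;]+(![0-9]+[kmgt]?)?$", re.I)
SMART_QUOTES = "\u201c\u201d\u2018\u2019"

def check_record(record):
    """Return a list of problems found in one DMARC TXT value (empty list = clean)."""
    problems = ["smart quotes in value"] if any(c in record for c in SMART_QUOTES) else []
    tags = []
    for part in record.strip().rstrip(";").split(";"):
        name, sep, value = part.partition("=")
        if not sep or not name.strip() or not value.strip():
            problems.append(f"malformed tag {part.strip()!r}")
            continue
        tags.append((name.strip(), value.strip()))
    # A missing semicolon after the version glues the next tag onto its value.
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("first tag must be exactly v=DMARC1")
    values = dict(tags)
    for name in ("p", "sp"):
        if name in values and values[name] not in POLICIES:
            problems.append(f"invalid {name}= value {values[name]!r}")
    if "p" not in values:
        problems.append("missing p= tag")
    for name in ("rua", "ruf"):
        for uri in (values[name].split(",") if name in values else []):
            if not MAILTO.match(uri.strip()):
                problems.append(f"bad {name} address {uri.strip()!r}")
    return problems

def check_host(txt_rrset):
    """txt_rrset: all TXT records at the _dmarc host, each a list of character-strings.
    A record split into several strings is rejoined with no separator before parsing."""
    records = ["".join(chunks) for chunks in txt_rrset]
    dmarc = [r for r in records if r.lstrip(' "' + SMART_QUOTES).lower().startswith("v=dmarc")]
    if not dmarc:
        return ["no DMARC record at this host"]
    if len(dmarc) > 1:
        return [f"{len(dmarc)} DMARC records published; exactly one is allowed"]
    return check_record(dmarc[0])

# Constructed sample inputs (not taken from a real domain).
GOOD = [["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]]
SPLIT = [["v=DMARC1; p=quarantine; rua=mailto:dm", "arc@example.com; pct=100"]]
DUPLICATE = [["v=DMARC1; p=none"], ["v=DMARC1; p=reject"]]
BROKEN = [["v=DMARC1; p=qurantine; rua=dmarc@example.com"]]
if __name__ == "__main__":
    for label, rrset in [("good", GOOD), ("split", SPLIT), ("dup", DUPLICATE), ("broken", BROKEN)]:
        print(label, check_host(rrset) or "ok")
```

An empty result only means the record is structurally usable; whether a given message then passes is the separate alignment question.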

A known-good example

Here is a clean starter policy:

And a stricter version:

Do not copy these blindly. The point is to compare your published record against a valid shape, then confirm your chosen tags are intentional.

How this differs from DMARC fail

These errors are related, but not identical.

| State | What it means | Where to investigate first |
|---|---|---|
| DMARC fail | the message did not align | sender identity, SPF, DKIM, headers |
| permanent error evaluating DMARC policy | the policy record itself could not be evaluated | DNS host, record count, syntax, TXT formatting |

If the record validates but mail still fails, continue with DMARC fail.

Recovery workflow for production teams

  1. pull the exact bounce or rejection text
  2. validate the live host
  3. remove duplicate DMARC TXT records
  4. simplify the record if necessary to a valid minimal policy
  5. wait for propagation
  6. re-test with a live send and inspect headers

If the domain is business-critical, start with while the syntax issue is being cleaned up. Once evaluation is stable, move back toward the intended enforcement level.

Provider-specific mistakes that trigger this error

GoDaddy

Teams often publish DMARC at the wrong host or accidentally keep multiple TXT records while changing DNS in the GoDaddy UI.

Use DMARC GoDaddy if the domain is managed there.

Mixed-provider setups

Some teams host DNS in one system and send mail from Google Workspace, Microsoft 365, or an ESP. The record must still validate at the DNS host, regardless of where mail is sent from.

How MailSlurp helps

MailSlurp helps teams validate DMARC changes against real message flows instead of stopping at DNS.

Use MailSlurp to:

That matters when the domain is tied to:

  • signup confirmations
  • reset emails
  • invoice delivery
  • support workflows
  • high-volume lifecycle campaigns

FAQ

Does this error mean DMARC is working?

No. It means the receiver found a DMARC policy problem serious enough that it could not evaluate the record cleanly.

Can one bad tag break the whole DMARC record?

Yes. A malformed tag or broken TXT value can make the policy unusable to some receivers.

Should I delete the whole record and start over?

Only if the record is badly malformed. Usually the fastest fix is to reduce it to one clean, minimal record, verify it publicly, then add the optional tags back carefully.

Can this happen even if SPF and DKIM are correct?

Yes. SPF and DKIM can be healthy while the DMARC policy record itself is invalid.