Can You Have Multiple DMARC Records? Common Mistakes and How to Fix Them

The answer is no. You can only have one DMARC record per domain. If your domain has two or more DMARC TXT records published at _dmarc.yourdomain.com, the result is unpredictable. Receiving mail servers may ignore all of them, pick one at random, or flag a validation error. None of those outcomes are good.

This is one of the most common DMARC mistakes, and it is easy to make. This guide explains why it happens, how to detect it, and how to fix it by merging your records into a single valid entry.

Why You Can Only Have One DMARC Record

The DMARC specification (RFC 7489) is explicit about this: a domain must publish exactly one DMARC record. When a receiving mail server queries _dmarc.yourdomain.com and finds multiple TXT records that begin with v=DMARC1, the specification says the result is undefined. In practice, most servers treat this as a configuration error and behave as if no DMARC record exists at all.

That means your domain loses all DMARC protection. Your policy is not enforced, spoofed messages are not blocked, and you may stop receiving aggregate reports. All because there are two records instead of one. This is especially common in developer environments where multiple tools and services touch DNS configuration.

This is different from other DNS record types. You can have multiple MX records, multiple A records, and even multiple TXT records on the same domain. But you cannot have multiple TXT records that are DMARC records (starting with v=DMARC1) on the same _dmarc subdomain.

Having two DMARC records is worse than having none. With no DMARC record, receiving servers simply have no policy to apply. With two records, they detect a configuration error and may distrust your domain's authentication setup entirely.

How Multiple Records Happen

Duplicate DMARC records almost always happen by accident. Here are the most common ways:

Different tools adding records independently. You sign up for a DMARC monitoring service that asks you to add a DMARC record. Later, your IT team or a security consultant adds another one. Neither knows about the other's record, and now you have two.

Copy-paste errors during DNS updates. You update your DMARC record by creating a new TXT entry but forget to delete the old one. Your DNS provider now has both the original and the updated record, and both are published.

DNS provider interface confusion. Some DNS management interfaces make it easy to accidentally create a new record instead of editing an existing one. You think you are modifying your DMARC record, but you are actually adding a second one alongside the first.

Domain migration or DNS provider changes. When moving your DNS from one provider to another, records sometimes get duplicated during the migration. The old records carry over, and new ones are added on top.

Multiple administrators. In organizations where several people manage DNS, one person may add a DMARC record without checking whether one already exists. This is especially common when an agency or external vendor is involved alongside an internal team.

How to Detect Duplicate DMARC Records

The easiest way to check is to look up your domain at dmarcrecordchecker.com. The tool will flag multiple DMARC records and show you exactly what is published.

You can also check from the command line. On macOS or Linux:

dig TXT _dmarc.yourdomain.com

On Windows:

nslookup -type=TXT _dmarc.yourdomain.com

If either command returns more than one TXT record starting with v=DMARC1, you have a problem that needs fixing.

Check all your domains

If you manage multiple domains, check each one. Duplicate records can hide on lesser-used domains for months without anyone noticing. Every domain should have exactly one DMARC record or none at all (though we strongly recommend having one).

How to Fix Duplicate DMARC Records

The fix is straightforward: merge your multiple records into one and delete the extras. Here is the process step by step.

Identify all existing DMARC records

Look up your domain and note every DMARC TXT record that is currently published. Write them down or copy them somewhere so you can compare them.

Compare the records

Look at the tags in each record. Typically, duplicate records have slightly different configurations. One might have p=none while another has p=quarantine. One might include a rua tag while the other does not. Make note of the differences.

Create a single merged record

Combine the tags from all records into one valid DMARC record. Choose the most appropriate value for each tag. If one record has p=reject and another has p=none, decide which policy you want based on where you are in your DMARC journey. Include all reporting addresses you want to keep.

Delete all existing DMARC records

Log in to your DNS provider and remove every TXT record at _dmarc.yourdomain.com that starts with v=DMARC1. Remove all of them, not just the duplicates.

Add your single merged record

Create one new TXT record at _dmarc.yourdomain.com with your merged DMARC record. Double-check that it starts with v=DMARC1 and that all tags are properly formatted.

Verify the fix

Wait a few minutes for DNS propagation, then check your domain again at dmarcrecordchecker.com. You should see exactly one valid DMARC record.

Merging Records: A Practical Example

Suppose you find these two DMARC records on your domain:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com;

v=DMARC1; p=quarantine; ruf=mailto:forensics@yourdomain.com; fo=1;

The first record has a monitoring policy with aggregate reporting. The second has a quarantine policy with forensic reporting. To merge them, combine the tags and choose the policy that matches your current enforcement stage:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensics@yourdomain.com; fo=1;

This single record preserves the reporting addresses from both records and uses the stronger policy. If you are not ready for quarantine, use p=none instead. The key is having one record that includes everything you need.

What About Multiple TXT Records in General?

It is worth clarifying that having multiple TXT records on the same domain is perfectly fine for different purposes. Your domain might have a TXT record for SPF (v=spf1 ...), another for domain verification (google-site-verification=...), and one for DMARC (v=DMARC1 ...). These are all different TXT records serving different functions, and they coexist without issues. For a deeper understanding of how SPF, DKIM, and DMARC work together as separate DNS records, see our comparison guide.

The problem is specifically with having multiple TXT records that all start with v=DMARC1 on the _dmarc subdomain. The DMARC specification requires exactly one.

Similarly, you can have DMARC records on different subdomains without conflict. A record at _dmarc.example.com and another at _dmarc.newsletter.example.com are separate records for separate domains. That is valid and sometimes even recommended for organizations that need different policies on different subdomains.

Preventing Duplicate Records

Once you have fixed any existing duplicates, here are some practices to prevent them from recurring:

Document your DNS records. Keep a record of what DNS entries exist for each domain, who added them, and why. This prevents duplicate additions.

Designate one person or team for DNS changes. When multiple people can modify DNS, duplicate records are almost inevitable. Establish a clear process for who makes changes.

Check before adding. Before adding any new DMARC record, always check whether one already exists. A quick lookup at dmarcrecordchecker.com takes seconds and prevents this entire problem.

Edit instead of creating. When you need to update your DMARC record, edit the existing TXT entry in your DNS provider instead of creating a new one. Most DNS interfaces have an edit function for existing records.

Set up monitoring. Use a monitoring service that alerts you when your DNS records change. This catches accidental duplicates before they cause problems.

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss a DMARC issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring