How to fix “no DMARC reports arriving” from external rua verification

You published a DMARC record with a rua= address weeks ago, but no aggregate reports ever arrive — the monitoring you set up is silent.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

If your rua= (or ruf=) points to a mailbox on a different domain than the one being reported on, receivers won't send reports until the destination domain authorizes it — otherwise anyone could aim your reports at a victim. RFC 7489 §7.1 requires a TXT record named <your-domain>._report._dmarc.<destination-domain> containing v=DMARC1, published on the destination domain; without it, compliant receivers refuse to send. (Same-domain rua needs no such record.) A missing authorization record is the most common reason a correct-looking DMARC setup produces zero reports. Source: RFC 7489 §7.1 · verified 2026-07-15

How to fix it

Step 1. Check whether your rua domain differs from your sending domain — if so, you need the authorization record.
Step 2. Publish <your-domain>._report._dmarc.<destination-domain> as a TXT record set to v=DMARC1 on the destination domain.
Step 3. Verify it resolves globally, then wait up to 24–48h for the next reporting cycle.
Step 4. Confirm the rua mailbox actually accepts the (often large, zipped) report attachments.

Frequently asked

How long until fixes take effect?

DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.

Does this apply if I send fewer than 5,000 emails a day?

Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.

Can I just ask my hosting provider to fix it?

Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →