I use several different services to send out emails from my domain. I already have a CNAME record for _dmarc.mydomain.com that's set to mydomain.com.dmarc.emldlv.net for one service; however, another service is now telling me that I need to add a TXT record for _dmarc.mydomain.com with a value of v=DMARC1; p=none.
I tried to do this in Route 53 and got this error:
Bad request.
(InvalidChangeBatch 400: RRSet of type TXT with DNS name _dmarc.mydomain.com. is not permitted because a conflicting RRSet of type CNAME with the same DNS name already exists in zone mydomain.com.)
So idk what to do now. Can I remove the CNAME record I already have and replace it with a TXT record that contains both entries separated by a new line? eg.
mydomain.com.dmarc.emldlv.ne
v=DMARC1; p=none
You can't have more than one policy for a domain. That's logical, isn't it?
Right now, with the CNAME, you essentially delegate management of your policy to some other service. This is not bad, if you trust them and if they have good policies. You can replace your CNAME record with a TXT record that copies the contents of the record the CNAME is pointing to; it will work like this, and by doing that you'll start managing your policy yourself.
The particular problem you have, that you can't add another record, is different; that's just a special property of a DNS CNAME that you can't have any records alongside it.
v=DMARC1; p=none is certainly not a wise policy. It means "I don't care if somebody sends spam which appears as coming from my domain". It's the default, the same as not having any policy at all. I'd be very annoyed at the service that asks for such a ridiculous thing. You certainly want p=quarantine or p=reject there. Nobody should dictate to you how you appear on the internet, and especially force you to appear worse than you can.
It's not possible to have multiple DMARC records or policies for a single domain. You have to decide on a single record/policy that integrates the requirements and recommendations from all your email sending sources. In your case, this is relatively straightforward:
v=DMARC1; p=none; ruf=mailto:[email protected],mailto:[email protected]; rua=mailto:[email protected]
v=DMARC1; p=none
Since the first (existing) record is a superset of the second one, you can just leave it as is.
If the records had different p (policy) values, you would need to make an educated decision on which one best meets your needs (you can always start with p=none until you are confident it's appropriate to further restrict). Also, if there are differing ruf and rua values, you could combine them by separating the email addresses with commas:
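One way to build the single combined record described above, as an added example that is not part of the original answers. The service records and report addresses are constructed placeholders, and refusing to choose between differing p values automatically is this example's own design choice.

```python
# Added example: merge the DMARC records requested by several sending services
# into the one TXT value a domain may publish. All addresses are constructed.
SERVICE_A = ("v=DMARC1; p=none; ruf=mailto:forensic@a.example,"
             "mailto:dmarc@mydomain.example; rua=mailto:agg@a.example")
SERVICE_B = "v=DMARC1; p=none"
SERVICE_C = "v=DMARC1; p=quarantine; rua=mailto:reports@c.example"

def parse_dmarc(record):
    """Split a DMARC record into an ordered dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags

def merge_dmarc(records, policy=None):
    """Return one record: a single p=, with rua/ruf lists unioned."""
    parsed = [parse_dmarc(r) for r in records]
    policies = {t["p"] for t in parsed if "p" in t}
    if policy is None:
        # Differing policies need a human decision, so refuse to guess.
        if len(policies) != 1:
            raise ValueError(f"p= values differ or are missing: {sorted(policies)}")
        policy = policies.pop()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"invalid policy: {policy!r}")
    merged = {"v": "DMARC1", "p": policy}
    for tag in ("rua", "ruf"):
        uris = []
        for t in parsed:
            for uri in t.get(tag, "").split(","):
                if uri.strip() and uri.strip() not in uris:
                    uris.append(uri.strip())
        if uris:
            merged[tag] = ",".join(uris)
    for t in parsed:  # carry other tags over, but only if the services agree
        for k, v in t.items():
            if k not in ("v", "p", "rua", "ruf") and merged.setdefault(k, v) != v:
                raise ValueError(f"conflicting values for {k}=")
    return "; ".join(f"{k}={v}" for k, v in merged.items())
```

The returned string is the value for the one TXT record at the _dmarc name; that name cannot also hold a CNAME.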