Adding the DNS record and then watching your domain stay in the warning state is one of the most common reasons people get in touch. In nearly every case the record is published, but it is not quite in the form DMARCER is looking for, or it has been added at the wrong host name. This article explains what verification actually checks, how to run the recheck yourself, and the handful of slips that account for almost all failures.
What "verify" actually checks
When you add a domain, DMARCER creates a unique ownership token for it. To confirm the domain is yours, we look up a single TXT record at the host "_DMARCER" in front of your domain (so for example.com the full name is _DMARCER.example.com) and check that its value matches that token exactly. The token looks like dmarcer-verification= followed by a long string of characters. We look this up live, with no caching on our side, so as soon as your DNS host has published the record a recheck will see it.
Verification will not be undone by a brief DNS hiccup, and clicking Recheck Now yourself can only ever validate a domain, never remove an existing validation. The one thing that drops a domain back to unvalidated is our background check confirming (with a second look-up) that the _DMARCER record has genuinely been removed or changed. Only the ownership record matters for this badge: your SPF, DMARC and DKIM records are checked separately and are not what holds back the green Validated badge.
The verification workflow, step by step
- Open Domains and find the row for the domain. While it is unvalidated it shows a yellow Validate button (you will also find Validate ownership in the row's menu).
- Click Validate to open the Verify Domain Ownership dialog. It shows the exact Name and Value to publish, each with a copy button.
- In your DNS host, create a new TXT record. Set the Name (host) to what is shown, which is _DMARCER plus your domain, and paste the Value exactly as given.
- Save the record at your DNS host, then come back to the dialog and click Recheck Now. Verification also runs automatically in the background, but Recheck Now gives you an immediate answer.
- When the token is found, the domain switches to a green Validated badge and the SPF, DMARC, MTA-STS and TLS-RPT tools unlock for that domain.
What each option means
- Recheck Now: looks up the _DMARCER record in DNS straight away and validates the domain if the token matches. Use this right after you have published the record yourself. A manual Recheck Now never removes an existing validation, so it is always safe to press.
- Publish now: only appears when the domain is linked to a DNS provider that DMARCER can write to. It creates the ownership TXT record for you through that connection, then runs the recheck automatically straight afterwards. It does not touch any other records, so it will not affect your mail flow.
- Automatic background validation: even if you never press a button, our background check will pick up the record and validate the domain. Recheck Now simply saves you the wait.
Why it still will not verify
Work through these in order. The first three are by far the most common.
- Wrong host name. The record must be at _DMARCER in front of the domain, not at the root. Many DNS hosts automatically append the domain to whatever you type, so if you enter the full _DMARCER.example.com you can end up with _DMARCER.example.com.example.com. In that case, enter only _DMARCER as the host.
- Value does not match exactly. Paste the whole token, with nothing added or removed. Watch out for a trailing space, smart quotes pasted from a document, or extra quotation marks added by the DNS host. The value we expect starts with dmarcer-verification=.
- Wrong record type. It must be a TXT record. A CNAME, A or other type at the same name will not be picked up.
- Editing the wrong domain or area. If you manage your root domain and subdomains separately, make sure the TXT record sits with the exact domain shown in the dialog.
- Published but not live everywhere yet. We do not cache, but your own DNS host can take a short while to start serving a newly saved record. If everything looks correct, wait a few minutes and click Recheck Now again.
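The checks in this list can be run mechanically against the answers from your own public DNS lookups. The following is an added example, not DMARCER's own code: the function name, the verdict strings and the sample data are assumptions made for illustration, and the DNS answers are passed in by hand so that it runs offline.

```python
# Added example: offline triage of the slips listed above.
LABEL = "_DMARCER"                      # host label given in the article
PREFIX = "dmarcer-verification="        # token prefix given in the article
QUOTES = "\"'\u201c\u201d\u2018\u2019"  # straight and "smart" quotation marks


def diagnose(domain, token, answers):
    """Classify why verification fails.

    answers maps (owner_name, record_type) -> list of values, filled in from
    your own public DNS lookups. Returns a short verdict string (hypothetical
    labels, not messages shown by DMARCER).
    """
    # DNS names are case-insensitive and may carry a trailing dot.
    seen = {(n.rstrip(".").lower(), t.upper()): v for (n, t), v in answers.items()}
    domain = domain.rstrip(".").lower()
    want = f"{LABEL.lower()}.{domain}"

    txt = seen.get((want, "TXT"), [])
    if token in txt:
        return "ok"
    for value in txt:
        if value.strip() == token:
            return "value-has-stray-whitespace"
        if value.strip().strip(QUOTES).strip() == token:
            return "value-has-extra-quotes"
    if any(PREFIX in value for value in txt):
        return "value-differs-from-token"

    # Something other than TXT is published at the right name.
    other = sorted(t for (n, t), v in seen.items() if n == want and t != "TXT" and v)
    if other:
        return "wrong-record-type:" + ",".join(other)

    # The token is published, but at the wrong owner name.
    for (name, rtype), values in seen.items():
        if rtype == "TXT" and name != want and any(token in v for v in values):
            if name == f"{want}.{domain}":
                return "doubled-domain"
            if name == domain:
                return "published-at-root"
            return "wrong-host:" + name
    return "not-found"
```

Populate answers with what a public resolver returns for the name shown in the dialog, for the doubled name, and for the root domain, then compare the verdict with the matching item in the list above.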
If it still fails
- If Recheck Now says no matching _DMARCER TXT record was found yet, the record is genuinely not visible to a public DNS lookup. Re-open the dialog, copy the Name and Value again with the copy buttons, and compare them character for character with what is published.
- If you see a message that validating the domain would take you over the number of domains your plan allows, the hold is about your plan rather than DNS. Add a payment method to allow billing for the extra domains, or move to a larger plan, then try Recheck Now again.
- If a domain that was previously validated drops back to unvalidated, our background check has confirmed the ownership record was removed or changed at the DNS host. Please leave the _DMARCER TXT record in place permanently, so the background re-check keeps confirming ownership.
- If the domain is linked to a DNS provider, the quickest fix is usually to use Publish now and let DMARCER create the correct record for you.