
I got the "strict DMARC policy" alert. How to fix it?

Learn how to fix email deliverability issues caused by a strict DMARC policy by verifying your domain with custom DNS records.

Written by Caroline Tyrko
Updated this week

Why is DMARC alignment important?

📓 DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It’s an email authentication standard that helps prevent spam, spoofing, and phishing.

If your DMARC policy is strict, it requires precise alignment between your domain settings and the servers sending your emails.

If you’ve connected your email in Certifier and see a warning, or your emails are landing in spam, your domain might have a strict DMARC policy. This means your DNS settings are missing records that confirm we’re allowed to send emails on behalf of your domain, and that can hurt deliverability.

The good news? Fixing this only takes a few steps!


How to find and fix the "strict DMARC policy" alert?

Go to the Emails → Sender Details section in Certifier. If we detect a strict DMARC policy on your domain, you’ll see a warning like this:

You can learn more after entering the Sender's Details:

No worries! To fix this issue, you'll just need to follow these steps:

  1. Find the affected email in Emails → Sender Details and enter the details.

  2. Click on the Check configuration button:

  3. You’ll see the required DNS records (TXT and MX) for the mail-certifier subdomain. Here’s an example of what the records might look like:

    MX Record

    • Host: mail-certifier.yourcompany.com

    • Type: MX

    • Priority: 10

    • Value: feedback-smtp.eu-west-1.amazonses.com

    TXT Record (SPF)

    • Host: mail-certifier.yourcompany.com

    • Type: TXT

    • Value: "v=spf1 include:amazonses.com ~all"

    Copy these values and add them to your DNS zone:

    💡 These records won’t affect your default email sending. They only apply to the mail-certifier subdomain used by Certifier.

  4. After updating the DNS records, go back to the app and click Check DNS Records:

⏳ Please note that changes can take up to 72 hours to be detected.

And that's it - if everything's correct, the warning will disappear from your account!


I added the records, but the alert still appears. What to do?

If you’ve added the records, waited 72 hours, and still see the warning:

  • Double-check your DNS entries for typos or formatting issues.

  • Then, contact our support team with a screenshot of your current DNS records so we can verify and troubleshoot the setup.
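
The first check above can be scripted. This Python snippet is an added example, not part of Certifier's product or documentation: it compares the output of `dig +short MX` and `dig +short TXT` for the mail-certifier subdomain with the record values shown on this page and reports common typos and formatting issues. The sample answers at the end are constructed, not real lookups.

```python
import re

# Values copied from the records shown on this page.
EXPECTED_MX = (10, "feedback-smtp.eu-west-1.amazonses.com")
EXPECTED_SPF = "v=spf1 include:amazonses.com ~all"


def check_mx(lines):
    """Check output lines of `dig +short MX mail-certifier.<your domain>`."""
    if not lines:
        return ["no MX answer: host name is wrong or the change is not visible yet"]
    problems = []
    for line in lines:
        m = re.fullmatch(r"(\d+)\s+(\S+)", line.strip())
        if not m:
            problems.append(f"unparseable MX answer: {line!r}")
            continue
        prio, target = int(m.group(1)), m.group(2).rstrip(".").lower()
        if target != EXPECTED_MX[1]:
            problems.append(f"unexpected MX target: {target}")
        elif prio != EXPECTED_MX[0]:
            problems.append(f"MX priority is {prio}, expected {EXPECTED_MX[0]}")
    return problems


def check_spf(lines):
    """Check output lines of `dig +short TXT mail-certifier.<your domain>`."""
    problems, spf = [], []
    for line in lines:
        # dig quotes each TXT string; a record split into several is joined.
        value = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', line))
        if value.lower().startswith("v=spf1"):
            spf.append(" ".join(value.lower().split()))
        elif value.replace('\\"', "").strip().lower().startswith("v=spf1"):
            # Quotes typed into the DNS panel became part of the value.
            problems.append("SPF value contains literal quote characters")
    if len(spf) > 1:
        problems.append("more than one v=spf1 record on this name")
    elif len(spf) == 1 and spf[0] != EXPECTED_SPF:
        problems.append(f"unexpected SPF value: {spf[0]}")
    elif not spf and not problems:
        problems.append("no SPF TXT record found")
    return problems

# Constructed sample answers (not real lookups).
GOOD_MX = ["10 feedback-smtp.eu-west-1.amazonses.com."]
BAD_MX = ["10 feedback-smtp.eu-west-1.amazonses.com.yourcompany.com."]
GOOD_TXT = ['"v=spf1 include:amazonses.com ~all"']
BAD_TXT = ['"\\"v=spf1 include:amazonses.com ~all\\""']
```

An empty list from both functions means the answers match the records on this page. `BAD_MX` shows the case where the DNS panel appended your zone name to the MX value.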


I didn't get any alert, but my emails land in spam. How to fix that?

In some cases, you may not see any alert in the app, but your certificate emails are still landing in spam or being marked as unverified by recipients’ email providers.

If that’s the case, you can manually add the required records to your DNS zone to improve deliverability:

MX Record

  • Host: mail-certifier.yourcompany.com

  • Type: MX

  • Priority: 10

  • Value: feedback-smtp.eu-west-1.amazonses.com

TXT Record (SPF)

  • Host: mail-certifier.yourcompany.com

  • Type: TXT

  • Value: "v=spf1 include:amazonses.com ~all"

After adding the records, please contact our support team to manually verify the configuration.

💡 These records won’t affect your default email sending. They only apply to the mail-certifier subdomain used by Certifier.


Still having deliverability issues?

If the messages are still not delivered correctly after setting up DNS records, consider the pattern:

  • Trouble delivering to one specific domain?
    The issue may be on the recipient's side. Ask them to whitelist your domain.

  • Trouble delivering to multiple domains?
    Reach out to us again - there may be more we can help with.


Need more help?

If you still have some questions, do not hesitate to contact us via the chat icon or email us directly: [email protected]
