On Fri, Nov 21, 2025 at 8:40 AM Alex Shakhov | SH Consulting via mailop < [email protected]> wrote:
> We are having an issue enforcing DMARC for a domain operating under the
> .agency TLD. Our DMARC configuration is centralized through our internal
> DNS. We manually assigned an identical CNAME value across multiple domains,
> all pointing to the same TXT record. Every domain applied the policy
> successfully except the one on .agency.
>
> At first, we considered DNS propagation delays. However, policies added to
> .agency afterward propagated normally with no delays.
>
> My assumption is that .agency TLD may have restrictions that interfere
> with DMARC enforcement at the domain level.
>
> We don't have data to compare, as this is our first time working with a
> .agency domain.
>
> We submitted a request to Identity Digital (the registry for .agency) a
> few days ago but have not yet received a response.
>
> Has anyone had issues before with .agency TLD from a DMARC enforcement
> standpoint?
>

Are you able to share the exact domain name at issue?

I went looking for oddness in general and thought I'd stumbled across a
wildcard DNS situation:

$ host -tTXT _dmarc.foo.agency
_dmarc.foo.agency descriptive text "v=spf1 -all"
$ host -tTXT _dmarc.alex.agency
_dmarc.alex.agency descriptive text "v=spf1 -all"

But it seems that it's not quite a wildcard:

$ host -tTXT _dmarc.todd.agency
Host _dmarc.todd.agency not found: 3(NXDOMAIN)

--
Todd
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
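
Added example, not part of the original thread or either poster's code: how a receiver treats the TXT strings it gets back for a _dmarc name under RFC 7489 section 6.6.3, including the "v=spf1 -all" answer seen in the host output above. The function names and the .test sample names are hypothetical, and the input is assumed to be the TXT strings after the resolver has already followed any CNAME.

```python
import re

# Added illustration: function names and the .test sample names are hypothetical.
DMARC_VERSION = re.compile(r"v\s*=\s*DMARC1\s*(;|$)")

def parse_tags(record):
    """Split a tag-value list such as "v=DMARC1; p=reject" into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc_answer(txt_records):
    """Classify the TXT strings returned for a _dmarc name (CNAMEs already followed).

    Follows RFC 7489 section 6.6.3: strings that do not start with the
    DMARC version tag are discarded; zero or several survivors mean no policy.
    """
    dmarc = [r for r in txt_records if DMARC_VERSION.match(r)]
    if not dmarc:
        if any(r.lower().startswith("v=spf1") for r in txt_records):
            return ("no-policy", "SPF record published at the _dmarc name")
        return ("no-policy", "no TXT record starting with v=DMARC1")
    if len(dmarc) > 1:
        return ("no-policy", "multiple DMARC records")
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy in ("none", "quarantine", "reject"):
        return ("policy", policy)
    # Simplification: any rua= tag counts; the RFC requires a valid report URI.
    if "rua" in tags:
        return ("policy", "none")
    return ("no-policy", "missing or invalid p= tag")

# Constructed answers; only the "v=spf1 -all" string is taken from the thread.
SAMPLES = {
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:reports@example.test"],
    "_dmarc.spf-only.test": ["v=spf1 -all"],
    "_dmarc.dup.test": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
}

if __name__ == "__main__":
    for name, answer in SAMPLES.items():
        print(name, evaluate_dmarc_answer(answer))
```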
