Documentation

Everything you need to set up DMARC monitoring, understand your data, classify your senders, and safely advance to a reject policy.

Getting started

MyDMARC receives, parses, and visualizes the aggregate DMARC reports (RUA) that mailbox providers such as Google, Microsoft, and Yahoo send for your domain. Follow these four steps to start monitoring.

Create an account. Go to /register, enter your name, organization name, email address, and a password, then click Create account. Check your inbox for a verification email and click the link inside it to confirm your address.
Add a domain. After signing in, go to Domains in the sidebar and click Create domain. Enter the domain name (e.g. example.com) and save. MyDMARC will display a unique RUA address for that domain.
Publish your DMARC DNS record. In your DNS provider, create a TXT record at _dmarc.example.com containing the rua= address from the previous step. A safe starting record looks like this:
v=DMARC1; p=none; rua=mailto:<your-rua-address>
p=none means monitor-only — no mail is blocked or moved to spam. This is the recommended starting point because it lets you see your sending landscape before enforcing any policy. DNS changes can take up to 48 hours to propagate globally.
Wait for your first report. Mailbox providers send aggregate reports once every 24 hours. Your Dashboard will populate as soon as the first report arrives. If your domain sends very little mail, it may take a few days before major providers include it in a report.

Your DMARC record

Your DMARC record is a DNS TXT record published at _dmarc.example.com. It tells receiving mail servers what to do with mail that fails authentication, and where to send reports. The record evolves as you gain confidence in your sending infrastructure:

Stage 1 — Monitoring (start here)

v=DMARC1; p=none; rua=mailto:<your-rua-address>

Reports are collected; no mail is affected.

Stage 2 — Partial enforcement

v=DMARC1; p=quarantine; pct=100; rua=mailto:<your-rua-address>

Mail that fails authentication is moved to the recipient's spam folder.

Stage 3 — Full enforcement

v=DMARC1; p=reject; pct=100; rua=mailto:<your-rua-address>

Mail that fails authentication is rejected outright at the receiving server.

Use the Policy page to track when you are ready to advance between stages. See the DMARC tag reference for a full explanation of every available tag.

Dashboard

The Dashboard gives a high-level overview of your DMARC health across all domains. It displays three summary metrics:

Reports received — the total number of aggregate reports collected. Each report covers a 24-hour window and is submitted by one reporting organization (for example, Google submits a separate report for mail it received claiming to be from your domain).
Messages evaluated — the total number of individual email messages counted across all reports. A single report can cover thousands or tens of thousands of messages depending on your sending volume.
Pass rate — the percentage of evaluated messages that passed DMARC authentication. Displayed in green (≥ 95 %), yellow (≥ 80 %), or red (< 80 %).

If you have not yet added a domain, the Dashboard shows a prompt to create one. If a domain exists but no reports have arrived yet, a "Pending first report" notice is displayed instead of the metric cards.

Reports

The Reports page lists every aggregate DMARC report received. Click any row to open the full report detail.

Reports list

Each row in the list shows the following columns:

Date range — the UTC start and end of the reporting period, typically a 24-hour window.
Domain — the policy domain the report covers. This is the visible From address your recipients see in their email client, not necessarily the sending server's domain.
Reporting organization — the mailbox provider that submitted the report (e.g. Google, Microsoft).
Email count — the total number of messages covered by this report.
DMARC pass rate — percentage of messages in this report that passed DMARC, color-coded: green ≥ 95 %, yellow ≥ 80 %, red < 80 %.
DKIM — overall DKIM alignment for this report: green checkmark = all aligned, yellow triangle = mixed results, red ✕ = none aligned.
SPF — same three-state indicator for SPF alignment across the report.

Filtering: If you have multiple domains, a dropdown appears above the list. Choose a specific domain to filter, or leave it on "All domains" to see everything.

Sorting: Click any column header to sort ascending; click the same header again to sort descending.

Report detail

Clicking a report opens a detail view split into two sections: a summary and a records table.

Summary cards

Seven cards across the top of the page provide a snapshot of the report: Domain, Date range, Email count, DMARC pass rate, DKIM summary (All aligned / Mixed / Not aligned), SPF summary (All aligned / Mixed / Not aligned), and Reporting organization.

Records table

Each row represents one sending IP address observed during the reporting period. Columns:

Source IP / Hostname — the IPv4 or IPv6 address that sent the mail, plus its reverse-DNS hostname where one exists.
Count — how many messages came from this IP within this reporting period.
Header from — the domain in the visible From: header. A "Possible forwarding" flag appears when the record shows signs of a forwarding chain that breaks SPF alignment.
DMARC — pass (green) or fail (red). Hover over the icon to see the specific failure reason.
Disposition — the action requested by your DMARC policy for failing mail from this source: none (grey — monitor only), quarantine (yellow — move to spam), or reject (red — block outright). This reflects your policy at the time the report was generated, not what the receiving server may have chosen to do.
DKIM — aligned (green) or not aligned (red). Hover to see every DKIM signing domain, selector, and whether it aligns with the From: domain.
SPF — aligned (green) or not aligned (red). Hover to see the envelope sender domain, the SPF result, and the alignment assessment.

All columns are sortable. Use the pagination controls at the bottom to navigate reports that contain many sending IPs.

Senders

The Senders page lists every authenticated sending identity resolved from your DMARC reports. A sending identity is the domain name tied to a passing authentication result — for example, a message DKIM-signed as mail.example.com or SPF-aligned to example.org. This gives you a named, service-level view of who is sending mail as your domain, rather than raw IP addresses. (Raw IPs grouped by infrastructure domain are shown on the Sources page.)

Classifying your senders is the key step that unlocks the Policy advancement guidance. By marking each sender as Trusted or Untrusted, you give MyDMARC the information it needs to calculate an accurate pass rate for only your legitimate mail — so a bad actor spoofing your domain does not artificially inflate or deflate the score. Complete this page before using Policy.

Columns

Sender — the identity label (e.g. google.com) along with a badge showing how the identity was resolved:
- DKIM — identity comes from the DKIM d= signing domain. The most reliable signal because it is cryptographically bound to the message.
- SPF — identity comes from the envelope sender (MAIL FROM) domain.
- rDNS — identity comes from the reverse-DNS hostname of the sending IP. Used as a fallback when DKIM and SPF identities are unavailable.
- IP — only a raw IP address is available; no domain could be resolved. These senders are hardest to classify and often indicate unconfigured or unrecognized infrastructure.
Trust — your classification of this sender. Click the badge to open a dropdown and select a state (see below).
Total messages — cumulative message count from this sender across all reports.
DMARC pass rate — percentage of this sender's messages that passed DMARC, color-coded green / yellow / red.
Last seen — how long ago this sender last appeared in a report.

Classifying trust

Every sender starts as Unknown. Click the trust badge to open a dropdown, then select the appropriate state:

Unknown (grey) — not yet reviewed. Excluded from policy readiness calculations.
Trusted (green) — a legitimate sender you authorize to use your domain. Its pass rate is included in the policy advancement threshold check.
Untrusted (red) — a sender you do not recognize or do not authorize. Excluded from the trusted pass rate calculation.

Mark all services that legitimately send on your behalf — your own mail servers, transactional email platforms, marketing tools — as Trusted. Mark anything you cannot account for as Untrusted. Leave senders as Unknown only while you are still investigating them.

Policy

The Policy page shows whether each of your domains is ready to advance from p=none to p=quarantine, and from p=quarantine to p=reject.

This feature is available on paid plans. Free plan users will see a prompt to upgrade when visiting this page.

Policy list

The list shows all your domains. Click any row to open the detailed policy view for that domain. Columns:

Domain — the domain name.
Policy — your current DMARC policy, shown as a color-coded badge: p=none, p=quarantine, or p=reject.
Status — MyDMARC's readiness assessment for this domain:
- Fully protected — domain is already at p=reject. No further action needed.
- Ready to advance — all three readiness checks pass. You can safely increase your policy.
- Not yet ready — one or more checks are not yet passing. Open the detail view to see which ones.
- More data needed — fewer than 100 trusted messages have been seen in the last 30 days. Continue collecting reports and check back.
- No trusted senders — no senders have been classified as Trusted yet. Go to the Senders page first.
- Not configured — no active DMARC record with a MyDMARC RUA address has been detected for this domain.
Trusted pass rate — the DMARC pass rate calculated using only your Trusted senders over the last 30 days. Colour-coded green / yellow / red.

Policy detail

The detail view for a domain contains several components:

Progression timeline — a three-step visual indicator showing Monitoring (p=none), Partial enforcement (p=quarantine), and Full enforcement (p=reject). Your current stage is highlighted green and labelled "Current". Completed stages are also filled green; future stages are greyed out.
Readiness checklist — three conditions that must all pass before it is safe to advance your policy. A green tick means the condition is met; a red cross means it is not:
- Trusted sender DMARC pass rate is at or above the required threshold.
- Your record's pct= value is 100, confirming the policy applies to all mail rather than a random sample.
- At least 100 trusted messages have been seen in the last 30 days — a minimum volume threshold to ensure the pass rate is statistically meaningful.
Summary figures — two cards showing your trusted sender pass rate and total trusted message volume over the last 30 days.
Unclassified failure warning — if a significant share of failing mail comes from senders you have not yet reviewed, MyDMARC will flag this. These could be legitimate services you have missed, or they could be forwarded mail that naturally fails SPF alignment. Review the Senders page and the forwarding section in Common issues before advancing.
Suggested DNS record — when all three readiness checks pass, MyDMARC generates the exact TXT record value needed to advance to the next policy level. Click the copy icon to copy it to your clipboard, then update the TXT record at _dmarc.example.com in your DNS provider. MyDMARC does not update your DNS automatically.

Sources

The Sources page shows every IP address observed in your DMARC reports, grouped by the registrable domain of that IP's reverse-DNS hostname (for example, 209.85.220.41 has a hostname of mail-sor-f41.google.com, so it appears under the google.com group).

Sources shows you where mail was sent from at the infrastructure level. The Senders page shows you who sent it based on authenticated identities like DKIM signing domains. Both views are complementary: use Sources to spot unfamiliar infrastructure and Senders to classify and trust your known services.

Source groups list

Source — the registrable domain of the sending infrastructure (e.g. google.com, mailchimp.com).
Unique hosts — count of distinct IP addresses seen within this group.
Total messages — aggregate message count across all IPs in this group and all reports.
DMARC pass rate — color-coded pass rate across the group.
Last seen — how long ago the most recent message from this group was reported.

Click any column header to sort. Click a row to drill into the individual IPs within that group.

Source detail

The detail view lists every individual IP address within the selected source group. Columns:

Source IP — the IPv4 or IPv6 address.
Hostname — reverse-DNS name for this IP, or "No reverse DNS" if none exists.
Header from — the From: header domain observed in messages from this IP.
Total messages — message count attributed to this specific IP.
DMARC pass rate — color-coded pass rate for this IP.
Last seen — how long ago this IP last appeared in a report.

Reporters

The Reporters page lists every organization that has submitted a DMARC aggregate report for your domains. These are almost always large mailbox providers — Google, Microsoft, Yahoo, and others — though some enterprise mail gateways also submit reports.

A reporter appears here only if it processed mail that claimed to be from one of your domains and had a valid DMARC record. Seeing a provider in this list confirms they are receiving and evaluating your domain's mail. It does not mean all senders are covered — providers that process very low volumes of your mail may omit reporting.

Reporting organization — display name of the provider.
Email — the contact address listed in their report metadata.
Reports — total number of reports received from this organization.
Total emails — cumulative message count across all of their reports.
First seen — when the first report from this organization arrived.
Last seen — how long ago their most recent report arrived.

All columns are sortable. If a major provider is absent, verify that your DMARC record is published correctly using the DMARC Checker and that the rua= address is exactly the one MyDMARC provided for that domain.

Domains

The Domains page is where you add and manage the domains being monitored.

Adding a domain

Click Create domain in the top-right corner of the Domains list. If your plan's domain limit has been reached, this button is replaced by an alert explaining the limit — upgrade your plan to add more domains.
Enter the domain name and save.
MyDMARC generates a unique RUA address for this domain. Copy it and add it to your DMARC DNS record's rua= tag as described in Getting started.

Domain list columns

Domain name — the domain name you added.
DMARC status — green "valid" once at least one report has been received successfully; red "parsing error" if a malformed or unreadable report was received; grey pending if no reports have arrived yet.
Last report received — how long ago the most recent report arrived.

Domain detail

Click a domain name to open its detail page. From here you can:

View your RUA address — the unique report-to address that belongs in your DMARC record's rua= tag.
Check DNS — click the Check DNS button to confirm that MyDMARC can read a valid DMARC record for this domain in live DNS.
Delete the domain — permanently removes the domain and all its associated reports and data. This action cannot be undone. A confirmation prompt is shown before deletion proceeds.

Alignment explained

Passing SPF or DKIM alone is not enough for DMARC to pass — the authenticated domain must also align with the domain in the visible From: header. This alignment requirement is the core of what makes DMARC effective against spoofing: without it, an attacker could authenticate their own domain (passing SPF and DKIM) while displaying your domain in the From: address that recipients actually see.

DMARC passes if at least one of the following is true:

SPF alignment — the envelope sender domain (the MAIL FROM address used during the SMTP transaction) matches the From: header domain.
DKIM alignment — the DKIM signing domain (the d= tag in the DKIM-Signature header) matches the From: header domain.

Two alignment modes control how strictly "matching" is enforced, set via adkim= (for DKIM) and aspf= (for SPF):

Mode	Tag value	Rule	Example
Relaxed	r	The organizational (registered) domains must match. Subdomains of the From: domain are permitted.	`mail.example.com` aligns with `example.com` ✓
Strict	s	The domains must match exactly. Subdomains are not permitted.	`mail.example.com` does not align with `example.com` ✗

Relaxed mode (r) is the default and is recommended for most organizations. Strict mode can cause legitimate mail to fail DMARC if your sending infrastructure uses a different subdomain from the one in your From: address.

DMARC tag reference

A DMARC record is a DNS TXT record at _dmarc.example.com. Tags are semicolon-separated key=value pairs. The v= and p= tags are the only required ones; all others are optional.

Tag	Required	Default	Values	Description
v	Yes	—	DMARC1	Version identifier. Must be the first tag in the record and must equal `DMARC1` exactly.
p	Yes	—	none · quarantine · reject	`none` = collect reports only, no enforcement; `quarantine` = move failing mail to spam; `reject` = block failing mail at the receiving server.
sp	No	same as p	none · quarantine · reject	Policy override for subdomains — for example, `p=none; sp=reject` to monitor root domain mail while blocking mail from subdomains you don't use for sending.
rua	Recommended	—	mailto: URI(s)	Where aggregate reports are sent. Set this to the address MyDMARC provides for your domain. Multiple addresses can be separated by commas.
ruf	No	—	mailto: URI(s)	Where forensic (failure) reports are sent. Many large providers no longer send these due to privacy concerns, so this tag has limited practical value today.
adkim	No	r	r · s	DKIM alignment mode. `r` = relaxed; `s` = strict (exact domain match required). Leave as `r` unless you have a specific reason for strict enforcement.
aspf	No	r	r · s	SPF alignment mode. Same relaxed/strict logic as `adkim`, applied to the envelope sender domain instead of the DKIM signing domain.
pct	No	100	1 – 100	Percentage of failing messages the policy is applied to. Setting `pct=10` applies the policy to only 10 % of failures — useful for a cautious rollout. MyDMARC requires `pct=100` before marking you ready to advance policy.
fo	No	0	0 · 1 · d · s	Controls when forensic reports are generated (requires `ruf=`): `0` = both SPF and DKIM fail; `1` = either fails; `d` = DKIM only; `s` = SPF only.
ri	No	86400	integer (seconds)	Requested reporting interval in seconds. Most providers ignore this and send daily reports regardless.

Common issues

Legitimate mail is failing DMARC

The most common cause is a third-party sending service — a marketing platform, CRM, or transactional email provider — that sends on your behalf without DMARC alignment configured. To resolve this, choose one of the following:

Configure DKIM signing in the third-party service using a custom DNS key they provide (usually a CNAME or TXT record at a subdomain of your domain). Once set up, their mail will carry a DKIM signature under your domain, satisfying DKIM alignment.
Add their sending IPs to your SPF record using an include: mechanism or explicit ip4:/ip6: entries. This satisfies SPF alignment if they also use your domain as the envelope sender.
Contact the service's support team and ask for their DMARC alignment documentation — most major platforms have a dedicated guide.

Email forwarding breaks DMARC

When a mailbox forwards a message to another address, the forwarding server changes the envelope sender (MAIL FROM) to its own domain — breaking SPF alignment. If the original message was not DKIM-signed, DMARC will fail for every forwarded copy.

DKIM signatures survive forwarding as long as the message body and headers are not modified by the forwarder. The practical implication is that DKIM is the only reliable authentication mechanism for forwarded mail. Ensure all your legitimate sending infrastructure signs messages with DKIM before advancing to p=reject.

Forwarded failures are flagged with a "Possible forwarding" notice in the Report detail view. These are expected and are not spoofing attempts — but advancing to p=reject while your users rely on forwarding may cause those messages to be rejected at their destination.

SPF exceeds the 10 DNS lookup limit

The SPF specification permits a maximum of 10 DNS lookups during record evaluation. Each include:, a:, and mx: mechanism counts toward this limit — including any nested lookups inside included records. Exceeding the limit produces a permerror result, which is treated as an SPF failure.

Use the SPF Checker to audit your record and count the total lookups. If you are over the limit, work with your DNS provider or an SPF flattening service to consolidate include: chains into direct IP ranges.

No reports arriving

Work through this checklist:

Use the DMARC Checker to confirm your record is published and readable. A record that is missing, has a syntax error, or is published at the wrong hostname will not generate reports.
Verify that the rua= value is exactly the address MyDMARC provided for that domain — even a small typo will mean reports go nowhere.
Allow up to 48 hours for DNS changes to propagate before concluding the record is not being picked up.
Reports are generated by receiving servers, not sending servers. If your domain sends very little mail, major providers may not submit a report until they accumulate enough data.

Pass rate dropped suddenly

A sudden drop almost always means a new, unconfigured sending source has appeared. To identify it:

Go to Reports, sort by date descending, and open the first report where the pass rate dropped. Look for any source IPs you do not recognize.
Go to Sources, sort by Last seen descending, and look for groups that appeared recently with a low pass rate.
Go to Senders and look for new Unknown entries. Investigate whether they are a new legitimate service that was not configured for DMARC alignment, or an unauthorized source.

Free tools

The following tools are available to anyone without an account.

DMARC Checker — Look up the live DMARC record for any domain. Parses and displays each tag, flags configuration problems, and shows the RUA and RUF addresses.
SPF Checker — Fetch and parse the SPF record for any domain. Counts DNS lookups, expands all include: chains, and highlights records that are at or over the 10-lookup limit.
DKIM Checker — Retrieve the DKIM public key for a given domain and selector. Confirms the key is published and shows the key type and bit length.

Ready to get started?

Create a free account and start receiving DMARC reports for your domain in minutes.

Create free account What is DMARC?