DMARC Analyzer

Enter your domain to start the DMARC setup

This setup guide will guide you through the process of creating your own DMARC DNS record. A DMARC record is the core of each DMARC deployment project, here you define the DMARC record rule sets. After placing the DMARC record into your DNS record you will start collecting valuable DMARC data. With this data you will gain insight in your email channel(s). By using this data you can gain a better understanding of your mail streams, ensure that the various IPs sending email claiming to come from your domain are indeed legitimate, configure them properly with DKIM or add them to their SPF range. Then you can start validating policies for Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). All three policies together will get you a stronger email authentication mechanism.


Let's start with generating a DMARC record for your domain.

Enter the domain you want to manage and we will guide you through the steps to protect it.

Create your own DMARC record

Domain:

In this step we are going to define the rule sets of your DMARC record. The DMARC record tells ISP's who adopted DMARC how they should handle your emails and optionally where to send the DMARC reports.

Select the policy level of your DMARC project

A DMARC Policy tells email receivers like Microsoft (Hotmail, Live, Outlook etc), Gmail, Yahoo! and other Internet Service Providers who adopted DMARC how to handle email that fails the DMARC check. In other words: a DMARC policy influences the way email is handled. There are three DMARC policies which you can add to your DMARC record. Depending on the DMARC policy, emails that fail the DMARC check will be handled differently. There are three policies to choose from: p=none, p=quarantine or p=reject. We recommended to start off with the monitor policy (p=none).

With the DMARC policy none, Internet Service Providers who've DMARC will not do anything with email that fails the DMARC check. The email just goes into the inbox / folder of the receiver. This DMARC policy can be used to simply start analyzing who is sending emails on behalf of a domain.

Would you like to use a different policy for your subdomains?

Next to the DMARC policy you've just selected for the main domain, you can choose a DMARC policy for your sub-domains. When you use sub-domains you will have to select a DMARC policy that will be applied on email that is send from sub-domains. This policy will be applied on email from the sub-domain(s) of your main domain. When an email of the sub-domain fails the DMARC check, this policy will be applied.

advanced options

Alignment mode

Since alignment is a key part of the DMARC implementation (without alignment you can't enforce your policy), it is possible to choose how alignment should be handled for DKIM signatures and your SPF setup. The chosen alignment mode influences when alignment is achieved. You can choose to set the alignment mode to 'r' (Relaxed) or 's' (Strict).

DKIM alignment mode

For DKIM this means that the domain used to create the signature (and provided through the d= parameter), should match the ‘From' header. In Relaxed mode authenticated DKIM signing domains (d=) that share an organizational domain with an emails ‘From' domain will pass the DMARC check. In strict mode an exact match is required in order to achieve alignment.

SPF alignment mode

For SPF this means that the ‘Return-Path' header should match the ‘From' header. In Relaxed mode authenticated SPF domains that share an organizational domain with an emails ‘From' domain will pass the DMARC check. In strict mode an exact match is required in order to achieve alignment.

Aggregate report email

With the rua tag you can decide where the DMARC aggregate reports are sent to.

Forensic feedback email

With the ruf tag you can decide where the DMARC forensic reports are sent to.

Determine the policy percentage

The percentage tag instructs ISPs to only apply the DMARC policy to a percentage of failing emails. 'pct=50' will instruct receivers to only apply the policy for 50% of the emails that fail the DMARC check. NOTE: this will not work for the 'none' policy, but only for the 'quarantine' or 'reject' policies.

100

% of the messages will be filtered. The policy percentage can be a number form 1 to 100. Default is 100 which is all messages.
Forensic options

The last option is to choose in which case you want to receive forensic reports. Please select one of the following options:

Publish your DMARC record into your DNS

Domain:

In order to start collecting DMARC data, you will need to publish your DMARC record it into your DNS. This way you will start receiving DMARC reports.

To start collecting DMARC data you need to publish the following DMARC record into your DNS record:


We have some setup guides based on frequently used registrars. Please select a registrar below to open the guide click here to view our default guide.


Selector Type Value / Data / Points to
_dmarc TXT

Copy DNS txt record

Click here for more information about how to publish a DMARC record.

p = none Monitoring only mode, this policy has no effect on email delivery. However you will receive the DMARC data from ISPs.

Multiple domains?

If you have multiple domains which you would like to analyze, simply add this DNS record to those domains.

You have successfully set up your own DMARC record!

Now that you have set up your DMARC record it should take effect soon. ISPs may cache the results of the DNS records for up to 72 hours.
This depends on the TTL of your DNS records). So be sure to use our DMARC checker to validate your record.

DMARC record Checker

Use the DMARC record checker in order to check your DMARC record. The DMARC record checker will tell you when there is something wrong with your DMARC record and how to fix the problem:


Please use our DKIM and SPF validators in order to check the policies for SPF and DKIM.
Your organization will have a stronger email authentication mechanism in place by implementing all three policies (DMARC, SPF and DKIM).