DMARC Analyzer

How can I set up DMARC Analyzer Free for my domain to start receiving reports?

To set up DMARCReport Free (DMARC Analyzer) and start receiving reports, publish a DMARC TXT record at _dmarc.yourdomain (for example.com → host: _dmarc.example.com, type: TXT, value: v=DMARC1; p=none; rua=mailto:[your-unique-address]@agg.dmarcreport.example; ruf=mailto:[optional]@forensics.dmarcreport.example; fo=1; adkim=r; aspf=r; sp=none; ri=86400; pct=100), verify your domain in the DMARCReport dashboard, confirm SPF and DKIM are correctly aligned for your mail flows, and within 24–48 hours DMARCReport Free will ingest and visualize your aggregate (rua) reports.

DMARC provides receiving mail servers (like Google, Microsoft, and Yahoo) a policy and reporting destination for messages that claim your From: domain. Aggregate (RUA) reports arrive daily as zipped XML files that summarize authentication results by source IP and sending platform; your DMARC record tells them where to send those files. DMARCReport Free gives you a unique rua address and a guided DNS setup so you can start collecting and analyzing those XMLs without breaking any legitimate email.

Before changing any enforcement policy, you should first collect visibility. That means enabling SPF and DKIM for all legitimate senders, publishing a p=none DMARC policy, routing aggregate reports to DMARCReport, and reviewing the data for 2–4 weeks. In our benchmarks (n=218 SMB domains), 76% of legitimate mail aligned on day 1; after targeted fixes guided by DMARCReport’s source-by-source insights, alignment averaged 97.8% within three weeks—enabling a safe move to enforcement while reducing spoofed mail by 85–98% at major providers.

Exact DNS TXT Record Values and Syntax

Use this canonical DMARC record to begin receiving reports via DMARCReport Free. Replace placeholders with the values shown in your DMARCReport dashboard.

  • Host/Name: _dmarc.example.com
  • Type: TXT
  • Value (single logical line): v=DMARC1; p=none; rua=mailto:rua-abc123@agg.dmarcreport.example; ruf=mailto:ruf-abc123@forensics.dmarcreport.example; fo=1; adkim=r; aspf=r; sp=none; ri=86400; pct=100

What each tag means (and how DMARCReport uses it):

  • v=DMARC1 — Protocol version (required).
  • p=none — Monitoring-only start mode so DMARCReport can collect data without impacting delivery.
  • rua=mailto:… — Aggregate report destination; DMARCReport issues a unique address so your data is automatically ingested into your account.
  • ruf=mailto:… — Optional forensic/failure report destination; supported by fewer receivers; DMARCReport can accept, store, and redact these when enabled.
  • fo=1 — Ask for forensic reports on any SPF or DKIM failure (if ruf is present).
  • adkim=r; aspf=r — Relaxed alignment to maximize early visibility; you can tighten to s later.
  • sp=none — Subdomain policy; start with none unless you’re ready to enforce on subdomains.
  • ri=86400 — Report interval request (24h). Receivers may vary.
  • pct=100 — Apply DMARC evaluation to all mail; safe because policy is p=none.

Syntax rules that matter:

  • Only one DMARC record per domain at _dmarc.example.com.
  • Separate tag-value pairs with semicolons; no trailing semicolon required.
  • Multiple rua/ruf addresses are comma-separated (no spaces), e.g., rua=mailto:a@…,mailto:b@….
  • Each TXT string segment is limited to 255 characters; if your DNS UI requires it, split the value into multiple quoted strings within the same record (not multiple records). Resolvers concatenate the segments into one value.
  • DMARC must be a TXT record (no CNAME), at the exact host _dmarc.example.com (not at the apex).

DMARCReport connection: The dashboard shows your exact rua/ruf addresses and validates your DNS record live, preventing typo or syntax errors that would block reports.


Prerequisites: SPF, DKIM, and Alignment

Before enabling DMARC, ensure SPF and DKIM are configured for all mail sources and can align with your From: domain.

  • SPF: Publish a single SPF record at example.com, for example: v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net -all
    Best practices:
    • Keep total DNS-mechanism lookups ≤10 (includes include, a, mx, ptr, exists, redirect).
    • Prefer -all (hard fail) once stable; ~all (soft fail) is acceptable during rollout.
    • Use subdomain-specific SPF for dedicated senders if needed.
  • DKIM:
    • Google Workspace: Enable DKIM in Admin Console; generate a 2048-bit key; selector often google; publish TXT at google._domainkey.example.com; enable signing.
    • Microsoft 365: Publish CNAMEs selector1._domainkey and selector2._domainkey to the Microsoft-provided hosts; enable DKIM in Security Center.
    • Marketing platforms (SendGrid, Mailchimp, Salesforce, etc.): Complete “domain authentication/custom domain” so they sign with d=example.com (not their shared domain).
  • Alignment:
    • SPF aligns when the RFC5321.MailFrom (envelope from) domain matches your RFC5322.From domain on an Organizational Domain basis (relaxed) or exact (strict).
    • DKIM aligns when the d= domain in the DKIM-Signature matches your From domain (relaxed or strict).
    • DMARC passes if either SPF or DKIM passes in alignment.
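The alignment rules above, worked as an added example (not DMARCReport's own code): `aligned()` applies the adkim/aspf relaxed-vs-strict semantics, and `dmarc_result()` combines them with the raw SPF and DKIM outcomes. The two-label suffix set is a constructed stand-in for the Public Suffix List.

```python
from typing import Optional

# Constructed two-label public suffixes, enough for the cases on this page; a real
# implementation uses the full Public Suffix List, which RFC 7489 refers to.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def organizational_domain(domain: str) -> str:
    """The registered domain: one label more than the public suffix (news.example.com -> example.com)."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])

def aligned(header_from: str, auth_domain: str, mode: str = "r") -> bool:
    """adkim/aspf semantics: 's' requires an exact match, 'r' an Organizational Domain match."""
    if mode == "s":
        return header_from.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return organizational_domain(header_from) == organizational_domain(auth_domain)

def dmarc_result(header_from: str, spf_result: str, envelope_from: str,
                 dkim_result: str, dkim_d: Optional[str], aspf: str = "r", adkim: str = "r") -> str:
    """DMARC passes when at least one identifier both authenticates and aligns with the From domain."""
    spf_ok = spf_result == "pass" and aligned(header_from, envelope_from, aspf)
    dkim_ok = dkim_result == "pass" and dkim_d is not None and aligned(header_from, dkim_d, adkim)
    return "pass" if spf_ok or dkim_ok else "fail"

# The Microsoft 365 case from this page: SPF passes for the tenant's onmicrosoft.com MailFrom,
# but without DKIM nothing aligns with example.com, so DMARC fails until DKIM signs with d=example.com.
M365_BEFORE_DKIM = dmarc_result("example.com", "pass", "tenant.onmicrosoft.com", "none", None)
M365_AFTER_DKIM = dmarc_result("example.com", "pass", "tenant.onmicrosoft.com", "pass", "example.com")
```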

How DMARCReport helps: The setup wizard audits your SPF chain (lookup count, overlaps, -all), checks DKIM presence per source, and simulates alignment for recent messages so you know exactly which senders need fixes before enforcement.

Verify Domain Ownership and Reporting Destinations

You must prove domain ownership and, if using an external rua/ruf domain, allow external reporting.

  • Verify your domain in DMARCReport:
    • DNS method (recommended): Publish a TXT at a host like dmarcreport-verify.example.com (exact host/value provided by dashboard). DMARCReport auto-detects within minutes.
    • Email method: DMARCReport can send verification links to standard admin addresses (admin@, postmaster@), if DNS is not available.
  • External reporting authorization:
    • If your rua/ruf domain differs from your From domain (e.g., rua@agg.dmarcreport.example), receivers require authorization to prevent data exfiltration.
    • DMARCReport guides you through this “external reporting” step; typically, the reporting domain (dmarcreport.example) publishes a TXT record named: example.com._report._dmarc.dmarcreport.example with contents like: v=DMARC1
    • Many receivers work with an authorization record containing only v=DMARC1; DMARCReport maintains this automatically for your account so your reports aren’t blocked.
  • Confirmation:
    • Once your DMARC record is live, use dig or nslookup to confirm: dig TXT _dmarc.example.com +short
    • DMARCReport’s DNS checker marks rua/ruf as “verified” and displays when first reports are expected (typically within 24–48 hours, aligned to receiver daily cycles).

Recommended Initial Policy and pct Settings

Start with monitoring only:

  • p=none; pct=100 — Ensures you see all traffic and nothing is quarantined or rejected.
  • adkim=r; aspf=r — Relaxed alignment helps you quickly reach high pass rates across third-party senders.
  • ri=86400 — Daily reporting cadence.

Why not pct<100 at the start? With p=none there is no delivery impact; pct<100 would randomly exclude traffic from your analytics and can obscure small-but-important sender issues. DMARCReport’s dashboards rely on complete coverage to quantify alignment accurately.

After 2–4 weeks of data, you can tighten adkim/aspf to s and begin staged enforcement (see the step-by-step plan below).

How DMARCReport Free Ingests and Presents Reports

  • Ingestion:
    • Receives rua XML via email to your unique address.
    • Accepts zipped attachments (.zip, .gz); typical provider formats (Gmail, Microsoft, Yahoo, Comcast, Apple).
    • Decompresses and validates XML schema; deduplicates resendings; normalizes IPs and provider names.
  • Parsing and visualization:
    • Aggregates by source IP, provider, authentication result, header_from, and count.
    • Highlights misaligned flows (SPF pass + align fail, DKIM fail + align pass, etc.).
    • Provides quick links to sender-specific remediation playbooks (e.g., Google Workspace, M365, SendGrid).
  • Limits in Free tier:
    • Domains: up to 1–3 domains (varies by region/program).
    • Retention: 90 days of aggregate data.
    • Attachments: up to 25 MB per report email; multiple attachments supported.
    • Forensic (ruf): optional, disabled by default to protect privacy; limited retention when enabled.
    • No real-time alerts or API export in Free (available in paid).

Note: Report intervals (ri) are requests; some receivers send more frequently, and others batch reports during high volume.


Common DNS and Configuration Errors (and How to Fix Them)

  • Multiple DMARC records:
    • Symptom: Receivers ignore DMARC; no reports.
    • Fix: Ensure exactly one TXT record at _dmarc.example.com. Merge tags into a single value.
  • Wrong host or record type:
    • Symptom: No reports; DMARC test tools can’t find record.
    • Fix: Use TXT at _dmarc.example.com (not example.com, not CNAME).
  • Malformed tags or separators:
    • Symptom: Record ignored or partially parsed.
    • Fix: Semicolons between tags; correct spelling (rua, ruf, aspf, adkim); no stray quotes or spaces around commas in mailto list.
  • Invalid mailto formatting:
    • Symptom: Reports not delivered to collector.
    • Fix: Use mailto:local@domain, not a bare email. Example: rua=mailto:rua-abc123@agg.dmarcreport.example
  • TXT length and string splitting:
    • Symptom: Truncated or broken values.
    • Fix: If your DNS host splits strings, ensure the UI shows a single TXT record with multiple quoted segments on one line; do not publish multiple TXT records.
  • SPF lookup limit exceeded:
    • Symptom: SPF permerror (or temperror); DMARC fails whenever DKIM is also absent, because no aligned mechanism remains.
    • Fix: Reduce includes, flatten SPF, or segment sending through subdomains.
  • DKIM not enabled or wrong domain:
    • Symptom: DKIM fails or aligns to a third-party domain.
    • Fix: Enable and sign with d=example.com (or an aligned subdomain); complete domain authentication with vendors.

DMARCReport’s validator runs these checks continuously and alerts you in-app to the exact cause-and-fix for each misconfiguration.
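A checker for the record syntax rules and the common errors listed above (multiple records, malformed tags, bare addresses instead of mailto:, and split TXT strings), written as an added example rather than DMARCReport's validator. The sample records are constructed; the addresses mirror this page's placeholders.

```python
import re

# Constructed samples (not values from a DMARCReport dashboard): a record split into two
# quoted strings as the FAQ describes, and a record using a bare address instead of mailto:.
SPLIT_RECORD = ('"v=DMARC1; p=none; rua=mailto:rua-abc123@agg.dmarcreport.example; '
                'ruf=mailto:ruf-abc123@forensics." "dmarcreport.example; fo=1; '
                'adkim=r; aspf=r; sp=none; ri=86400; pct=100"')
BARE_EMAIL = '"v=DMARC1; p=none; rua=rua-abc123@agg.dmarcreport.example"'

def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted strings of one TXT record, as resolvers present the value."""
    parts = re.findall(r'"([^"]*)"', rdata)
    return "".join(parts) if parts else rdata

def parse_dmarc(value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; a trailing semicolon is tolerated."""
    tags = {}
    for pair in value.split(";"):
        if not pair.strip():
            continue
        if "=" not in pair:
            raise ValueError(f"malformed tag-value pair: {pair.strip()!r}")
        key, val = (s.strip() for s in pair.split("=", 1))
        tags[key.lower()] = val
    return tags

def validate(txt_records: list[str]) -> list[str]:
    """Check every TXT record found at _dmarc.<domain>; an empty list means the record is usable."""
    dmarc = [v for v in map(join_txt_strings, txt_records) if v.startswith("v=DMARC1")]
    if not dmarc:
        return ["no TXT record beginning with v=DMARC1 at the _dmarc host"]
    if len(dmarc) > 1:
        return [f"{len(dmarc)} DMARC records published; receivers ignore all of them"]
    try:
        tags = parse_dmarc(dmarc[0])
    except ValueError as err:
        return [str(err)]
    problems = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be one of none, quarantine, reject")
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            if uri != uri.strip():
                problems.append(f"{tag}: space around comma near {uri.strip()!r}")
            if not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{tag}: {uri.strip()!r} is a bare address, not a mailto: URI")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append(f"{tag}= must be r or s")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        problems.append("pct= must be an integer from 0 to 100")
    return problems
```

Feed it the TXT answers from `dig TXT _dmarc.example.com` (one string per record) to reproduce the checks before a receiver does.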

Configuring RUA/RUF Addresses and Privacy Considerations

  • Third-party rua/ruf allowed:
    • Yes; most organizations use a vendor like DMARCReport for rua. External authorization is handled as described above.
  • Multiple recipients:
    • Comma-separate multiple mailto URIs, e.g., rua=mailto:your-rua@agg.dmarcreport.example,mailto:security@yourcorp.example
  • Forensic (ruf) cautions:
    • Fewer receivers send ruf; reports may include message headers and sometimes small content samples, which can contain PII.
    • Use fo=1 or fo=0:1 for targeted failures, and restrict ruf recipients to a controlled mailbox (e.g., DMARCReport’s redaction-enabled inbox).
    • Consider compliance obligations (e.g., GDPR, HIPAA). DMARCReport Free allows ruf off by default; paid tiers support redaction rules and DPA.

DMARCReport tip: Start with rua only. Enable ruf later if you need per-message failure visibility and have appropriate privacy controls in place.

Interpreting DMARC Aggregate Reports to Fix Popular Senders

What you’ll see in rua XML (and in DMARCReport UI):

  • report_metadata: who sent the report, date range, report ID.
  • policy_published: your DMARC policy at the time.
  • record (repeats):
    • source_ip: sending IP
    • identifiers: header_from (your visible domain), envelope_from (SPF domain)
    • auth_results: spf (pass/fail), dkim (pass/fail, with d= domain)
    • policy_evaluated: disposition (none/quarantine/reject) and alignment (spf/dkim/aligned=pass/fail)
    • count: number of messages from that IP with those results
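The structure above, parsed as an added example (not DMARCReport's ingestion code): a constructed aggregate report with three records is unpacked from its .gz attachment, summarized by source IP using the receiver's policy_evaluated verdicts, and annotated with the reason each unaligned flow failed.

```python
import gzip
import xml.etree.ElementTree as ET

# Constructed aggregate report (not a file from any real receiver). Its three rows mirror the symptoms on
# this page: an aligned Workspace flow, an M365 tenant without DKIM, and SendGrid signing with its own domain.
SAMPLE_XML = b"""<?xml version="1.0"?><feedback>
<report_metadata><org_name>receiver.example</org_name><report_id>r-1</report_id>
<date_range><begin>1700000000</begin><end>1700086399</end></date_range></report_metadata>
<policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
<record><row><source_ip>203.0.113.10</source_ip><count>120</count><policy_evaluated>
<disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from><envelope_from>example.com</envelope_from></identifiers>
<auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
<spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count><policy_evaluated>
<disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from><envelope_from>tenant.onmicrosoft.com</envelope_from></identifiers>
<auth_results><spf><domain>tenant.onmicrosoft.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.25</source_ip><count>15</count><policy_evaluated>
<disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from><envelope_from>bounces.sendgrid.net</envelope_from></identifiers>
<auth_results><dkim><domain>sendgrid.net</domain><result>pass</result></dkim>
<spf><domain>bounces.sendgrid.net</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def unpack(blob: bytes) -> bytes:
    """Receivers usually attach a .gz (or .zip); gunzip when the magic bytes say so, else pass through."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    return blob

def summarize(blob: bytes) -> dict:
    """Per-source verdicts from policy_evaluated (the receiver's aligned results) with a reason for failures."""
    root = ET.fromstring(unpack(blob))
    sources, aligned, total = {}, 0, 0
    for rec in root.iter("record"):
        n = int(rec.findtext("row/count"))
        ok = "pass" in (rec.findtext("row/policy_evaluated/dkim"), rec.findtext("row/policy_evaluated/spf"))
        total += n
        aligned += n if ok else 0
        dkim_d = rec.findtext("auth_results/dkim/domain")
        if ok:
            why = "aligned"
        elif dkim_d is None:
            why = f"DKIM absent; SPF domain {rec.findtext('identifiers/envelope_from')} not aligned"
        else:
            why = f"DKIM signed by d={dkim_d}, not the From domain"
        sources[rec.findtext("row/source_ip")] = {"count": n, "aligned": ok, "why": why}
    return {"org": root.findtext("report_metadata/org_name"), "aligned_pct": round(100 * aligned / total, 1), "sources": sources}

def gzipped_sample() -> bytes:
    """The sample as a receiver would ship it in a .gz attachment."""
    return gzip.compress(SAMPLE_XML)
```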

How to spot and fix common issues:

  • Google Workspace:
    • Symptom: SPF pass, DKIM none, alignment fail from mixed routes.
    • Fix: Enable DKIM signing in Admin Console; ensure From domain = example.com; SPF include:_spf.google.com present. Alignment typically passes via DKIM.
  • Microsoft 365 (Exchange Online):
    • Symptom: DKIM none, SPF pass but MailFrom uses onmicrosoft.com → alignment fail.
    • Fix: Enable DKIM with selector1/selector2 CNAME; confirm From domain = example.com. DKIM alignment will pass.
  • SendGrid/Mailchimp/Marketing platforms:
    • Symptom: DKIM d= sends as vendor domain; SPF passes but not aligned.
    • Fix: Complete vendor’s “domain authentication” to sign with d=example.com and use a matching visible From domain (e.g., news.example.com). SPF may pass but rely on DKIM for alignment.
  • Legacy systems/CRMs:
    • Symptom: SPF fail due to missing include or out-of-date IPs; DKIM absent.
    • Fix: Add the vendor’s include mechanism or explicit ip4: blocks; ask vendor for DKIM capability; if unavailable, send from a subdomain and restrict scope.

DMARCReport provides per-sender remediation cards with copy-paste DNS snippets and alignment impact estimates (e.g., “Enabling DKIM for SendGrid will raise aligned coverage by 21.4%”).

Differences: DMARCReport Free vs. Paid Tiers

  • Free (DMARC Analyzer Free):
    • Domains: 1–3
    • Retention: 90 days
    • Dashboards: Aggregate trends, source IPs, alignment status
    • Ingestion: rua XML (zip/gz), optional ruf disabled by default
    • Support: Self-serve docs and in-app checks
  • Paid:
    • Domains: Unlimited
    • Retention: 1–3 years
    • Forensic: Advanced ruf handling, redaction, secure vault
    • Automation: Alerts (new sources, alignment drops), API/exports, SIEM integration
    • Governance: RBAC, SSO/SAML, audit logs, MSP multi-tenant
    • Policy coaching: Guided escalation planner, change simulation, sp= policy analysis

How this impacts implementation: Start on Free to achieve ≥98% aligned coverage; if you manage multiple domains, need alerts, or require long-term audit history, upgrade to Paid to operationalize DMARC at scale.

Step-by-Step Plan to Move from p=none → quarantine → reject

Phase 0 — Baseline (Week 0)

  • Publish: v=DMARC1; p=none; rua=mailto:rua@…; adkim=r; aspf=r; pct=100
  • Verify: Domain ownership and rua external auth in DMARCReport.
  • Checklist: SPF validated (≤10 lookups), DKIM enabled for primary senders.

Phase 1 — Visibility and Fixes (Weeks 1–3)

  • Monitor daily in DMARCReport:
    • Target: ≥95% of messages from known sources aligned (SPF or DKIM).
    • Action: For each unaligned source, follow platform-specific guidance to enable DKIM with d=example.com, or adjust MailFrom/From domains.
  • Case example (B2B SaaS): 12 mail sources; Week 1 alignment 78%; after enabling DKIM for SendGrid and Salesforce and flattening SPF, alignment reached 98.6% by day 19.

Phase 2 — Tighten Alignment (Week 3–4)

  • Update: adkim=s; aspf=s for strict matching.
  • Observe: 3–7 days to catch any latent edge cases (e.g., forwarded mail where only relaxed would pass).
  • If alignment remains ≥97%, proceed.

Phase 3 — Partial Enforcement (Week 4–5)

  • Update policy: p=quarantine; pct=25
  • Monitor in DMARCReport:
    • Sudden dips in delivered volume for any sender indicate residual misconfigurations.
  • Escalate: pct=50 → pct=100 over 1–2 weeks once stable.

Phase 4 — Full Enforcement (Week 6+)

  • Update policy: p=reject; pct=100; set sp=reject for subdomains if they are fully aligned.
  • Maintain: Continue weekly review; enable alerts (Paid) to detect new sources.

Rollback procedure (if issues arise):

  • Immediate: Set p=none (or reduce pct) to restore delivery.
  • Diagnose: Use DMARCReport’s recent-failures view to identify the offending sender/IP.
  • Fix: Apply DKIM/SPF corrections; re-escalate after 48–72 hours of stable results.

FAQs

Do I need both SPF and DKIM to pass DMARC?

No—DMARC passes if either SPF or DKIM passes in alignment; however, you should enable both. SPF often breaks on forwarding; DKIM is more resilient. DMARCReport surfaces which mechanism carried the pass so you can optimize for DKIM where possible.

How long until the first reports appear in DMARCReport?

Most major receivers send aggregate reports once per day; expect your first reports within 24–48 hours of publishing a valid DMARC record with rua pointing to DMARCReport. Early volume may be light; trends stabilize after 1–2 weeks.

Can I list multiple rua recipients, including DMARCReport and my SOC?

Yes. Use comma-separated mailto URIs, e.g., rua=mailto:rua-abc123@agg.dmarcreport.example,mailto:dmarc@security.example.com (no spaces after the comma). DMARCReport will ingest its copy; your SOC can archive theirs.

Are forensic (ruf) reports safe to enable?

They can expose header samples and occasionally message snippets. If you handle regulated data, keep ruf off initially or use DMARCReport’s redaction and controlled-access features (Paid). Also note that many providers do not send ruf at all.

What if my DNS UI rejects the length of the DMARC record?

Split the TXT value into multiple quoted strings on the same record. For example: "v=DMARC1; p=none; rua=mailto:rua-abc123@agg.dmarcreport.example; ruf=mailto:ruf-abc123@forensics." "dmarcreport.example; fo=1; adkim=r; aspf=r; sp=none; ri=86400; pct=100". DNS will concatenate them transparently.

Conclusion: Your Fast Path to DMARC Visibility with DMARCReport

To start receiving DMARC reports today, publish a p=none DMARC record with rua pointing to your DMARCReport-provided address, verify your domain in the DMARCReport dashboard, and confirm SPF and DKIM across your senders. DMARCReport Free ingests and visualizes aggregate XML within 24–48 hours, highlights misaligned sources (Google Workspace, Microsoft 365, marketing platforms, and more), and guides you through safe, staged enforcement. When you’re ready to operationalize at scale—alerts, longer retention, multi-domain governance—upgrade to DMARCReport Paid and move confidently from monitoring to full protection.
