Skip to main content

Free DMARC Monitoring Tool

Receive, analyze, and act on your DMARC aggregate reports

You publish a DMARC record, but do you really know what is happening? Legitimate services fail SPF or DKIM alignment. Third parties send mail on behalf of your domain without your consent. Without DMARC monitoring, you are flying blind. CaptainDNS receives your DMARC aggregate reports automatically, analyzes SPF and DKIM authentication results, and shows you exactly who is sending email for your domain, and whether they should be.

Sign in to manage your DMARC monitoring domains

Sign in to manage your DMARC monitoring domains
Intelligent setup wizard

The wizard detects your current DMARC record: no record, existing with rua=, or existing without. It generates the exact TXT record to create or update, preserving your policy (reject, quarantine, none).

Shared domain verification

One TXT record proves domain ownership across all CaptainDNS services: DMARC monitoring, MTA-STS hosting, TLS-RPT monitoring, and BIMI hosting.

SPF/DKIM compliance tracking

Track DMARC compliance scores, SPF and DKIM pass rates, identifier alignment, and applied dispositions by source. Identify misconfigured legitimate senders instantly.

Multi-provider report ingestion

Receive DMARC aggregate reports from Google, Microsoft, Yahoo, Apple, and any DMARC-compliant email provider via HTTPS and email. No restrictions on reporting sources.

Multi-domain management

Monitor DMARC reports for up to 5 domains from a single dashboard. Each domain has its own verified report collector and compliance metrics.

Why monitor DMARC reports?

DMARC (Domain-based Message Authentication, Reporting and Conformance, RFC 7489) is the email authentication standard that unifies SPF and DKIM to protect your domain from spoofing and phishing. But publishing a DMARC record is only the first step. Without ongoing monitoring, you don't know:

  • Which sources send mail on behalf of your domain
  • Whether your legitimate email flows pass SPF and DKIM checks with correct alignment
  • Whether unauthorized third parties are exploiting your domain for phishing or spam

Common issues detected through DMARC monitoring:

  • Misconfigured third-party senders: a CRM, newsletter platform, or billing system sends mail for your domain without proper SPF or DKIM alignment. Your emails land in spam or get rejected.
  • Domain spoofing and phishing: malicious actors forge your From address to send phishing emails. Without monitoring, you have no visibility into these attacks.
  • Incomplete email migrations: after switching email providers, the old service continues sending unaligned mail, dragging down your DMARC compliance rate.
  • Shadow IT email services: departments use email services you didn't authorize. DMARC reports reveal these unknown senders.

How DMARC authentication works

DMARC relies on two underlying protocols: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Each authenticates a different aspect of the email:

ProtocolWhat it checksHow it works
SPFEnvelope sender IPThe receiving server checks if the sender's IP is listed in the domain's SPF DNS record
DKIMMessage integrityA cryptographic signature in the email header is verified against a public key in DNS
DMARCIdentifier alignmentVerifies that at least one of SPF or DKIM passes and aligns with the From header domain

The key concept is alignment. SPF and DKIM can both pass, but if neither aligns with the domain in the From header, DMARC still fails. This is the most common source of authentication failures, and the main reason monitoring matters.

DMARC also defines what receiving servers should do when authentication fails: nothing (p=none), quarantine the message (p=quarantine), or reject it (p=reject).

How to set up DMARC monitoring in 3 steps

Step 1: Add your domain and verify ownership

Sign in and register the domain you want to monitor. Add the CaptainDNS verification TXT record to your DNS. This verification system is shared across all CaptainDNS services (MTA-STS hosting, TLS-RPT monitoring, BIMI hosting).

Step 2: Configure your DMARC DNS record

The setup wizard analyzes your current DNS state and proposes the exact record to publish:

  • No existing DMARC record: a complete record is generated with p=none and our rua= address
  • Existing DMARC record: your policy, alignment settings, and existing rua= addresses are preserved; our address is added automatically
  • Invalid existing record: the issue is flagged and a clean replacement is proposed

Just copy the host (_dmarc.yourdomain.com) and value, then paste them into your DNS provider.

Step 3: Reports are received and analyzed automatically

Email providers start sending aggregate reports within 24 to 48 hours. CaptainDNS ingests them, decompresses the XML, analyzes authentication results, and displays the findings in your dashboard: compliance scores, source IPs, pass/fail rates, and applied dispositions.

Understanding DMARC aggregate reports

DMARC aggregate reports (rua) are XML files sent periodically (typically every 24 hours) by email providers like Google, Microsoft, Yahoo, and Apple. They describe authentication results for every source that sent email using your domain during the reporting period.

RUA vs RUF: aggregate reports vs failure reports

DMARC defines two types of reports:

Report typeTagFrequencyContentProvider support
Aggregate (RUA)rua=Daily (typically every 24h)Summarized authentication data per source IPWidely supported by all major providers
Forensic (RUF)ruf=Per-failureIndividual message details including headersVery limited (most providers do not send RUF reports due to privacy concerns)

CaptainDNS focuses on aggregate reports (RUA), which provide the data needed for compliance tracking and source identification. Forensic reports are rarely available in practice.

What does a DMARC aggregate report contain?

FieldDescription
Reporting organizationThe email provider that generated the report (Google, Microsoft, Yahoo, etc.)
Date rangeStart and end timestamps of the reporting window
Published policyYour DMARC policy (none, quarantine, reject) and applied percentages
Results per source IPFor each sending IP: message count, SPF result, DKIM result, alignment status, disposition applied
Header identifiersHeader From domain and domains used for SPF and DKIM evaluation

Example of a DMARC aggregate report

Here is a simplified extract from a DMARC aggregate report in XML format:

<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <date_range>
      <begin>1710201600</begin>
      <end>1710288000</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.1</source_ip>
      <count>1547</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <row>
      <source_ip>198.51.100.42</source_ip>
      <count>23</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
  </record>
</feedback>

The first row shows 1,547 messages from a legitimate source passing both checks. The second row reveals 23 messages from an unknown IP failing both SPF and DKIM, a potential spoofing attempt. CaptainDNS parses these reports automatically and presents the data in your dashboard.

DMARC record tag reference

A DMARC TXT record is published at _dmarc.yourdomain.com. Here are the available tags:

TagRequiredExampleDescription
vYesv=DMARC1Protocol version (always DMARC1)
pYesp=nonePolicy for the domain: none, quarantine, or reject
spNosp=rejectPolicy for subdomains (inherits from p if not set)
ruaNorua=mailto:reports@example.comWhere to send aggregate reports
rufNoruf=mailto:forensics@example.comWhere to send failure reports
adkimNoadkim=sDKIM alignment mode: r (relaxed, default) or s (strict)
aspfNoaspf=rSPF alignment mode: r (relaxed, default) or s (strict)
pctNopct=50Percentage of messages subject to the policy (default 100)
foNofo=1Forensic report options: 0 (default), 1, d, s
riNori=86400Reporting interval in seconds (default 86400 = 24h)

Use our DMARC Generator to build a valid record, or the DMARC Syntax Checker to validate an existing one.

From monitoring to enforcement: the path to p=reject

DMARC is most effective at p=reject, where spoofed messages are discarded entirely. But moving directly to reject without monitoring is dangerous: legitimate senders with misconfigured authentication will have their mail blocked.

Recommended progression:

  1. p=none (monitoring only): collect reports for 2 to 4 weeks. Identify all legitimate sources and fix any SPF/DKIM alignment issues. Target: 95%+ compliance rate.

  2. p=quarantine (partial enforcement): failed messages are sent to spam instead of the inbox. Use pct=25 initially, then increase to 50% and 100% over 2 to 4 weeks. Monitor for legitimate mail being quarantined.

  3. p=reject (full enforcement): failed messages are discarded. Domain spoofing is fully blocked. Start with pct=25, then ramp to 100%.

Timeline: Most organizations complete this journey in 4 to 8 weeks. Do not rush. Each stage should confirm that no legitimate email flow is impacted.

Reaching p=reject also unlocks BIMI (Brand Indicators for Message Identification), which displays your brand logo next to your emails in supporting inboxes.

Google and Yahoo DMARC requirements

Since February 2024, Google and Yahoo enforce stricter email authentication requirements for bulk senders (5,000+ messages per day to Gmail or Yahoo addresses):

  • DMARC record required: bulk senders must publish a DMARC record with at least p=none
  • SPF and DKIM required: both protocols must be configured, not just one
  • Alignment required: the From header domain must align with either SPF or DKIM
  • One-click unsubscribe: marketing emails must support RFC 8058 one-click unsubscribe

DMARC monitoring is essential to meet these requirements. Without it, you cannot verify that your email sources pass authentication checks or maintain the required compliance rate. Non-compliant senders risk having their email throttled or rejected by Google and Yahoo.

Common DMARC failures and how to fix them

FailureCauseFix
SPF alignment failsEnvelope sender domain differs from From header domainConfigure the third-party service to use your domain as the envelope sender, or add their sending IPs to your SPF record
DKIM alignment failsDKIM signature uses a different domain than the From headerConfigure DKIM signing with your domain (not the provider's default domain)
SPF exceeds DNS lookup limitSPF record has more than 10 DNS lookupsFlatten your SPF record or remove unused includes. Use our SPF Syntax Checker
Third-party sender fails bothService sends on your behalf without SPF or DKIMAdd the service's IPs to your SPF record and configure DKIM signing
Subdomain spoofingAttackers use subdomains you haven't protectedAdd sp=reject to your DMARC record to apply the reject policy to all subdomains
Forwarded mail failsMail forwarding breaks SPF; DKIM survives if the body is unchangedEnsure DKIM is configured, it survives forwarding. Consider ARC (Authenticated Received Chain) support

Real-world use cases

Case 1: Identifying a misconfigured third-party service

Symptom: DMARC compliance rate drops from 98% to 72% over one week.

Diagnosis: The dashboard shows a new source IP sending significant volume without DKIM alignment. It turns out to be the new marketing CRM, configured without a DKIM signature for your domain.

Action: Configure DKIM signing in the CRM. Compliance rate recovers in subsequent reports.

Case 2: Detecting domain spoofing

Symptom: Unknown source IPs appear in the reports, sending mail on behalf of your domain with complete SPF and DKIM failure.

Diagnosis: DMARC reports reveal phishing attempts from servers in suspicious jurisdictions. Your p=none policy lets these messages through.

Action: Progressively move your policy from p=none to p=quarantine then p=reject. Subsequent reports confirm fraudulent messages are being rejected.

Case 3: Meeting Google bulk sender requirements

Symptom: Gmail starts deferring your marketing emails with temporary 4xx errors. Delivery rates drop.

Diagnosis: DMARC monitoring shows that your newsletter platform sends mail without DKIM alignment to the From header domain. Google's bulk sender policy requires authentication compliance.

Action: Configure DKIM signing for your domain in the newsletter platform and verify alignment through DMARC reports. Delivery rates return to normal within days.

FAQ - Frequently asked questions

Q: What is DMARC monitoring?

A: DMARC monitoring means receiving and analyzing the aggregate reports (rua) sent by email providers. These reports show which sources send mail on behalf of your domain and whether they pass SPF and DKIM checks with correct alignment.

Q: What is the difference between DMARC aggregate reports (RUA) and failure reports (RUF)?

A: Aggregate reports (rua) are sent daily and contain summarized authentication data per source IP. Failure reports (ruf) are sent for individual message failures and contain more detail including message headers. Most providers only send aggregate reports. CaptainDNS focuses on aggregate report analysis.

Q: How does DMARC work with SPF and DKIM?

A: DMARC builds on SPF and DKIM by adding identifier alignment. SPF validates the envelope sender IP, DKIM validates a cryptographic signature, and DMARC checks that at least one passes with alignment to the From header domain. Monitoring reveals when alignment fails.

Q: What DMARC policy should I start with?

A: Start with p=none to monitor without affecting mail delivery. Once your DMARC compliance rate is consistently above 95%, move to p=quarantine. After confirming no legitimate mail is impacted, set p=reject for full spoofing protection.

Q: How do I set up DMARC monitoring?

A: Add your domain in CaptainDNS, verify ownership via the TXT record, then follow the setup wizard that detects your current DMARC record and proposes the exact update needed. Reports start arriving within 24 to 48 hours.

Q: Is DMARC monitoring free with CaptainDNS?

A: Yes, completely free for up to 5 domains. No hidden fees, no trial period. Every domain should be able to monitor its DMARC aggregate reports regardless of budget.

Q: Do Google and Yahoo require DMARC?

A: Yes. Since February 2024, Google and Yahoo require bulk senders (5,000+ messages per day) to publish a DMARC record. Monitoring helps you meet and maintain these requirements by tracking authentication compliance.

Q: What happens if I set my DMARC policy to reject?

A: With p=reject, receiving servers discard messages that fail both SPF and DKIM alignment. This fully prevents domain spoofing but can block legitimate mail if third-party senders are not properly configured. Always monitor first with p=none.

Q: How long does it take to receive DMARC reports?

A: Most email providers send aggregate reports every 24 hours. After publishing your rua= address, expect the first reports within 24 to 48 hours depending on your email volume.

Q: What is the relationship between DMARC monitoring and a DMARC record?

A: The DMARC record defines your authentication policy (none, quarantine, reject) and the rua= tag specifies where to send reports. DMARC monitoring analyzes those reports to show you who is using your domain and whether authentication is working correctly.

Complementary tools

ToolPurpose
DMARC Record CheckCheck your domain's DMARC DNS record
DMARC GeneratorGenerate a DMARC DNS record
DMARC Syntax CheckValidate DMARC record syntax
SPF Record CheckCheck your SPF DNS record
DKIM Record CheckCheck your DKIM DNS record
MTA-STS HostingHost your MTA-STS policy for free
TLS-RPT MonitoringMonitor SMTP TLS reports
BIMI HostingHost your BIMI logo and certificate for free

Useful resources