Everything you need to get started with OnlyDMARC and understand the DMARC ecosystem.
Get from zero to monitoring in under 10 minutes. Here's the full setup process.
Sign up at onlydmarc.com/signup. No credit card required for the 14-day trial. After signing up, add your first domain from the dashboard.
Once you've added a domain, we'll generate a unique email address for receiving DMARC aggregate reports. It will look like:
Add or update your DMARC DNS TXT record on _dmarc.yourdomain.com. If you don't have a DMARC record yet, start with p=none to monitor without affecting mail flow.
After updating your DNS, verify the record is live using the check tool in your dashboard, or run a DNS lookup:
Mailbox providers send aggregate reports once per day, typically overnight. You'll start seeing data within 24–48 hours. Google and Microsoft are usually first, followed by Yahoo and the rest.
A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. It tells mailbox providers what to do with messages that fail authentication, and where to send reports.
| Tag | Required | Description |
|---|---|---|
| v=DMARC1 | Yes | Protocol version identifier. Always DMARC1. |
| p= | Yes | Policy: none, quarantine, or reject. |
| rua= | Recommended | Aggregate report destination (your OnlyDMARC address). |
| pct= | No | Percentage of messages subject to policy (default 100). |
| adkim= | No | DKIM alignment mode: r (relaxed, default) or s (strict). |
| aspf= | No | SPF alignment mode: r (relaxed, default) or s (strict). |
| sp= | No | Subdomain policy. Inherits from p= if omitted. |
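
The tag table above can be turned into a pre-publication check. The following is an added example, not OnlyDMARC code: it parses a DMARC TXT value, applies the defaults listed in the table, and returns warnings for settings that weaken monitoring or enforcement. The function name, the warning texts, and the sample records are constructed for illustration.

```python
# Added example (not OnlyDMARC code): validate a DMARC TXT value against the tag table.
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> dict:
    """Return effective settings (defaults applied); raise ValueError if invalid."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed tag: {pair!r}")
        tags[name.strip().lower()] = value.strip()

    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    sub_policy = tags.get("sp", policy).lower()  # sp= inherits from p= if omitted
    if sub_policy not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")

    pct_raw = tags.get("pct", "100")  # default 100
    if not (pct_raw.isascii() and pct_raw.isdigit()) or int(pct_raw) > 100:
        raise ValueError("pct= must be an integer from 0 to 100")

    modes = {}
    for tag in ("adkim", "aspf"):
        modes[tag] = tags.get(tag, "r").lower()  # default relaxed
        if modes[tag] not in ("r", "s"):
            raise ValueError(f"{tag}= must be r or s")

    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    warnings = []
    if not rua:
        warnings.append("no rua=: aggregate reports will not be sent")
    if policy == "none":
        warnings.append("p=none: monitoring only, failing mail is still delivered")
    if int(pct_raw) < 100:
        warnings.append(f"pct={int(pct_raw)}: policy applies to part of failing mail")
    return {"p": policy, "sp": sub_policy, "pct": int(pct_raw),
            "adkim": modes["adkim"], "aspf": modes["aspf"],
            "rua": rua, "warnings": warnings}


# Constructed sample records (the report address is a placeholder).
MONITORING = "v=DMARC1; p=none; rua=mailto:reports@example.com"
ENFORCED = "v=DMARC1; p=reject; sp=quarantine; adkim=s; pct=50"
```
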
The OnlyDMARC REST API gives programmatic access to all your DMARC data. It's available on Professional and Enterprise plans.
All API requests must include your API token in the Authorization header:
OnlyDMARC includes a Model Context Protocol (MCP) server, allowing AI assistants like Claude to query your DMARC data directly.
MCP is an open standard that lets AI tools connect to external services. With the OnlyDMARC MCP server, you can ask questions like "What unknown sources are sending from example.com?" or "Show me all DMARC failures in the last 7 days" directly in your AI assistant.
A compact reference for the DMARC terms most often used in onboarding and support content.
| Term | Definition |
|---|---|
| DMARC | A DNS-published policy that ties SPF and DKIM to the visible From domain and adds reporting and enforcement instructions. Stands for Domain-based Message Authentication, Reporting and Conformance. |
| SPF | A DNS record listing the servers or IP addresses authorised to send email for a domain. Stands for Sender Policy Framework. |
| DKIM | A cryptographic signature attached to email headers, used to verify message integrity and sender authenticity. Stands for DomainKeys Identified Mail. |
| Alignment | The requirement that the SPF or DKIM authenticated domain matches the visible From domain. Alignment is what makes DMARC meaningful — without it, passing SPF or DKIM alone doesn't prevent spoofing. |
| RUA | Aggregate report destination. The email address where mailbox providers send daily XML DMARC aggregate reports. Set via the rua= tag in your DMARC record. |
| RUF | Failure-report destination for message-level forensic reports, where supported. These contain more detail but are sent by fewer providers due to privacy concerns. |
| p=none | Monitoring-only DMARC policy. Messages that fail authentication are not affected — they're delivered normally. Reports are still sent, giving you visibility without any risk to mail flow. The recommended starting point. |
| p=quarantine | Policy asking receivers to treat failures as suspicious, typically routing them to the spam/junk folder rather than the inbox. An intermediate step between monitoring and full enforcement. |
| p=reject | Policy asking receivers to block and discard messages that fail DMARC authentication outright. Full enforcement. Required by PCI DSS v4.0 and UK government policy. |
| BIMI | Brand Indicators for Message Identification. A standard allowing verified brand logos to appear next to email in supported inboxes (e.g. Gmail) when DMARC is enforced at p=quarantine or higher. |
| Relaxed alignment | The default alignment mode (adkim=r, aspf=r). Allows the authenticated domain to be a parent of the From domain (e.g. subdomain passes if the root domain matches). |
| Strict alignment | Strict alignment mode (adkim=s, aspf=s). The authenticated domain must exactly match the From domain. More secure, but can cause issues with subdomains. |
| pct= | The percentage of failing messages that the DMARC policy should be applied to. Useful for gradual rollout: start with pct=5 and increase as you gain confidence. Defaults to 100. |
| Disposition | The action taken on a message based on DMARC evaluation: none, quarantine, or reject. OnlyDMARC surfaces disposition in each source row. |
| HELO/EHLO | The hostname a mail server announces during the SMTP handshake. Used as one input in SPF evaluation and shown in DMARC reports as an additional signal for identifying sending infrastructure. |
| Envelope-from | The sender address used in the SMTP envelope (also called the Return-Path or bounce address). Used by SPF for authentication. Different from the visible From header. |
| Header-from | The visible From address shown to email recipients. This is the domain DMARC alignment is evaluated against. The most important domain from a spoofing perspective. |
| MCP | Model Context Protocol. An open standard for connecting AI assistants to external tools and services. OnlyDMARC's MCP server enables AI-assisted DMARC investigation. |
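
The Alignment, Relaxed alignment, Strict alignment, Envelope-from and Header-from entries above combine into a single DMARC verdict per message. The following is an added example, not OnlyDMARC code, showing why a message can pass SPF and DKIM yet still fail DMARC. It assumes the organizational domain is the last two labels of a name; real receivers use the Public Suffix List, and all domains and function names here are constructed.

```python
# Added example (not OnlyDMARC code): DMARC identifier alignment for one message.

def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption: real receivers consult the Public Suffix List (e.g. for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 's' requires an exact match; mode 'r' compares organizational domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def dmarc_result(header_from, spf_pass, envelope_from, dkim_pass, dkim_d,
                 adkim="r", aspf="r") -> str:
    """DMARC passes if SPF or DKIM both passes and aligns with the Header-from domain."""
    spf_ok = spf_pass and aligned(envelope_from, header_from, aspf)
    dkim_ok = dkim_pass and aligned(dkim_d, header_from, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def evaluate_samples() -> dict:
    """Constructed messages, all with a visible From domain under example.com."""
    return {
        # SPF and DKIM both pass, but for an unrelated domain: no alignment.
        "unaligned_sender": dmarc_result("example.com", True, "mailer.example.net",
                                         True, "mailer.example.net"),
        # SPF passes for a subdomain bounce address: aligned in relaxed mode.
        "relaxed_subdomain": dmarc_result("example.com", True,
                                          "bounce.mail.example.com", False, ""),
        # Same message under aspf=s: the subdomain no longer aligns.
        "strict_subdomain": dmarc_result("example.com", True,
                                         "bounce.mail.example.com", False, "",
                                         aspf="s"),
        # DKIM signed by the parent of the From domain: relaxed passes.
        "dkim_parent_relaxed": dmarc_result("news.example.com", False,
                                            "other.example.org", True, "example.com"),
    }
```
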
Example DMARC records for common scenarios.
DMARC defines three policy levels, each progressively stronger.
p=none
No action taken on failing messages. All mail delivered normally. Reports sent to your RUA address. Use this to understand your sending landscape before enforcing.
p=quarantine
Failing messages are treated as suspicious. Most receivers route them to spam/junk. A useful intermediate step while you're still resolving unknown senders.
p=reject
Failing messages are outright rejected and not delivered. The strongest protection against spoofing. Required by PCI DSS v4.0 and UK government policy.