How DMARCit works

DMARC monitoring, minus the raw XML

Connect a domain and DMARCit turns the aggregate reports Gmail, Microsoft, and Yahoo already send into named senders, an alignment trend, and one worklist.

Every major mailbox provider that receives mail claiming to be your domain writes a report about it: one XML file per receiver per day, zipped, mailed to whatever address your DMARC record names. Almost nobody reads them, because they arrive as attachments addressed to a mailbox nobody checks, in a format nobody wants to open.

DMARCit is the mailbox, the parser, and the analyst. You publish one DNS record. The reports route to us. You get named senders and next actions instead of XML. This page walks the whole product in the order you'll meet it, from setup to enforcement.

Step 1: Connect a domain

Setup is one DNS record. You add your domain, DMARCit reads its current SPF, DKIM, and DMARC posture from public DNS, and generates the exact TXT value to publish, with a rua= address that routes the reports to us. You paste it at your registrar. The product never writes DNS for you: every record on your domain is one you placed and can see.

After you publish, the product polls DNS until the record propagates, then confirms reporting is live. Most providers send their first aggregate report within 24 to 48 hours. If your domain already has a DMARC record, you keep it; adding a second rua= address alongside an existing one is standard and supported.

Nothing in this step changes how your mail flows. A p=none record is reporting-only: receivers keep delivering exactly as before and start telling you what they see.

Step 2: Reports land on our pipeline

The rua= address you published points at a receiving pipeline built on AWS SES. Each aggregate report that arrives gets unpacked (they come as .zip or .gz attachments), parsed from XML, deduplicated, and normalized into per-source rows: which IP sent mail as your domain, how many messages, and whether they passed SPF and DKIM alignment.

There's nothing to forward, upload, or remember. Once the record is live, ingestion runs continuously. The parsing engine is the same one behind our free report parser, so you can drop a single report into your browser and inspect exactly what we extract before you trust us with the stream.

Step 3: Read the dashboard

The dashboard answers three questions: is your legitimate mail aligned, who is sending as your domain, and what needs attention today.

The alignment trend shows your pass rate over the last 14, 30, and 90 days, with policy-override reasons (forwarded mail, mailing lists) separated out so a forwarder doesn't read as an attack. The per-sender breakdown shows each source's volume and whether it passes SPF alignment, DKIM alignment, or both. The source worklist holds every sender you haven't classified yet: you mark each one legitimate, unauthorized, forwarded, or needs-review. The marks are yours; the product doesn't pretend to know which sender is your CRM.

Alignment rate, last 14 days

Sample data

Alignment rate, 30 days

97.4%

Messages seen, 30 days

41,208

Sources needing review

1

SourceMessagesAlignmentYour mark
Google Workspace28,914SPF + DKIM alignedLegitimate
SendGrid9,730DKIM alignedLegitimate
Unknown VPS (203.0.113.24)312Fails bothNeeds review
The trend chart is the same component the product renders. The live demo has the full dashboard with a month of sample data.

The full dashboard, with a month of sample data for a fictional business, is public at /demo. No signup, nothing connected to a real domain.

Step 4: Alerts when posture changes

Monitoring only works if you don't have to remember to look. DMARCit watches the report stream and your DNS, and notifies you when something changes:

  • A sender you haven't marked shows up in your reports.
  • Alignment drops for a sender you marked legitimate.
  • Your DMARC or SPF record changes, breaks, or disappears.
  • Reports stop arriving, which usually means the record was edited or removed.

Every alert is written in plain English: what changed, which sender, and the next action. We never forward you the XML.

The tools, and where each one fits

Four free tools cover the moments when you need an answer once, without an account. Each maps to a spot in the workflow above.

  • DMARC checker: the first look. Run any domain and see its posture with a prioritized next step. It's the same check the product runs when you connect a domain in Step 1.
  • DMARC generator: starting from nothing. Build a valid TXT record with the policy and reporting addresses handled, the record Step 1 asks you to publish.
  • Report parser: one report, no account. Drop an aggregate report file in your browser and read it parsed, the same way Step 2 does continuously.
  • Bulk check: 25 domains in one screen, built for MSPs triaging a client book before deciding which domains to monitor.

All four live at /tools and stay free.

Where monitoring leads: enforcement

Everything above exists to answer one question with evidence: is it safe to tighten your policy. The alignment rates, source marks, and report history the dashboard collects are exactly what gates each move from p=none to p=quarantine to p=reject. The staged ladder, the readiness checklist, and the rollback plan have their own page: Enforcement readiness.

See it with your data or ours

The trial is free for 7 days and starts with the connect-a-domain flow above; first reports usually arrive within two days. The demo is the same dashboard loaded with a month of sample data, no signup.