FAQ · dmarc-record.de

Frequently asked questions about DMARC.

Direct answers to the questions we're asked most often, about DMARC, monitoring, the Taskforce and GDPR-compliant data storage.

01

Basics.

What DMARC is, how it works together with SPF and DKIM, and what the policy levels mean.

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is an email authentication protocol that defines what happens to emails that claim to come from your domain but cannot be proven to. DMARC builds on SPF and DKIM and adds a policy layer: deliver, move to spam or reject.

Detailed explanation: What is DMARC?

The three DMARC policy levels define what happens to non-authenticated emails. p=none means: nothing is blocked, you only get reports. p=quarantine means: suspicious emails land in the spam folder. p=reject means: suspicious emails are fully rejected and never arrive. p=reject is the protection goal, but the path there requires preparation.

The three policy levels explained

Yes, and ideally both. DMARC needs at least one of the two mechanisms (SPF or DKIM) configured correctly and aligned with your sender domain. The recommendation is still to set up both: DKIM survives forwarding, SPF works independently of the mail content. In practice this means: setting up DMARC is the first step, but all sending systems must be correctly aligned in either SPF or DKIM.

SPF, DKIM and DMARC: the interplay

Delivery rate describes the share of sent emails that actually reach the recipient, split into two levels. Technical delivery: Whether the email reaches the recipient's mail server at all; it can fail, for example, due to blacklisting or p=reject. Inbox placement: Whether the email lands in the inbox and not in spam; the mailbox provider decides this based on the domain's sender reputation. DMARC primarily affects technical delivery. Inbox placement improves over the long term through a clean, consistent DMARC configuration, but DMARC is not a spam filter.

Analyze delivery problems: check DMARC record

Indirectly yes, but not directly. DMARC ensures that legitimate emails which correctly pass SPF and DKIM are not wrongly rejected. Whether an email lands in the inbox or in spam is decided by the mailbox provider based on sender reputation, which is positively influenced by a long-term clean DMARC configuration. Anyone with poor inbox placement rates after setting up DMARC usually has a reputation problem that exists independently of DMARC.

Analyze delivery problems: check DMARC record

Alignment means that the domain in the Fromheader of an email matches the domain authenticated by SPF or DKIM. Only when this alignment is correct does an email count as DMARC-compliant. There are two modes: relaxed (subdomains are allowed) and strict (exact match required). Alignment is the heart of DMARC, and one of the most common configuration mistakes.

Technical basics: What is DMARC?

RUA stands for Reporting URI for Aggregate reports. This is the email address to which mailbox providers send their DMARC aggregate reports daily. Without an RUA address you get no reports and can't see who sends emails in your name. The RUA address is entered directly in the DMARC record.

Read and understand DMARC reports

Mailbox providers typically send aggregate reports once a day. After setting a new DMARC record, it usually takes 24–48 hours for the first reports to arrive, depending on when and how much email traffic runs over your domain.

Aggregate reports (rua) arrive once a day and contain statistical data about all emails sent in your domain's name: IP addresses, volume, SPF/DKIM results. Forensic reports (ruf) arrive on each individual failure and contain details about the specific email. Many mailbox providers no longer send forensic reports for privacy reasons.

Read and understand DMARC reports
02

Monitoring.

How raw XML data becomes a readable dashboard, and what becomes visible in the process.

DMARC Monitoring means that DMARC reports are automatically received, processed and visualized. Instead of manually evaluating raw XML data, you see in a dashboard who sends emails in your name: compliant, with warning or failing. Monitoring is the second step after setting the DMARC record.

DMARC Monitoring platform

Technically yes. DMARC reports arrive as compressed XML files, readable when unpacked but not clear. Anyone who receives reports from several mailbox providers daily and wants to keep an overview needs a monitoring tool. The real effort lies not in reading but in interpreting.

The dashboard shows all systems that send emails under your domain, categorized as compliant, warning or failing. Plus the current policy status, delivery rates, SPF/DKIM results per sender and concrete recommendations. Abusive senders are identifiable by failing or warning entries.

Test monitoring for free

Yes. nicmanager monitoring is multi-domain capable and suits both single domains and complex domain portfolios without additional operational effort.

No. nicmanager provides its own RUA address that is entered directly in your DMARC record. Reports come in automatically; you don't need to forward or set up anything manually.

03

Taskforce.

The managed service with Score-80 guarantee: scope, duration and billing.

The Taskforce is a managed service in which the nicmanager team handles the complete DMARC implementation: from assessment through SPF and DKIM configuration to the safe switch to p=reject. With a Score-80 guarantee: if the DomainSecurity Score isn't 80 or higher at project end, we refund the fee in full.

DomainSecurity Taskforce

For IT teams that have to set up DMARC but have no free capacity. For companies after a phishing or spoofing incident who need to react quickly. And for everyone stuck at p=none or p=quarantine who aren't sure how to get safely to p=reject .

The cost depends on the number of domains and the complexity of the email infrastructure. For a concrete, no-obligation assessment: book a 15-minute call. Important: if a score of 80 isn't reached, we refund the fee in full. The outcome risk lies with us.

Book a free assessment

On average 3–4 weeks. Depending on the number of domains and the complexity of the third-party services involved, the project duration is between 2 and 8 weeks. The process: assessment → configuration → monitoring & testing → p=reject and documentation.

The DomainSecurity Score measures the maturity of your email security configuration on a scale from 0 to 100. The Taskforce works until a score of 80 or higher is reached. If this result isn't reached at project end, we refund the fee in full. The outcome risk lies with us.

Technically yes, the steps are documented. The question is not whether you can configure it, but whether you can be sure it's correct. Companies that set up DMARC themselves often discover, when switching to p=reject , that a third party is missing or a system sends rarely enough to slip through monitoring. That's not a mistake out of ignorance. It's a lack of experience with the hundred ways it can go wrong.

More about the Taskforce
04

GDPR & data storage.

Where the data is stored, which certifications exist and what the DPA covers.

All data is stored and processed exclusively on servers in the EU. nicmanager operates EU-based hosting and is fully GDPR-compliant. There is no data transfer to third countries outside the EU.

Yes. nicmanager is ISO 27001 and ISO 9001 certified. In addition, nicmanager is a partner of the Alliance for Cyber Security of the German Federal Office for Information Security (BSI).

Yes. A standardized DPA is available for all customers who have DMARC reports processed via nicmanager. It can be concluded as part of the contract documents.

Aggregate reports contain IP addresses of sending servers; under certain circumstances these can count as personal data. Forensic reports partly contain email headers that may include personal data. The DPA is the legal basis for nicmanager's processing of this data.

05

Troubleshooting.

When something goes wrong despite DMARC, and what the reports say about it.

Because DMARC is set to p=none and isn't blocking anything yet, or because p=quarantine or p=reject is set, but not all recipients enforce DMARC. Also, DMARC only protects your own domain in the Fromheader, not look-alike domains or display-name spoofing.

This points to an SPF or DKIM alignment problem. A sending service, often a newsletter tool or CRM, isn't configured correctly and fails the DMARC check. Monitoring shows which sender is affected.

Request a free assessment

Common causes: missing v=DMARC1 at the start, wrong syntax in the RUA address, missing semicolons between tags, or the record isn't in the right place in the DNS. With the DMARC Record Analyser you can check your record for free.

Check DMARC record

SPF allows a maximum of 10 DNS lookups per check. Anyone who has integrated many third-party services quickly exceeds this limit, and SPF fails. This is called SPF Permerror. There are solutions; which one fits depends on your third-party mix. Done wrong, it creates a new maintenance problem.

More on SPF in practice

This can have two causes. First: a third-party service that sends in your domain's name and that you didn't explicitly set up, for example an old newsletter tool or an automated system. Second: a spoofing attempt. Monitoring shows volume, IP address and SPF/DKIM result for each sender, so the two can be clearly distinguished.

View in monitoring
No question found.

Maybe the question isn't documented yet. We answer directly in the 15-minute call.

Book a 15-min call →

nicmanager is a brand of InterNexum GmbH, Blumenstraße 54, 02826 Görlitz, Germany. InterNexum GmbH is a member of the Alliance for Cyber Security of the German Federal Office for Information Security (BSI) and is certified to ISO 27001 and ISO 9001.