DMARC monitoring
DMARC monitoring that turns aggregate XML into a live dashboard.
DMARCTrust is DMARC monitoring built by deliverability engineers. You get a dedicated reporting address, automatic XML parsing, and per-source alerts. Free for 1 domain.
- No credit card
- Live in under a minute
- We never touch your mailbox
- Built by ex-Mailjet engineers
Built by Florian Le Goff & Marc Lelu, ex-Mailjet deliverability engineers. Last updated June 3, 2026.
What DMARC monitoring actually does
Mail providers send daily DMARC aggregate reports as compressed XML. On their own, those files are unreadable: rows of source IPs, message counts, and pass/fail codes. DMARC monitoring receives every report at your dedicated reporting address, parses it automatically, and keeps a running record so you can watch your email authentication over time instead of reading one file at a time.
The result is something you can act on: who is sending as your domain, whether SPF and DKIM align, where spoofing shows up, and whether you are ready to move from p=none to p=reject.
Turn raw DMARC reports into readable charts
Every sending source, ranked
Each source IP is resolved to a provider (Gmail, SendGrid, Mailgun, your office WiFi, an unknown), with volume and pass rate.
Alignment trends over 30, 90, 180 days
SPF, DKIM, and DMARC pass rates as time series. The patterns one day of XML cannot show.
Forensic (RUF) samples
When senders publish ruf=, we collect redacted message samples so you can see exactly what failed.
Multi-domain rollups
If you manage 5+ domains, one screen consolidates volume, pass rates, and alerts across all of them.
Catch spoofing and authentication failures early
- Source IP → provider attribution. Raw IPs tell you nothing. We resolve every source to a named provider so "who is sending as me?" stops being a research project. The unknown senders are the ones worth chasing down, because that is where spoofing hides.
- Trend over time. One day of XML is one day of data. Real failures appear as multi-day patterns. The dashboard shows 30-, 90-, and 180-day rollups by default.
- Failure spike detection with alerts. A nightly job watches authentication failure rates and emails you when a domain crosses threshold, long before your DMARC review meeting on Thursday.
Inside a DMARC aggregate report
Every aggregate report (RFC 7489 §7.2) contains the following fields:
| Field | What it means |
|---|---|
policy_published |
The DMARC record the recipient saw at the time. |
record/row/source_ip |
The sending IP for each batch. |
record/row/count |
Number of messages from that IP. |
auth_results/dkim |
DKIM signing domain and result. |
auth_results/spf |
SPF identifier and result. |
policy_evaluated/disposition |
What the recipient actually did (none / quarantine / reject). |
Get from p=none to p=reject with confidence
DMARC starts in monitoring mode, p=none, where recipients report on your mail but never block it. The point of monitoring is to reach enforcement (p=quarantine then p=reject) without dropping a single legitimate message.
DMARCTrust shows the one number that decides when you are ready: your aligned pass rate across every legitimate sender. When every real source authenticates and the only failures left are spoofers, you can tighten the policy. Watch the alignment trend climb, fix the laggards, then enforce.
DNS change alerts so your records never drift
Your DMARC, SPF, and BIMI records monitored every 5 minutes. Unauthorized modifications, accidental deletions, misconfigurations. Caught and alerted, with a full change history you can audit.
See where encryption breaks in transit
TLS-RPT reports show you when senders can't deliver mail to your domain over an encrypted connection. Spot certificate failures and downgrade attempts before messages travel in the clear, in the same place you monitor DMARC.
Inbound transport protection, in the same platform
DMARC protects your outbound reputation. But what about mail coming in? Without transport encryption enforcement, a man-in-the-middle can strip encryption and read messages in transit to your domain.
We deploy and host the policies that prevent this, and alert you when senders can't connect securely.
Built by email deliverability engineers
We helped scale Mailjet to billions of emails with world-class deliverability. We've seen every authentication failure, every DNS misconfiguration, every deliverability crisis.
Now we've built that expertise into a monitoring tool so you don't have to become a DMARC expert yourself.
DMARC monitoring service for teams managing many domains
Running DMARC across ten brands is a different job than running it across one. DMARCTrust is a DMARC monitoring tool built for that: every domain rolls up into one dashboard, alerts fire per domain, and a JSON API lets you pull pass rates straight into your own reporting.
Add domains as you go for $15 each, or talk to us about agency and MSP plans if you manage client domains at volume.
Start free for 1 domain, upgrade when you grow
Free DMARC monitoring covers one domain with a dedicated reporting address, the full dashboard, and 7 days of detail. Paid plans add domains, longer retention, forensics, and DNS change alerts.
| Plan | Detail retention |
|---|---|
| Free | 7 days + 2-day grace |
| Starter | 90 days + 2-day grace |
| Pro | 180 days + 2-day grace |
Retention matters for audit trails, year-over-year comparisons, and post-incident reviews.
Works alongside
Protect inbound transport with hosted MTA-STS
Enforce TLS on inbound mail without managing certificates.
Read more →Verify every campaign your ESPs send
Inbox Inspector evaluates SPF, DKIM, and DMARC for every message from your ESPs.
Read more →Free DMARC Checker
Paste a domain, see its current DMARC posture in 5 seconds.
Read more →Frequently asked questions
- What does DMARC monitoring actually show me?
- DMARC monitoring turns the daily aggregate (RUA) reports your mail providers send into readable charts: every sending source resolved to a named provider, SPF and DKIM alignment trends, authentication failure spikes, and forensic (RUF) samples when senders publish them. You see who is sending as your domain and whether their mail authenticates, without reading a line of XML.
- How often do DMARC reports arrive?
- Most providers send daily aggregate reports. A few (notably Mail.ru and some Eastern European ISPs) send several times per day. We process them within minutes of receipt.
- What is the difference between aggregate (RUA) and forensic (RUF) reports?
- RUA reports are statistical: counts of messages and authentication outcomes per source IP, sent on a regular cadence. RUF reports are per-failure: redacted samples of individual messages that failed DMARC. See RFC 7489 §2 for the formal definitions.
- Do I need to give DMARCTrust access to my mailbox?
- No. You publish our reporting address as your DMARC `rua=` tag. Mail providers send reports to us directly. We never touch your existing mailbox.
- Is DMARC monitoring free?
- Yes, for 1 domain. The free plan includes your dedicated reporting address, automatic XML parsing, the dashboard, and basic DNS status checks, with 7 days of detail retention plus a 2-day grace period. Paid plans add more domains, longer retention, forensics, and DNS change alerts.
- How long do you store reports?
- Free: 7 days plus a 2-day grace period. Starter: 90 days plus 2 days. Pro: 180 days plus 2 days. After grace, detail rows are purged; daily aggregates remain for trend continuity.
- Can I export the data?
- Yes. The public JSON API is available on Starter and Pro. You can pull reports, sources, and per-domain stats programmatically.
- How many providers send DMARC reports?
- More than 90, including Gmail, Microsoft 365, Yahoo, Apple, Mail.ru, and the major hosting providers. Coverage grows every year as DMARC adoption expands.
Start free DMARC monitoring in five minutes
One DNS record. Daily reports arrive automatically. We do the parsing.