DMARC Rollout Wizard
Four steps from "no DMARC" to "p=reject without breaking mail." Live scan, starter record, sender checklist, and a safe ramp plan. Nothing is saved on our side until you sign up to monitor.
-
1Scan
-
2Generate
-
3Senders
-
4Ramp
Step 1 · Scan your current posture
Enter your domain. We do a live DNS lookup for DMARC, SPF, and DKIM, then tell you what is in place and what is missing.
Step 2 · Your starter DMARC record
Publish this record on the _dmarc.<domain> TXT host at your DNS provider. p=none filters no mail; it only turns on reporting so you can see who is sending as you.
DNS host
_dmarc.yourbrand.com
DNS type
TXT
Record value
v=DMARC1; p=none; ...
Heads up: the rua/ruf addresses above point at PhishFence's reporting mailbox. You will get reports starting within 24 hours and can sign up to see them parsed and graphed. If you only want the wizard, swap the rua/ruf for your own mailbox before publishing.
Step 3 · Find every legitimate sender
For every system that sends mail using your domain, you need its SPF include OR its DKIM selector aligned with your From: domain. Check off each one you use; click any item for the exact setup steps.
-
Google Workspace setup docs →
include:_spf.google.com -
Microsoft 365 (Exchange Online) setup docs →
include:spf.protection.outlook.com -
SendGrid setup docs →
include:sendgrid.net (+ DKIM selector s1) -
Mailchimp setup docs →
include:servers.mcsv.net (+ k1 DKIM) -
Postmark setup docs →
include:spf.mtasv.net (+ pm DKIM selector) -
Amazon SES setup docs →
include:amazonses.com (+ region selector) -
HubSpot setup docs →
include:23681665.spf08.hubspotemail.net (+ hs1 DKIM) -
Resend setup docs →
include:_spf.resend.com (+ resend DKIM selector) -
Cloudflare (transactional) setup docs →
include:_spf.mx.cloudflare.net -
Brevo (Sendinblue) setup docs →
include:spf.brevo.com (+ mail DKIM)
Don't see your sender? Email is full of edge cases. Sign up to ingest your real DMARC reports and PhishFence will auto-identify every IP, ASN, and ESP attribution for you.
Step 4 · Ramp safely to enforcement
Once every legitimate sender from Step 3 is aligning on SPF or DKIM, walk this ramp. Each step needs at least a week of clean reports before advancing; jumping straight to p=reject is how marketing emails start bouncing on Monday morning.
-
1
p=none· 14 daysReceivers send you reports but apply no filtering. Goal: identify every sender from Step 3 in your rua reports.
-
2
p=quarantine; t=y· 7 daysTest mode (DMARCbis
t=y). Receivers report on the stricter policy but still deliver normally, so nothing gets filtered yet. Watch your rua reports for any sender that suddenly shows up failing. -
3
p=quarantine· 7 daysDrop
t=yto start enforcing. Failing mail now goes to spam. Real impact starts here; recipients may notice missing email and ask you about it. -
4
p=rejectFailing mail is bounced before delivery. Attackers can no longer use your domain to phish; legitimate senders that broke at step 3 are gone for good if you ramp before fixing them.
Don't ramp blind.
PhishFence ingests your DMARC reports daily, auto-classifies every sender, and refuses to surface the "Advance" button until everyone is aligning. The enforcement wizard does exactly this ramp for you.
Start free · Email Security