Four steps from "no DMARC" to "p=reject without breaking mail." Live scan, starter record, sender checklist, and a safe ramp plan. Nothing is saved on our side until you sign up to monitor.
Enter your domain. We do a live DNS lookup for DMARC, SPF, and DKIM, then tell you what is in place and what is missing.
Publish this record on the _dmarc.<domain> TXT host at your DNS provider. p=none filters no mail; it only turns on reporting so you can see who is sending as you.
DNS host
_dmarc.yourbrand.com
DNS type
TXT
Record value
v=DMARC1; p=none; ...
Heads up: the rua/ruf addresses above point at PhishFence's reporting mailbox. You will get reports starting within 24 hours and can sign up to see them parsed and graphed. If you only want the wizard, swap the rua/ruf for your own mailbox before publishing.
For every system that sends mail using your domain, you need its SPF include OR its DKIM selector aligned with your From: domain. Check off each one you use; click any item for the exact setup steps.
include:_spf.google.com
include:spf.protection.outlook.com
include:sendgrid.net (+ DKIM selector s1)
include:servers.mcsv.net (+ k1 DKIM)
include:spf.mtasv.net (+ pm DKIM selector)
include:amazonses.com (+ region selector)
include:23681665.spf08.hubspotemail.net (+ hs1 DKIM)
include:_spf.resend.com (+ resend DKIM selector)
include:_spf.mx.cloudflare.net
include:spf.brevo.com (+ mail DKIM)
Don't see your sender? Email is full of edge cases. Sign up to ingest your real DMARC reports and PhishFence will auto-identify every IP, ASN, and ESP attribution for you.
Once every legitimate sender from Step 3 is aligning on SPF or DKIM, walk this ramp. Each step needs at least a week of clean reports before advancing; jumping straight to p=reject is how marketing emails start bouncing on Monday morning.
p=none · 14 days
Receivers send you reports but apply no filtering. Goal: identify every sender from Step 3 in your rua reports.
p=quarantine; pct=10 · 7 days
10% of failing mail goes to spam. Tiny blast radius, but watch for a sender suddenly showing in the failing cohort.
p=quarantine; pct=100 · 7 days
All failing mail to spam. Real impact starts here; recipients may notice missing email and ask you about it.
p=reject
Failing mail is bounced before delivery. Attackers can no longer use your domain to phish; legitimate senders that broke at step 3 are gone for good if you ramp before fixing them.
PhishFence ingests your DMARC reports daily, auto-classifies every sender, and refuses to surface the "Advance" button until everyone is aligning. The enforcement wizard does exactly this ramp for you.
Start free · Email Security