Skip to content

Using the Dashboard

The Dashboard is where you can see all of your monitored domains and their DMARC compliance state. It is the first page you see when you log in after adding at least one domain to your organisation.

Dashboard Columns

Tip: Look out for the filter and sort icons.

The Dashboard has the following columns:

  • Domain: Domains that you have added to your account, or subdomains that we have automatically discovered in your DMARC reports using Header From.
  • Status: This reflects whether the domain has a DMARC record, and if it does, whether it is set to none, quarantine, reject or is inheriting policy.
    • means that the domain has a DMARC record and it is set to quarantine or reject.
    • means that the domain has a DMARC record, it is set to reject and has been flagged as parked (i.e. not expected to be sending compliant email). These domains are hidden by default on the Dashboard and revealed using the toggle next the date picker..
    • means that the domain has a DMARC parent domain or subdomain record, or an inherited DMARC record, but set to none.
    • means that the domain does not have a DMARC record or an invalid DMARC record.
    • means that the domain is inheriting a DMARC record from a parent domain.
    • There are also tooltips on the page to explain these icons.
    • We query your DMARC DNS record when you sign into the Dashboard, and cache these results for up to 1 hour.
  • Effective Policy: This is the policy that is being applied to the domain, based on the DMARC record.
  • Compliant %: This is the percentage of messages that are passing DMARC.
    • It is calculated by dividing the total number of DMARC compliant messages that we have received DMARC RUA reports, by the total number of messages that we have received DMARC RUA reports for.
  • Compliance Chart: This is a quick way to identify the compliance state of a domain. It shows the percentage of messages that are using both DKIM & DMARC, DKIM only, SPF only, or none of these.
    • DKIM & SPF
    • DKIM only
    • SPF only
    • Non-Compliant
  • Total Count: This is the total number of messages that we have received DMARC RUA reports for.
    • This metric is counted towards your subscription's message limit.
  • Detail: If we have received DMARC RUA reports for the domain in the selected date period, you'll be able to click the icon. This will take you to the Senders page, where you can see where messages are originating from for your domain. See the Senders page for more information.

TLS Columns

The following TLS-related columns are visible if one or more domains has TLS Reporting turned on.

  • TLS: This reflects whether the domain has a TLS reporting record, and if it does, whether any issues relating to TLS are detected.
    • Empty means TLS Reporting is not on for the domain.
    • means the domain has a TLS reporting record and no issues are detected.
    • means the domain has a TLS reporting record, but issues are detected. Hover over the icon for detail or click Show.
    • means that the domain has TLS reporting on but does not have a the correct TLS reporting record configured.
  • TLS Mode: Any TLS protocols detected.
    • Empty means TLS Reporting is not on for the domain or the TLS Reporting record is not valid.
    • None no DANE or MTA-STS detected, the domain is likely using opportunistic SMTP TLS.
    • DANE the domain has TLSA records detected indicating DANE is configured.
    • MTA-STS Enforce the domain has a _mta-sts TXT record and a policy file with mode: enforce, indicating MTA-STS is mandated and mail senders should not attempt to send mail unencrypted if TLS fails.
    • MTA-STS Testing the domain has a _mta-sts TXT record and a policy file with mode: testing, indicating MTA-STS is testing mode and is allowed to fallback to unencrypted if it fails.
    • MTA-STS Error means there is a _mta-sts TXT record but there is an issue with accessing the policy file or the policy file format is not valid. Hover over the status icon or go Show for additional detail.
    • MTA-STS None the domain has a _mta-sts TXT record and a policy file with mode: none, indicating MTA-STS is explicitly disabled, usually when it is being decommissioned. TLS will not be enforced unless DANE is in use.
  • Success %: The proportion of reported TLS sessions that were successful. A rate lower than 100% warrants investigation.
  • Success Chart: This is a quick way to visually identify the health of reported TLS sessions for a domain.
    • Success
    • Failure
  • TLS Total Count: The number of reported TLS sessions.
  • TLS Failures: The number of reported failed TLS sessions.
  • Detail: If we have received TLS reports for the domain in the selected date period, you'll be able to click the icon. This will take you to the TLS Reports page, where you can see TLS reports grouped by sender and Policy Used.

Dashboard Workflow and Usage

The dashboard is designed so you can quickly review the compliance state of your domains and get straight to actionable data.

To focus attention on actionable data, domains flagged as parked are hidden by default. Each time DMARC records are refreshed they are checked to ensure any domain flagged as parked still has a valid reject policy, if it does not, it will automatically revert to not parked. If DMARC compliant mail is reported for a parked domain, it will also automatically revert to not parked. Use the toggle to the right of the date picker to show or hide domains flagged as parked.

Here's a typical workflow:

  1. Check your domain DMARC DNS record state: We colour code the Status column to make it easy to identify the compliance state of your domains. Start with reviewing any domains that have a beige coloured row. This means that either the domain has a weak DMARC policy (none), no DMARC policy, an invalid DMARC policy, or we're not receiving DMARC reports for the domain.
    • For any of these domains, you should review your DMARC record and ensure that it is correctly configured.
    • If you have parked domains that do not send email, you should set up DMARC records for these domains with a policy of reject, and an empty SPF record with a -all mechanism e.g. v=spf1 -all. This will prevent these domains being used to conduct impersonation attacks.
  2. Check your DMARC compliance state: Next, review the Compliant % and Compliance Chart columns. These will give you an idea of the percentage of messages that are passing DMARC, and the authentication methods that are being used to send messages from your domain.
    • This data does not populate immediately after adding a domain, as it requires DMARC reports to be received and processed. This can take up to a week to come through, assuming the domain is actively sending email.
    • If you have a low Compliant %, you can use the View Senders link to see where messages are originating from for your domain. This will help you identify authorised but not correctly configured sources of email, as well as unauthorised sources of email. See the Senders page for more information.
    • Keep in mind that some services may only periodically send emails. For example accounting software sending invoices once a month in a small volume. This can be a cause of non-compliant messages even if you have a high Compliant %. Be sure to use the View Senders link to review the sources of email for your domain.

Unless you are regularly adding new domains to your account, you should only need to review the dashboard periodically to check your compliance state. If you are adding new domains, you should review the dashboard daily until you have all of your sending sources correctly configured and your compliance state is high. See the Guidance page for more information on how to deal with non-compliant mail sources or a drop in your Compliant % level.