
Using the Domains Page

The Domains page is where you manage domains onboarded to VerifyDMARC, including subdomains if you have created specific DMARC records for them. It displays the status of each domain or subdomain, supports tagging, and provides a way to generate DMARC records for each domain or subdomain.

Each domain or subdomain listed here counts towards your plan limit. Subdomains that do not have their own dedicated DMARC record do not count.

Domains Page

Tip: Look out for the filter and sort icons.

The Domains page has the following columns:

  • Domain: The domain or subdomain.
    • If you send mail on a specific subdomain e.g. @marketing.example.com, and you want granular control of the DMARC policy, then you should explicitly add this subdomain to VerifyDMARC and create a specific DMARC record for it.
  • Status: This reflects whether the domain has a DMARC record, and if it does, whether it is set to none, quarantine, reject or is inheriting policy.
    • means that the domain has a DMARC record and it is set to quarantine or reject.
    • means that the domain has a DMARC policy (p=) or subdomain policy (sp=) set to none.
    • means that the domain does not have a DMARC record or an invalid DMARC record.
  • Parked: This is a toggle which indicates and controls the parked flag.
    • Parked domains are ones that are not expected to send legitimate email. They are usually reserved or not used for email purposes but are important to protect from abuse or misconfiguration.
    • The primary purpose of the flag is to keep the Dashboard clear and actionable by using the Hide Park toggle to only view active domains.
    • To successfully flag a domain as parked it must have:
      • A valid reject DMARC policy. Do not use a Subdomain Policy (sp=) tag in your record. Guidance can be found below under Domain Detail.
      • An empty v=spf1 -all SPF policy indicating no mail servers are authorised to send from it.
    • Without meeting those conditions, an attempt to flag a domain as parked will fail.
    • The parked flag will automatically toggle off if any of these conditions are met:
      • Reports of DMARC compliant email are received for the domain.
      • When DMARC records are refreshed, the DMARC policy is no longer valid or reject.
    • To be notified when a parked flag has been automatically toggled off, set one or more Alert Email Addresses under Organisation.
  • TLS (if TLS reporting on): This reflects whether the domain has a TLS reporting record, and if it does, whether any issues relating to TLS are detected.
    • Empty means TLS Reporting is not on for the domain.
    • means the domain has a TLS reporting record and no issues are detected.
    • means the domain has a TLS reporting record, but issues are detected. Hover over the icon for detail or click Show.
    • means that the domain has TLS reporting on but does not have the correct TLS reporting record configured.
  • TLS Mode (if TLS reporting on): Any TLS protocols detected.
    • Empty means TLS Reporting is not on for the domain or the TLS Reporting record is not valid.
    • None: no DANE or MTA-STS detected; the domain is likely using opportunistic SMTP TLS.
    • DANE: the domain has TLSA records detected, indicating DANE is configured.
    • MTA-STS Enforce: the domain has a _mta-sts TXT record and a policy file with mode: enforce, indicating MTA-STS is mandated and mail senders should not attempt to send mail unencrypted if TLS fails.
    • MTA-STS Testing: the domain has a _mta-sts TXT record and a policy file with mode: testing, indicating MTA-STS is in testing mode and senders are allowed to fall back to unencrypted delivery if TLS fails.
    • MTA-STS Error: there is a _mta-sts TXT record but there is an issue with accessing the policy file or the policy file format is not valid. Hover over the status icon or select Show for additional detail.
    • MTA-STS None: the domain has a _mta-sts TXT record and a policy file with mode: none, indicating MTA-STS is explicitly disabled, usually when it is being decommissioned. TLS will not be enforced unless DANE is in use.
  • Reference: This is a single reference property to help you identify a domain.
    • This is intended for scenarios such as a third party billing reference, or a customer ID.
    • We'd love to hear how you are using references, and how we can improve this feature. Please let us know at feedback@verifydmarc.com.
  • Tags: You can add free form tags to each domain to help you categorise and manage your domains.
    • This is intended for scenarios such as MSPs needing to group multiple domains belonging to the same customer, or noting specific people or teams responsible for each domain.
    • We'd love to hear how you are using tags, and how we can improve this feature. Please let us know at feedback@verifydmarc.com.
  • Action: Select Show to reach the Domain Detail Page or Remove to offboard the domain from VerifyDMARC.
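
The TLS Mode values described above can be reproduced from three inputs per domain. This is an added example, not VerifyDMARC's code: the function names, the sample values, and the choice to return every detected mode as a list are assumptions, and the policy checks follow the RFC 8461 policy file format.

```python
def parse_sts_policy(text):
    """Parse MTA-STS policy text (RFC 8461 key: value lines); ValueError if invalid."""
    fields, mx = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not a key: value line")
        if key.strip() == "mx":
            mx.append(value.strip())
        else:
            fields[key.strip()] = value.strip()
    if fields.get("version") != "STSv1":
        raise ValueError("missing or wrong version")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or unknown mode")
    if not fields.get("max_age", "").isdigit():
        raise ValueError("max_age missing or not numeric")
    # Assumption of this example: mx patterns are only demanded when TLS is applied.
    if fields["mode"] != "none" and not mx:
        raise ValueError("no mx patterns")
    return fields["mode"]


def tls_modes(has_tlsa, sts_txt, policy_text):
    """Return the TLS Mode labels for one domain, e.g. ['DANE', 'MTA-STS Enforce']."""
    modes = ["DANE"] if has_tlsa else []
    if sts_txt:
        try:
            if policy_text is None:  # policy file could not be fetched
                raise ValueError("policy file not accessible")
            modes.append("MTA-STS " + parse_sts_policy(policy_text).capitalize())
        except ValueError:
            modes.append("MTA-STS Error")
    return modes or ["None"]


# Constructed sample inputs (not real records)
STS_TXT = "v=STSv1; id=20240101000000Z"
ENFORCE = "version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\nmax_age: 604800\r\n"
TESTING = ENFORCE.replace("enforce", "testing")
BROKEN = "version: STSv1\nmode: enforce\n"  # no max_age, no mx

if __name__ == "__main__":
    for args in [(False, None, None), (True, STS_TXT, TESTING), (False, STS_TXT, BROKEN)]:
        print(tls_modes(*args))
```
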

Adding a Domain

Select Add Domain to add a domain to VerifyDMARC. You will be prompted to enter the domain name and then taken to the Domain Detail page to generate a DMARC record for the domain.

Auto Park

As a convenience, select Auto Park to check all domains. Any that have a valid reject DMARC policy and an empty v=spf1 -all SPF policy will be flagged as parked. Any that were parked but no longer meet the criteria will be un-flagged as parked.

This operation is designed to efficiently reconcile the parked status of the domains. After a domain is flagged as parked, any subsequent DMARC compliant emails reported will cause the domain's parked flag to be toggled off automatically. If the Dashboard detects a policy change away from a valid DMARC reject policy, this will also cause the domain's parked flag to be toggled off. Once the parked flag is toggled off it automatically appears in the filtered Dashboard list again.
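
To pre-check which domains would pass the parked criteria before running Auto Park, the two conditions can be evaluated against the TXT values you see in DNS. This is an added example, not VerifyDMARC's code: the function names and sample records are constructed, and it assumes the "no sp= tag" guidance is a hard requirement and that the SPF record must be exactly v=spf1 -all.

```python
def parse_tags(record):
    """Split a DMARC TXT value into a {tag: value} dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def dmarc_allows_parking(record):
    """True for a v=DMARC1 record with p=reject and no sp= tag."""
    if not record or record.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return False  # missing record, or version tag not first
    tags = parse_tags(record)
    return tags.get("p", "").lower() == "reject" and "sp" not in tags


def spf_is_empty(record):
    """True only for the 'no servers authorised' policy: v=spf1 -all."""
    return bool(record) and record.lower().split() == ["v=spf1", "-all"]


def auto_park(domains):
    """Return (to_park, to_unpark) domain lists after re-checking both criteria."""
    to_park, to_unpark = [], []
    for name in sorted(domains):
        d = domains[name]
        eligible = dmarc_allows_parking(d["dmarc"]) and spf_is_empty(d["spf"])
        if eligible and not d["parked"]:
            to_park.append(name)
        elif d["parked"] and not eligible:
            to_unpark.append(name)
    return to_park, to_unpark


# Constructed sample data: TXT values as they would come back from DNS lookups.
SAMPLE = {
    "parked.example": {"dmarc": "v=DMARC1; p=reject", "spf": "v=spf1 -all", "parked": False},
    "sp-tag.example": {"dmarc": "v=DMARC1; p=reject; sp=reject", "spf": "v=spf1 -all", "parked": False},
    "soft.example": {"dmarc": "v=DMARC1; p=reject", "spf": "v=spf1 ~all", "parked": True},
    "monitor.example": {"dmarc": "v=DMARC1; p=none", "spf": "v=spf1 -all", "parked": False},
    "norecord.example": {"dmarc": None, "spf": "v=spf1 -all", "parked": True},
}

if __name__ == "__main__":
    print(auto_park(SAMPLE))
```
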

Domain Bulk Import and Export

Bulk Import

A fast way to onboard many domains is to export or scrape the list of domains from your DNS manager or domain registrar, MSP tools, documentation, or other sources, and then import them into VerifyDMARC.

Select Import to access the Import Domains wizard. You can download a sample CSV file to use as a template for your import. The CSV file must have a column with the header domain and a list of domains to import. It can optionally include a reference column and a tags column.

NOTE: If you include the reference or tags columns, these will overwrite any existing references or tags for the domain, including if you leave the reference or tag field blank for one of the domains in your import file. If you do not include the reference or tags columns, any existing references or tags will be left as is.

VerifyDMARC automatically de-duplicates domains, so you don't need to worry about removing duplicates from your list.

If you exclude domains already onboarded to VerifyDMARC from the import file, those domains will be left untouched.

When you run an import, the Results area will show each imported or updated domain, and whether a tag or reference was updated.

Bulk Export

Select Export to download a CSV file containing all of your domains. You can use this file to audit your domains or to import your domains into another system.

Removing a Domain

Select Remove next to a domain to remove it from VerifyDMARC.

When you remove a domain, VerifyDMARC will not purge any historical DMARC data until it ages out of our system normally. This is because some customers may want to transition between having an explicit subdomain DMARC record and go back to using an inherited policy.

If you re-add a domain that you removed, any already ingested DMARC data will show up again provided it has not aged out of our system, as long as the domain is re-added to the same organisation.

Advanced Information

At the top of the page, you'll see a Show/Hide Advanced Information link. Select this to access your unique RUA tag if you need to manually edit an existing DMARC record or want to build a DMARC record that sends reports to VerifyDMARC as well as other destinations.

Domain Detail Page

The Domain Detail page includes a DMARC record wizard to help you generate a DMARC record for your domain or turn on TLS Reporting.

The Live DMARC Record is the current DNS result we see for your domain. If you have just added your domain, or have just updated your DMARC record, it may take time for the Live DMARC Record to show the updated record.

Generating a DMARC Record

There are two input fields:

  1. Select Domain Policy (p=): This is the policy setting that will apply to your domain and all subdomains unless otherwise specified. The options are none, quarantine, and reject.
  2. Select Subdomain Policy (sp=): This is the policy setting that will apply to subdomains of your domain. The options are Inherit, none, quarantine, and reject. If you select Inherit, the policy setting from the Select Domain Policy field will be used. You can still override this setting for individual subdomains by creating a separate DMARC record for the subdomain.

If your environment is not complex, we recommend you set the subdomain policy to inherit.

Once you have set both fields, select Show Record to display the DNS TXT record that you need to add to your domain's DNS manager.

Turn On TLS Reporting

To turn on TLS reporting for the domain, click the Turn On TLS Reporting button. If this is the first domain in the organisation to have TLS Reporting turned on, a modal will appear with guidance and TLS-related columns will appear in the Dashboard and Domains pages going forwards.

Once turned on, SMTP TLS Status will be revealed with the record you need to add to your domain's DNS manager.

TLS Reporting will turn on automatically if TLS reports are received for the domain.