Learn
Short, plain-English guides for getting DMARC right. No certifications, no jargon, no ten-page primers. Just what you need to know.
What is DMARC?
The 5-minute version. Why mailbox providers care, what gets blocked when it's wrong, and how DMARC fits with SPF and DKIM.
Setting up DMARC for the first time
Step-by-step: publish the record, point reports somewhere, watch what mail providers say about your domain.
DMARC alignment, in plain English
Why a message can pass SPF but still fail DMARC. Identifier alignment, the difference between authentication and alignment, and why DKIM is usually the easier fix.
Progressing past p=none safely
How to step from monitor-only to actual enforcement without breaking real mail. The 4-week ramp most domains should follow.
Counting your SPF lookups (and why you might be at 11)
SPF caps DNS lookups at 10. Cross it and mailbox providers return permerror. What counts, what doesn't, and how to come back under.
Why 1024-bit DKIM keys are being phased out
NIST deprecated 1024-bit RSA in 2013, and Google now warns about it. Here's the rotation playbook to 2048-bit without breaking current mail.
Removing a revoked DKIM selector
When a DKIM selector publishes p= with an empty value, it's signaling revocation per RFC 6376. Receivers will keep failing your mail until you delete the record (or republish the key). Here's how to tell which.
When a DKIM selector stops resolving
If a DKIM selector that used to be in DNS stops resolving, your alignment will start failing. The cause is usually one of three things: an in-progress rotation, a manual delete, or a DNS provider hiccup. Here's how to tell them apart and fix it.
Merging multiple SPF records into one
RFC 7208 says a domain MUST have only one v=spf1 record. Multiple records are an SPF permerror, so receivers treat all your authorized senders as unauthorized. Here's how to merge them safely.
How we update DNS records on your behalf, safely
Auto-fix that touches your authoritative DNS is risky if you do it wrong. Here are the four safety layers we use (5-minute cancel window, paper-trail email, read-back verify, 24h undo) and why each one is there.
Reading your first DMARC report
You set up DMARC, mailbox providers started sending you XML reports, and now you're staring at one wondering what it means. Here's what each section says, and the three patterns to actually look for.
What to do when a report shows Unknown senders
Some rows in your DMARC reports won't have a vendor name attached. Just a bare source IP marked Unknown. Here's the triage guide: what aligned-vs-not means, how to figure out who the IP actually belongs to, and when an Unknown is safe to ignore.
MTA-STS / TLS-RPT for the security-curious
DMARC tells you who's allowed to send as you. MTA-STS tells receivers your inbound mail must be encrypted in transit, with no downgrade attacks. TLS-RPT is how receivers tell you when the encryption fails. Here's when to bother, and why it's harder to set up than DMARC.
BIMI in plain English
BIMI is the brand logo that shows up next to your sender name in supporting inboxes. It needs DMARC at p=quarantine or stricter, a published BIMI record, and either a free SVG or a Verified Mark Certificate. Here's what each piece costs, who actually displays it, and whether the upgrade is worth it.
Why forwarded mail still passes DMARC (sometimes)
Email forwarders break SPF because the connecting IP changes when a forward kicks in. DKIM usually survives. DMARC's alignment rule means DKIM-aligned mail still passes even when SPF fails, which is why your forwarded reports look mostly fine. Here's what's happening, when it breaks, and what to do about ARC.
Editing your DNS manually for any provider
When trustyourinbox doesn't have a one-click integration with your DNS provider, you can still apply every fix yourself. Here's the universal walkthrough: how to find which provider hosts your DNS, where the TXT-record editor lives in the most common ones, what to paste for each fix type (DMARC, SPF, DKIM, MTA-STS), and how to verify the change took effect.
Editing DNS records in GoDaddy
GoDaddy hosts your DNS at ns01/ns02.domaincontrol.com. trustyourinbox can recommend the right DMARC, SPF, DKIM, and MTA-STS records but can't apply them for you on GoDaddy yet. The exact path through the current GoDaddy panel: where the editor lives, GoDaddy's quirks (per-record TTL, Domain Protection 2SV, ASCII-only values), and how to verify the record published.
Editing DNS records in Namecheap
Namecheap hosts your DNS at dns1/dns2.registrar-servers.com (FreeDNS) or pdns1/pdns2 (PremiumDNS). The exact path through Namecheap's Advanced DNS panel: where the editor lives, the @-vs-blank apex quirk, and how to verify the record published. Same flow on FreeDNS, BasicDNS, and PremiumDNS.
Editing DNS records in AWS Route 53
Route 53 hosts your DNS at four nameservers across .com / .net / .co.uk / .org TLDs. The exact path through the Route 53 console: Route 53's mandatory double-quote rule, multi-string handling for long DKIM keys, IAM permission requirements, and how to verify the record published.
Editing DNS records in Google Cloud DNS
Google Cloud DNS hosts your DNS at four ns-cloud-[a-d]N.googledomains.com nameservers. The exact path through the Cloud Console: the apex-blank-NOT-@ quirk, multi-string handling for long DKIM keys, IAM roles you need, and how to verify the record published.
Editing DNS records in Azure DNS
Azure DNS hosts your DNS at four nsN-NN.azure-dns.{com,net,org,info} nameservers. The exact path through the Azure portal: how Azure auto-segments long values (easiest for DKIM keys), RBAC roles you need, and how to verify the record published.