How PlainDMARC works
From one DNS record to a weekly plain-English verdict your clients can actually read. No XML, no jargon dashboard — here is the whole pipeline, step by step.
Step 1 — Create an account and add your domains
Sign up with just an email address — we send a magic link, so there's no password to manage, and early access is free with no card. Add each domain you look after (your own, or your clients'). Every domain you add immediately gets a live DNS posture check, so you can see its current DMARC state before any reports arrive.
Step 2 — Publish one DNS TXT record per domain
For each domain, the dashboard shows the exact record to publish — copy, paste into the domain's DNS, done. It looks like this:
_dmarc.client-domain.com. TXT "v=DMARC1; p=none; rua=mailto:r-<token>@rua.plaindmarc.com; fo=1; adkim=r; aspf=r"
The r-<token> address is unique and unguessable per domain — that's how reports are attributed to the right domain and account, and why nobody else can spoof data into your dashboard.
p=none is monitor-only. Publishing this record changes nothing about how your mail is delivered — providers simply start reporting. Moving to quarantine or reject is a separate step you take when the data says it's safe (our policy guide explains when). Already have a DMARC record? DMARC allows multiple rua destinations — add ours alongside your existing tool and run both in parallel.
Step 3 — Mailbox providers report in
Google, Yahoo, Microsoft and other mailbox providers send DMARC aggregate reports — XML files describing which mail claimed to be your domain, from which sending sources, and whether it passed SPF and DKIM — to the address in your record, typically once a day. They arrive at our own mail server, where each report is parsed, validated, and attributed to your domain. You never touch the XML.
These aggregate reports contain counts, sending IPs and authentication results — not message content. Details on how we handle the data are on the security page.
Step 4 — Every Monday: a verdict, not a chart
Each week (Monday, UTC) every domain gets one plain-English verdict:
- PASS — this week's mail authenticated correctly; if you're still on
p=none, the verdict tells you when it's safe to tighten the policy. - WARN — something needs attention (say, a newsletter service failing DKIM alignment). The report names the source and gives the exact fix.
- FAIL — unauthenticated mail claiming to be this domain was observed. The report says what to do about it, in order.
If a domain received no reports that week, we say exactly that — no invented verdicts. And the first time a domain's data arrives, you get a one-time "first report received" email so you know the pipeline is live end to end.
Step 5 — Forward the proof to your client
This is the agency wedge. On Agency plans, each domain's weekly verdict becomes a white-label report: your logo, your sender name, a hosted link you can share — written so a client who has never heard of DMARC understands what they're paying you for. Here's a live sample of what the client receives.
What happens when — the honest timeline
| When | What you get |
|---|---|
| Immediately | Live DNS posture check per domain in the dashboard, plus the exact record to publish |
| ~24 hours after adding a domain | A DNS status email: record verified, or what to fix if it isn't |
| Usually 1–3 days | First aggregate reports arrive; you get a one-time "first data" email |
| Every Monday | Plain-English verdict per domain — white-labeled to your clients on Agency plans |
Prefer to drive it from code (or an AI agent)?
Everything above also works over the API. GET /api/check?domain= is free with no key and returns a plain-English JSON verdict; after signup you can mint an API key and do everything — add domains, read the DNS record to publish, poll verdicts, send client reports — over Authorization: Bearer. The full surface is documented for AI assistants in llms.txt, and there's a walkthrough in DMARC for AI agents.
FAQ
Does adding the record affect my email delivery?
No. p=none is monitor-only — providers change nothing about how they handle your mail; they just start reporting. Tightening the policy is a separate step, and the weekly verdict tells you when it's safe.
How long until I see data?
Providers report on their own schedule, typically daily. Most domains see the first report within 1–3 days — you get an email the moment it lands. The instant posture check fills the gap from minute one.
I already have a DMARC record — can I run PlainDMARC in parallel?
Yes. DMARC supports multiple rua destinations in one record, so add our address alongside your current tool while you evaluate.
What exactly do my clients receive?
A weekly plain-English report branded with your logo and sender name — see the live sample. They never need to log in anywhere.