Frequently asked questions

Most major receivers (Google, Microsoft, Yahoo, Apple) email reports daily, batched by their own schedule. After publishing the TXT record, your first report typically lands within 24 hours. If you can't wait, hit the Self-test button in the dashboard to push a synthetic report through the pipeline in seconds.

Not if you start with p=none. That's monitor-only — receivers report on what they observed, but they don't change delivery. We strongly recommend everyone starts at p=none for at least a week.

List both rua= addresses in your TXT record, comma-separated. Receivers send aggregate reports to both. Cut over to DMARCify when you're confident the data lines up.

Yes. You can monitor an apex domain and any number of subdomains separately. Each gets its own dashboard. Subdomain policy (sp=) is also surfaced in the dashboard so you can see exactly what receivers will apply.

Read your reports weekly for the first month. The dashboard makes this take 30 seconds. Once every legitimate sender is showing ≥99% aligned, you can ramp to p=quarantine, then p=reject.

Forwarders re-send your mail from their own IPs, which breaks SPF (the source IP isn't in your SPF anymore). DKIM usually survives forwarding because the signature is attached to the message. We detect this pattern — DKIM aligned, SPF broken — and group those senders into a separate 'Forwarded mail' bucket so you don't waste triage time on it.

SPF lists which IPs may send for your envelope-from. DKIM cryptographically signs each message with your domain's key. DMARC sits on top and says 'if a message claims to be from my domain in the From: header, at least one of SPF or DKIM must align with that domain.' Read the full primer on /why-dmarc.

The domain SPF or DKIM authenticated must match (or be a subdomain of) your From: header domain. Relaxed alignment (the default) accepts any organisational-domain match — mail.example.com aligns with example.com. Strict alignment requires an exact match.

By default many ESPs sign DKIM with their own domain (d=sendgrid.net) which doesn't align with your From: (yourbrand.com). The fix is 'DKIM signing with a custom domain' — every reputable ESP supports this, usually under 'sender authentication' or 'verified domain' settings. Add a couple of CNAMEs and you're aligned.

Typical timelines: 1 week at p=none watching reports, 1 week fixing misaligned senders, 1 week at p=quarantine; pct=10, 1 week ramping to pct=100, 1 week at p=reject. Total: ~5 weeks. Faster if your estate is small.

On Cloudflare's global network. Your domain's DMARC reports live in a Durable Object that Cloudflare keeps in the region closest to the org owner. D1 (the relational metadata DB) is currently EU-replicated. Business plans can pin to EU-only.

No. Cancel and we delete your data — nothing held hostage, no penalty. If you want a dump of historical reports on your way out, email hello@dmarcify.dev and we'll ship you the lot.

The domain's Durable Object is wiped within 24 hours. Cloudflare's storage is then garbage-collected. Org-level metadata is removed immediately. We don't keep tombstones.

No. Never have, never will. We don't aggregate customer data into 'industry benchmarks' or anything similar.

Yes. The infrastructure is run by an EU-based operator (Germany), customer data can be region-pinned to the EU on Business plans, and a signed DPA is available on request. Email dpo@dmarcify.dev for the documents.

Because every byte of Cloudflare we use is billed at the paid rate — and because a free tier attracts enough drive-by signups that the support and abuse-handling cost dwarfs the infrastructure savings. We'd rather charge €3/domain than pile on feature-flag walls. There's a 14-day free trial on either tier, no credit card required to start.

Linear per-domain. €3/domain on Pro (single team), €5/domain on Agency (multi-tenant for consultancies managing client orgs). Enterprise is custom — talk to us. Volume discounts apply automatically: −10% at 10 domains, −20% at 25, custom at 100+. Annual billing saves 2 months (≈17%). Stripe handles card and SEPA; VAT-compliant invoices issued automatically.

Yes. Registered non-profits and actively-maintained open-source projects get 50% off Pro or Agency — email hello@dmarcify.dev with proof. Startups under 18 months old or 10 employees get 50% off Pro for the first year. Both stack with volume discounts.

Yes — two months free (≈17% off), billed up-front, pro-rata refund if you downgrade or cancel.

We re-check your live _dmarc TXT every hour. If your rua= no longer contains the mailbox we generated for you, we warn you on the domain page and overview — because the moment that happens, receivers stop sending us reports.

Yes — under domain settings. The old token continues to receive for 7 days so you can update your DNS record without losing a day of reports.

DMARC reports queue at the receiver and re-send for up to 7 days. So even an extended outage doesn't lose reports — they trickle in once we're back. The dashboard itself is multi-region; Workers fail over automatically.

Cloudflare's status page is the source of truth for our infrastructure. We mirror any DMARCify-specific incidents at status.dmarcify.dev and at the bottom of the marketing site.

Not today. We're a small team and supporting self-hosting takes serious effort. If you have a strict requirement to self-host, contact us — we'll talk through your needs.