FAQ · dmarc-record.de

Frequently asked questions about DMARC.

Direct answers to the questions we're asked most often – about DMARC, monitoring, the Taskforce and GDPR-compliant data storage.

01

Basics.

What DMARC is, how it interacts with SPF and DKIM, and what the policy levels mean.

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is an email authentication protocol that defines what happens to emails that claim to come from your domain but cannot be authenticated as such. DMARC builds on SPF and DKIM and adds a policy layer: deliver, move to spam, or reject.

The three DMARC policy levels define what happens to non-authenticated emails. p=none means: nothing is blocked, you only receive reports. p=quarantine means: suspicious emails land in the spam folder. p=reject means: suspicious emails are rejected entirely and never arrive.

Yes — and ideally both. DMARC requires at least one of the two mechanisms (SPF or DKIM) to be correctly configured and aligned with your sending domain.

Alignment means that the domain in the From header of an email matches the domain that SPF or DKIM authenticated. Only when this alignment is correct does an email count as DMARC-compliant. There are two modes: relaxed and strict.

RUA stands for Reporting URI for Aggregate reports. It is the email address to which mailbox providers send their daily DMARC aggregate reports. Without an RUA address, you receive no reports.

02

Monitoring.

How raw XML data becomes a readable dashboard – and what becomes visible in the process.

DMARC monitoring means that DMARC reports are automatically received, processed and visualized. Instead of manually evaluating raw XML data, a dashboard shows you who is sending emails in your name – legitimately or abusively.

Yes. nicmanager monitoring is multi-domain capable and is suitable for both individual domains and complex domain portfolios.

No. nicmanager provides its own RUA address that is entered directly into your DMARC record. Reports then come in automatically.

03

Taskforce.

The managed service with the Score-80 Guarantee: scope, duration and billing.

The Taskforce is a managed service in which the nicmanager team handles the complete DMARC implementation, from the initial assessment through SPF and DKIM configuration to the safe switch to p=reject, backed by the Score-80 Guarantee.

Typically 3–4 weeks, depending on the number of domains and the complexity of the third-party services in use.

The DomainSecurity Score measures the maturity of your email security configuration on a scale from 0 to 100. The Taskforce works until a score of 80 or higher is reached. If this result is not achieved by the end of the project, we refund the fee in full.

04

GDPR & Data Storage.

Where the data is held, which certifications exist, and what the DPA covers.

All data is stored and processed exclusively on servers within the EU. nicmanager operates EU-based hosting and is fully GDPR-compliant.

Yes. nicmanager is ISO 27001 and ISO 9001 certified. In addition, nicmanager is a partner of the Alliance for Cyber Security of the German Federal Office for Information Security (BSI).

Yes. A standardized DPA is available for all customers who have DMARC reports processed via nicmanager.

05

Troubleshooting.

When something goes wrong despite DMARC – and what the reports say about it.

Because DMARC is set to p=none and isn't blocking anything yet – or because p=quarantine or p=reject is set, but not all recipients enforce DMARC. In addition, DMARC only protects your own domain in the From header – not look-alike domains or display-name spoofing.

This points to an SPF or DKIM alignment problem. A sending service – often a newsletter tool or CRM – is not configured correctly and fails the DMARC check.

Common causes: a missing v=DMARC1 at the beginning, incorrect syntax in the RUA address, missing semicolons between the tags, or the record not being in the right place in the DNS.
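The causes listed above can be checked mechanically before a record is published. The following Python linter is an added example, not nicmanager's code; the function name, the tag list and the sample records on example.com are constructed for illustration.

```python
import re

TAGS = ("v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri")
# Whitespace that separates two tags where a semicolon should have been.
MISSING_SEP = re.compile(r"(?<=[^;\s])\s+(?=(?:%s)\s*=)" % "|".join(TAGS))
RUA_URI = re.compile(r"^mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?$", re.I)


def lint_dmarc(owner, txt):
    """Return a list of problems for the TXT value `txt` published at `owner`."""
    problems = []
    if not owner.lower().startswith("_dmarc."):
        problems.append("wrong DNS location: expected _dmarc.<domain>")
    if MISSING_SEP.search(txt):
        problems.append("missing semicolon between tags")
        txt = MISSING_SEP.sub(";", txt)  # repair so the remaining checks still run
    pairs = []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        key, sep, value = part.partition("=")
        if not sep:
            problems.append("not a tag=value pair: %r" % part)
            continue
        pairs.append((key.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    tags = dict(pairs)
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("p must be none, quarantine or reject")
    if "rua" not in tags:
        problems.append("no rua tag: no aggregate reports will arrive")
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri and not RUA_URI.match(uri):
            problems.append("bad rua address: %r" % uri)
    return problems


# Constructed sample records; example.com is a placeholder domain.
SAMPLES = {
    "ok": ("_dmarc.example.com", "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"),
    "no_sep": ("_dmarc.example.com", "v=DMARC1 p=none; rua=mailto:dmarc@example.com"),
    "bad_rua": ("_dmarc.example.com", "v=DMARC1; p=none; rua=dmarc@example.com"),
    "no_version": ("example.com", "p=reject; rua=mailto:dmarc@example.com"),
}

if __name__ == "__main__":
    for label, (owner, txt) in SAMPLES.items():
        print(label, lint_dmarc(owner, txt) or "clean")
```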

SPF allows a maximum of 10 DNS lookups per check. Anyone who has integrated many third-party services quickly exceeds this limit – and SPF fails. This is called an SPF Permerror.

There can be two causes. First: a third-party service that sends in your domain's name and that you didn't explicitly set up. Second: a spoofing attempt. For each sender, the monitoring shows volume, IP address and SPF/DKIM result.
