This article is intended for customers using the paid version of our product, Enforce. Customers using our free product, Monitor, should review our Getting Started articles.



With Valimail Enforce, managing a DMARC record can be done with just a few clicks. 


To view your DMARC record configuration, follow these steps: 

  1. Go to the Domains Page (click 'Domains' on the left, below Account Overview) 

  2. Click on the domain name (on the left side). 

  3. Look under the ‘Enforcement and Reporting’ section. 


a screenshot of a computer


  1. The domain(or subdomain) name.

  2. The DMARC policy currently set for the domain/subdomain above it. 

  3. Allows you to set a different DMARC policy. Once updated the policy goes into effect immediately, as there is no delay caused by DNS propagation. For the “Advanced Options” see the section below. 

  4. The Status of the DMARC record.

    • Configured - the domain is pointing the DMARC record to Valimail, using an NS record (or CNAME if applicable). 

    • Not Configured - the domain is not pointing the DMARC record to Valimail, or it’s pointing it using a TXT record (using a TXT record will not allow you to manage DMARC in the platform). Note: Clicking on the red sign next to “Not Configured” will reveal the instructions to point DMARC to Valimail. 

  5. Add an “Aggregate Report Email Address” by clicking on the + button. 

  6. Add a “Failure Report Email Address” by clicking on the + button.

    • Note: Valimail does not process failure reports because they contain Personal Identifiable nformation (PII) that is not required to complete your enforcement project. 

  7. To add a subdomain on which you will configure a separate DMARC policy. 



DMARC policy Advanced Options

Clicking on “Show Advanced Options” in the “Change the DMARC policy” window, will reveal the additional settings for your DMARC record. 

  1. Domain Policy a screenshot of a computer

    • Change the enforcement policy from p=none to p=quarantine, or p=reject.

  2. Subdomain Policy 

    • Set a DMARC policy for the subdomains under the apex domain. 

    • The default setting is “Domain Policy - Use the policy defined for the domain,” which means that the subdomain will inherit the policy from the apex domain. 

  3. Enforce Policy on this % of Messages

    • Specify what % of messages you want to be enforced by the p=quarantine or p=reject policy. 

    • The default setting is 100%:all mail is subjected to DMARC processing, which is also the recommended %. 

    • For more information about percentages and why we recommend full enforcement please see this blog post.

  4. Only authenticate with DKIM/SPF if the domain is an exact match. 

    • This refers to DKIM/SPF alignment, which has two modes: relaxed (option is unchecked) and strict (option is checked). 

    • Exact match or strict alignment (option is checked) means that the sender domain needs to match exactly the DKIM signing domain (d=domain parameter in the email header) or the domain in the MAIL FROM command (for SPF). 

    • The default setting is ‘Relaxed’ (the option is unchecked in the UI), which allows you to use subdomains for SPF and DKIM authentication when the sender domain is your apex domain, or vice-versa.