This article will provide a guide on how to manage the DMARC record configuration in the Valimail Enforce platform for both the root domain and subdomains. 

If you are using the Valimail Monitor product, please check this article. 

To manage your DMARC record in Valimail, you'll need to point your domain's DMARC record to Valimail using either a NameServer (NS) or CNAME record. These instructions provide a detailed guide on how to do this. Please note that pointing DMARC to Valimail using a TXT record, will allow us to receive aggregate feedback reports for your domain, but it will not enable you to manage the DMARC record in Enforce. 

Managing DMARC for the root domain

After pointing your domain's DMARC record to Valimail with either an NS or CNAME record, you can proceed with the following steps to access the domain's configuration page and make changes to the DMARC record.

  1. Log into Enforce.
  2. Go to Domains on the left. 
  3. From the list of domains, click on the domain name that you want to update. 

The section at the top of the domain configuration page is where the DMARC record can be managed.

dmarc record, sending status, add external reporting domain

1. Configured Status: Contains the current DMARC record and also the section for adding an additional Aggregate Report Address. 

2. DMARC policy: The option to change the DMARC policy. 

3. Sending Status: Changing the Sending Status. In case the domain is sending authenticated emails the status should be kept on Active at all times. 

4. Add External Reporting Domains. 

Configuration Status

In this section, we will indicate if the DMARC record is pointing to Valimail using an NS or CNAME record.


Configured: DMARC is pointing to Valimail with an NS or CNAME record. 

Not Configured: DMARC is not pointing to Valimail. 

Reporting Only: DMARC is pointing to Valimail with a TXT record. 

Clicking on the Not Configured and the Reporting only statuses will open a window displaying the instructions to point DMARC to Valimail with an NS record. Clicking on the Configured status will open the window where you can see the current DMARC record as well as the section where you can add additional reporting addresses. 

dmarc record, aggregate reports

Changing the DMARC policy

To change the DMARC policy you will have to follow these steps: 

  1. Click on the DMARC Policy.Dmarc policy
  2. Select the desired policy (None, Quarantine, or Reject). None, Quarantine, Reject
  3. Click the Change Policy button on the confirmation window. change policy

Advanced Options 

At the bottom of the Set DMARC Policy window, you will find Advanced Options. Enforcement Percentage, Subdomain Policy, Strict Alignment

Enforcement Percentage: With this option, you can choose the percentage of messages that should be subject to the p=quarantine or p=reject policy. The default setting is 100%, meaning that all mail is subjected to DMARC processing, which is also the recommended percentage. 

Subdomain Policy: Set a DMARC policy for the subdomains under the apex domain. The default setting is “Domain Policy - Use the policy defined for the domain,” which means that the subdomains will inherit the policy from the apex domain. 

Strict Alignment: This refers to DKIM/SPF alignment, which has two modes: relaxed (option is unchecked) and strict (option is checked). Strict alignment (option is checked) means that the sender domain needs to match exactly the DKIM signing domain (d=domain parameter in the email header) or the domain in the MAIL FROM command (for SPF). The default setting is ‘Relaxed’ (the option is unchecked in the UI), which allows you to use subdomains for SPF and DKIM authentication when the sender domain is your apex domain, or vice-versa.  

Sending Status 

For a complete guide on managing the Sending Status, please see this article. 

Any domain that is sending authenticated emails, should have an Active sending status at all times. 

Add External Reporting Domains

To learn what external reporting domains are, and when they should be used, please read the following article

External reporting domains cannot be managed in Valimail if DMARC is pointing to us with a CNAME or TXT record. 

Managing DMARC for a subdomain

Subdomains automatically inherit the DMARC policy from the root domain, but the DMARC specification allows domain owners to publish a DMARC record on a subdomain and manage the policy for it independently from the root domain. 

If you have already pointed the DMARC record for your subdomain to Valimail using an NS or CNAME record, you can use the following steps to manage DMARC for that subdomain.

  1. Open the domain's configuration page. 
  2. Scroll down to the subdomain in question, and click on its name. subdomain
  3. Click on the DMARC Policydmarc policy
  4. Click on the acknowledge checkbox then click on Continuecontinue
  5. Select the desired Enforcement policy. None, Quarantine, Reject
  6. Click on Change Policy. change policy

In case you did not publish a DMARC record on the subdomain, the subdomain will inherit the policy from the root domain, which is the recommended configuration. In this case the configuration page will show a "Configured" status on the subdomain. 

If the subdomain has a DMARC TXT record published, the configuration page will show a "Not Configured" status on that subdomain, regardless if the DMARC record is pointing to Valimail or not. 

As always, if you have any questions, please don't hesitate to submit a ticket