Step by step

Your DMARC Journey

From a folder full of report files to a clear picture of your email security. Follow these steps and you will know exactly who is sending as your domain, and what to do about it.

Collectsave your files
Selectwhat to include
Openlaunch the app
Filterset your domain
Configureset your options
Generaterun the report
Readunderstand the output
Actfix, share, enforce
Before you start
Do you have DMARC set up?

Quick check: Go to mxtoolbox.com/dmarc.aspx, enter your domain, and click Check. If it returns a record starting with v=DMARC1 you already have DMARC set up — skip this section and start at Step 1. If it returns nothing, read on.

DMARC reports do not arrive automatically — you need a DMARC record in your DNS that tells receiving mail servers where to send them. Here is what you need to know to get started.

SPF — A DNS record that lists which servers are allowed to send email as your domain. Most organisations already have one.
DKIM — A cryptographic signature added to outgoing emails. Set up on your email platform, verified in DNS. Confirms the email has not been tampered with.
DMARC — A policy record in DNS that tells receiving servers what to do with mail that fails SPF or DKIM, and where to send reports. This is what generates the report files TrustedMARC analyses.

Create a dedicated mailbox first. Reports arrive as email attachments and can be frequent. We recommend creating a dedicated mailbox for them — something like dmarc@yourdomain.com — rather than using your main inbox. Your DNS or email provider can help you set this up.

Then add a DMARC record to your DNS. A minimal starting record looks like this:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com;

Add this as a TXT record in DNS with the name _dmarc.yourdomain.com. Replace the email address with your new dedicated mailbox. Your domain registrar or DNS provider can help you add it. Use MXToolbox to verify it is visible within 24 hours.

p=none is monitoring-only — it does not block or quarantine any mail, so there is no risk in starting here. Reports will begin arriving within 24 to 48 hours. Wait at least one to two weeks before collecting them for analysis, so you have a meaningful dataset. Then return here and start at Step 1.

1
Collect your DMARC report attachments

DMARC aggregate reports arrive in your inbox as email attachments from receiving mail servers — Google, Microsoft, Yahoo, and others. They are usually compressed files with names like google.com!yourdomain.com!1234567890.xml.gz. Save them all into a single folder on your computer.

Most mail clients let you select multiple emails and save all attachments in one action. The exact method varies — check your client's documentation if you are unsure. TrustedMARC accepts .zip, .gz, and .xml files and scans subfolders automatically, so you can drop everything in without sorting.

You may also have a dedicated mailbox or folder where your DMARC reports are delivered — if so, export attachments from there directly.

Tip: The more reports you include, the more accurate your dataset. Fewer reports increases the chance of missing periodic senders — a monthly invoicing system or quarterly newsletter tool may only appear in certain weeks of data. Aim for at least two to four weeks where possible.
2
Watch out for compiled summary reports

The files you want are the raw aggregate XML reports sent directly by receiving mail servers. These are the originals — each one covers a specific period and comes from a specific provider.

If you use a third-party DMARC monitoring service, they may also send you digest or summary emails — compiled versions of those same reports. These are not the originals. Including them alongside the raw files can inflate your message counts and make the results less accurate. Some also share the same filename as the originals, causing overwrite conflicts when you try to save them to the same folder.

If you have both types in your inbox, the simplest approach is to move the monitoring service emails to a separate folder before exporting, export your attachments, then move them back. It takes a minute and keeps your dataset clean.

Not essential: If separating them is too much trouble, include everything. The results will still be useful — just treat the message volume numbers as approximate rather than exact.
3
Open TrustedMARC and select your folder

Launch the TrustedMARC application. On first launch you will be prompted to enter your licence key — enter it exactly as shown in your purchase confirmation email. Copy and paste is recommended to avoid errors. Once activated, the main window opens and your licence is stored. You will not be asked again.

Click Browse next to Reports Folder and select the folder you saved your attachments into. The output report path is set automatically with a timestamped filename in the same folder. Change it if you prefer a specific location.

First time only: Make sure you have an internet connection when activating your licence for the first time. After activation the app will work offline for up to 14 days before requiring a connection to revalidate.
4
Set a domain filter

If your folder contains reports for multiple domains, enter the specific domain you want to analyse in the Domain filter field — for example yourdomain.com. This focuses the report and allows the DNS record check to fetch the right records.

Leave the field blank to include all domains found across your files in a single combined report.

Important: If you enter a domain that has no matching records in your report files, the app will show an error. This is expected and means none of your saved files contain reports for that domain. Check the spelling matches exactly, or leave the filter blank to see all available domains first.
5
Choose your options

Geolocation — looks up the country, city, and ISP for each sending IP. Makes it much easier to identify unknown senders and spot suspicious traffic. Recommended on, though it adds a few seconds for large report folders.

Reverse DNS — resolves each IP to a hostname, helping confirm whether traffic originates from a known provider's infrastructure. Recommended on.

DNS Records — fetches your current live SPF and DMARC records and includes them in the Health tab alongside recommendations. Requires a domain filter to be set and an internet connection.

6
Generate your report

Click Generate Report. The log area shows real-time progress — files being parsed, IPs geolocated, senders identified. For a typical folder of a few weeks of reports this takes between ten seconds and a couple of minutes, depending on the number of unique IPs to look up.

Larger datasets take longer. A folder covering several months of reports for a busy domain with hundreds of unique IPs may take five to ten minutes or more, particularly with geolocation and reverse DNS enabled. This is normal — leave it running and it will complete.

When complete, the report opens automatically in your default browser. You can reopen it at any time using the Open Report ↗ button in the status bar at the bottom of the app.

If the report seems to hang: Try unticking Geolocation and Reverse DNS before running. These options make external network requests for every unique IP and are the most time-consuming part of the process. Disabling them produces a faster report with slightly less detail — useful for confirming the report completes before enabling them again for a full run. Geolocation and reverse DNS both require an active internet connection.
7
Read the report — start with Health & Actions

The report has three main tabs. Start with Health & Actions. This shows your current DMARC policy level, your live SPF and DMARC records, and a prioritised list of specific recommendations in plain English. This is the most important tab — it tells you what to fix and in what order.

Move to Senders next. This groups all traffic by identified sending service. Google Workspace, Microsoft 365, SendGrid, Amazon SES, Mailchimp and others appear by name with their pass rates. Any unrecognised sender appears as Unknown with ISP and location detail. This is where shadow IT and potential spoofing show up.

Not every sender will be identified by name. TrustedMARC matches IPs against a database of known services — anything not in the database shows as Unknown. This can happen because the service is not yet in the database, because geolocation or reverse DNS returned no useful data, or because the sender is genuinely unrecognised. Unknown does not automatically mean suspicious — investigate volume, pass rate, and location to decide whether it warrants attention.

Finally, IP Detail gives the full breakdown of every sending IP. Sortable and filterable, with a drilldown for each one showing identity, network, geolocation, and authentication detail.

The key question: Do you recognise every sender in the list? Any Unknown sender with significant volume or a high failure rate warrants investigation — it could be shadow IT, a misconfigured legitimate service, or an active spoofing attempt.
Using the filters in IP Detail: The search box filters across all columns at once. The date range picker narrows to IPs active in a specific period — useful for isolating activity around a particular incident. The flag dropdown lets you jump straight to suspicious IPs only. Clicking any row expands a drilldown showing full identity, network, and a per-IP activity chart.
Taking it further with message traces: The IP addresses in TrustedMARC can be used directly in your email platform's admin tools to investigate specific mail flows. For example, in Microsoft 365 you can run a message trace in the Exchange Admin Centre filtering by sender IP. In Google Workspace, Email Log Search in the Admin Console allows the same. Other platforms (e.g. Mimecast, Proofpoint) offer similar functionality. This lets you move from a statistical picture to inspecting the actual emails sent by a specific IP — useful when investigating a suspicious unknown sender or validating a legitimate one.
8
Save, share, and act on your findings

The report is a single self-contained HTML file. Email it to a colleague, share it with your security team, or keep it as a dated record of your domain's authentication posture. Use Export CSV in the report header to download a full spreadsheet of all IP data.

Use Print / Save as PDF from your browser to generate a clean PDF for management reporting or client handoff.

Follow the recommendations in the Health tab to fix authentication gaps: misconfigured senders, missing DKIM signing, and SPF alignment issues. Once all legitimate senders are passing cleanly, you have the evidence to move to a stricter DMARC policy without disrupting legitimate mail.

The goal: Identify every legitimate sender, fix their authentication, then move from p=none → p=quarantine → p=reject. TrustedMARC gives you the visibility to do each step with confidence rather than guesswork.
Run it regularly. Your email environment changes over time — new services get added, configurations drift, and new threats emerge. Running TrustedMARC monthly means you always know exactly which sources are sending as your domain, and nothing slips through unnoticed.
Comparing reports across different time periods

TrustedMARC generates a report from whatever files are in the folder you select. You can use this to compare your DMARC posture across different periods — for example, this week versus last month, or before and after a configuration change.

To do this safely:

1. Copy your DMARC report files into a dedicated working folder — never move or delete the originals. Your originals are your source of truth.
2. Create a folder for each time period you want to compare — for example, dmarc_7days containing the last week of reports, and dmarc_28days containing the last four weeks.
3. Generate a TrustedMARC report from each folder separately, saving each with a descriptive filename.
4. Open the first report in your browser, click the Compare tab, and load the second report.

You will see new senders that appeared, senders that disappeared, and pass rate changes between the two periods — without needing to change any settings or date filters within the app.
Advanced
Running TrustedMARC automatically on a schedule

TrustedMARC supports a headless command-line mode that runs the report engine without opening the GUI. This means you can schedule automatic monthly or weekly reports using your operating system's task scheduler — the app does not need to be open or running in the background beforehand.

The same app you use normally handles both modes. Double-click to open the GUI as usual, or call it from the command line to run silently and produce a report file automatically.

macOS — Terminal or cron

Call the binary inside the app bundle directly:

/Applications/TrustedMARC.app/Contents/MacOS/TrustedMARC /path/to/reports --domain yourdomain.com --output ~/reports/monthly.html --open

To run automatically on the 1st of every month at 9am, add this to your crontab (crontab -e):

0 9 1 * * /Applications/TrustedMARC.app/Contents/MacOS/TrustedMARC /path/to/reports --output /path/to/dmarc_report_monthly.html
Windows — Command Prompt or Task Scheduler

Run the exe directly from Command Prompt or a batch file:

TrustedMARC.exe C:\\path\\to\\reports --domain yourdomain.com --output C:\\reports\\monthly.html --open

To schedule it, open Task Scheduler, create a Basic Task, set your trigger (daily, weekly, or monthly), and point the action at a batch file containing the command above. The report is saved to the output path and opened in your browser automatically if you include --open.

Available options
<folder> — Path to your DMARC reports folder (required)
--domain — Filter to a specific domain. Omit to include all domains
--output — Where to save the HTML report. Defaults to a timestamped file in the reports folder
--no-geo — Skip IP geolocation. Faster, but senders may show as Unknown
--no-rdns — Skip reverse DNS lookups
--no-dns — Skip live SPF and DMARC record check
--open — Open the report in your default browser when complete

Internet connection: Geolocation, reverse DNS, and live DNS record lookups all require an active internet connection at the time the scheduled task runs. Use --no-geo --no-rdns --no-dns if running on a machine without reliable internet access.

Ready to start your DMARC journey?

TrustedMARC is available now for macOS and Windows. One-time purchase, no subscription.

View pricing — from £39 Why it matters