Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=email-dmarc-manager-portal

DMARC Manager portal

You must have a DMARC Manager license to use this feature.

The DMARC Manager portal provides a comprehensive view of your domain's email authentication and compliance. The portal provides in-depth reporting and visibility into how senders use your domains to send email and whether those messages comply with DMARC policies.

Go to My Products > Email Protection > DMARC Manager, then click Manage DMARC in the upper right. You'll be redirected to the DMARC Manager portal.

From the portal, you can also perform CNAME-based DNS validations through DMARC, SPF, DKIM, BIMI, TLS-RPT, and MTA-STS records. You can configure a CNAME record once and manage future changes directly from the DMARC Manager portal.

To learn more about DMARC and how it works, see DMARC Overview.

What you can do

The DMARC Manager portal allows you to manage your domain authentication setup, review sender activity, and track your overall DMARC compliance.

Here are some of the key things you can do in the portal:

  • Monitor domain health with a summary of reporting status and DMARC-compliant email volume.
  • View which services or servers are sending emails on behalf of your domains.
  • Approve valid senders to improve compliance and reduce false positives.
  • Set up and verify DMARC, SPF, DKIM, BIMI, TLS-RPT, and MTA-STS DNS records.
  • Track authentication trends over time using charts and historical data.
  • Set up alerts for compliance changes, new senders, or DNS verification issues.

Dashboard

The dashboard provides detailed information on your domain authentication status and email security posture. It shows how many domains have DMARC Reporting turned on, the percentage of messages that meet enforcement policies, and the number of approved and unapproved senders.

You can view trends in email volume and compliance over time, assess which domains or senders might need attention, and access detailed reports for further investigation. The dashboard is your central view for monitoring DMARC performance and improving domain protection.

Click any link in the dashboard for more details.

For more information on the dashboard, see Dashboard.

DMARC Manager portal dashboard.

Reports

This section includes detailed views for email senders, TLS-RPT reports, and failure reports. Use these reports to monitor authentication behavior and troubleshoot issues across your domains.

Email Senders

The Email Senders report provides a comprehensive overview of the sources sending email on behalf of your domain. You can analyze sender behavior based on three key aspects: Compliance, Deliverability, and Reputation. The report helps you assess whether mail servers properly authenticate the messages, deliver them, and trust the sending sources.

For more information on this report, see Email Senders Report Overview.

In this report, you can do the following actions:

  • View detailed sender data, including IPs, hostnames, volumes, and DMARC results.

  • Assign a category to each sender to help organize and filter reporting data.

    For more information on the categories, see Email Sender Categories.

  • Identify misconfigurations, unauthorized sources, and risky behavior through compliance and delivery comparisons.

Compliance

The Compliance tab shows how senders are performing against DMARC policies. It shows whether emails pass or fail authentication checks and provides insights into compliance rates.

For more information, see Compliance Report.

"Compliance" tab in Email Senders report.

Deliverability

The Deliverability tab shows whether your domain's emails are being delivered successfully or blocked due to policy enforcement.

For more information, see Deliverability Report.

"Deliverability" tab in Email Senders report.

Reputation

The Reputation tab helps you assess the trustworthiness of senders. It shows which senders have been classified as untrustworthy and whether their emails are clean or flagged. This view helps prioritize remediation efforts and maintain a strong domain reputation.

For more information, see Reputation Report.

"Reputation" tab in Email Senders report.

TLS-RPT Reports

The TLS-RPT Reports dashboard shows how successfully email servers establish secure connections using TLS when sending email to your domain. These reports help you monitor encryption issues that could affect message confidentiality or delivery.

In this report, you can do the following actions:

  • View trends of successful and failed TLS connections over time.
  • See which reporting organizations are experiencing issues.
  • Check each sender's policy mode and type to identify configuration issues.
  • Use insights to find TLS or MTA-STS gaps and improve security.

For more information on this report, see TLS-RPT Reports Overview.

TLS-RPT Reports.

Failure Reports

The Failure Reports dashboard shows detailed forensic data for individual email messages that failed DMARC authentication. These reports help you investigate suspicious or unauthorized sending activity.

In this report, you can do the following actions:

  • See message-level details, including return path, IP address, and authentication results.
  • Identify the type of failure and whether the message was delivered or rejected.
  • View detailed info like feedback type, source domain, and incident count.
  • Download the report for further investigation or recordkeeping.

For more information on this report, see Failure Reports Overview.

Failure Reports.

Domain configuration

The Domains page shows the domains you've added to DMARC Manager. It provides key details like DMARC score, verification status, policy enforcement level, and domain type.

On this page, you can do the following actions:

  • View each domain's DMARC configuration and compliance score at a glance.
  • Check verification status and policy mode such as none, quarantine, or reject.
  • Set a domain as primary, mark it as parked, or access detailed reports and logs.
  • Add and manage domains directly from this page.

Domains page.

Configuring domains requires setting up records and adding them to your DNS. DMARC Manager supports both CNAME and TXT records. CNAME allows the system to manage DNS changes automatically, while TXT requires manual updates.

Warning

If you're using Cloudflare, make sure you turn off the DNS proxy when configuring a new CNAME record. The proxy is turned on by default, and leaving it on might break the DNS validation or resolution process. For more information, see Proxy status.

Go to the tab to configure the DNS records and reporting settings for your selected domain.

To configure DMARC, do as follows:

  1. In the DMARC tab, set your policy and reporting preferences.
  2. Click Save.
  3. Click View Setup Instructions.
  4. Add the CNAME record to your DNS.
  5. Click Verify to verify the record.
  6. After verification, click Save to apply changes.

For help, see DMARC Configuration Settings & Setup.

To configure SPF, do as follows:

  1. In the SPF tab, add a new SPF directive.
  2. Set your SPF preferences.
  3. Click Save.
  4. Click View Setup Instructions.
  5. Add the TXT record to your DNS.
  6. Click Verify to verify the record.
  7. After verification, click Save to apply changes.

For help, see SPF Settings.

To configure DKIM, do as follows:

  1. In the DKIM tab, click Enable DKIM Management.
  2. If prompted, click Enable DKIM Management.
  3. Add a new public key.
  4. Set your DKIM preferences.
  5. Click Save.
  6. Click View Setup Instructions.
  7. Add the NS records to your DNS.
  8. Click Verify to verify the record.
  9. After verification, click Save to apply changes.

For help, see DKIM Settings.

To configure BIMI, do as follows:

  1. In the BIMI tab, click Enable BIMI Record Hosting.
  2. If prompted, click Enable BIMI Record Hosting.
  3. Add a BIMI logo.

  4. (Optional) Add a Verified Mark Certificate (VMC).

    Adding this certificate isn't required, but it helps show your logo in more email clients that support VMC validation.

  5. Click Save.

  6. Click View Setup Instructions.
  7. Add the CNAME record to your DNS.
  8. Click Verify to verify the record.
  9. After verification, click Save to apply changes.

For help, see BIMI Settings.

To configure TLS-RPT, do as follows:

  1. In the TLS-RPT tab, click Enable TLS-RPT Reporting.
  2. If prompted, click Enable TLS-RPT Reporting.
  3. Add an email address where mail servers will send the reports.
  4. Click Save.
  5. Click View Setup Instructions.
  6. Add the CNAME record to your DNS.
  7. Click Verify to verify the record.
  8. After verification, click Save to apply changes.

For help, see TLS-RPT Settings.

To configure MTA-STS, do as follows:

  1. In the TLS-RPT tab, click Enable MTA-STS Hosting.
  2. If prompted, click Enable MTA-STS Hosting.
  3. On the policy level, click View Setup Instructions.
  4. Add the CNAME record of the MTA-STS policy to your DNS.
  5. Click Verify to verify the record.
  6. On the record level, set the preferred policy enforcement level.
  7. Click Save.
  8. Click View Setup Instructions.
  9. Add the CNAME record of the MTA-STS record to your DNS.
  10. Click Verify to verify the record.
  11. After verification, click Save to apply changes.

For help, see TLS-RPT Settings.

How the score is calculated

Your Domain Score shows how well your DNS records protect your domain against impersonation, privacy threats, and branding issues. It reflects the strength of your DNS-based email authentication and security records. For information, see Domain Score.

Domain Score.

The score is broken down into three weighted categories.

Category Weighting Contribution details
Impersonation 80% Based on DMARC, SPF, and DKIM
Marketing 5% Based on BIMI
Privacy 15% Based on TLS-RPT and MTA-STS

To learn more about how your score is calculated, see the sections below.

Impersonation (80%)

Impersonation evaluates how well your domain's email authentication methods protect it from spoofing and phishing attacks. DMARC has the highest impact on this score.

  • If DMARC is missing, misconfigured, or set to None, you'll receive a low score.
  • If DMARC is set to Quarantine, you'll receive a moderate score.
  • If DMARC is set to Reject, you'll receive a high score.
  • If SPF and DKIM aren't properly configured or don't align with your DMARC policy, your score might be reduced.

Marketing (5%)

Marketing assesses how your domain supports brand recognition through email.

  • If you don't have a BIMI record, you'll receive a score of 0.
  • If you have a valid BIMI record with a Verified Mark Certificate (VMC), you'll receive a score of 5.

The score reflects your domain's current configuration and might not include recent DNS changes.

Privacy (15%)

Privacy measures the level of encryption and security applied to email delivery.

  • If TLS-RPT or MTA-STS is missing, you'll receive a score of 0.
  • If one record is missing or values are incomplete, you'll receive a score between 1 and 3.
  • If both records are present and MTA-STS is set to In Testing, you'll receive a score of 4.
  • If both records are present and MTA-STS is set to Enforced, you'll receive a score of 5.

Alerts

The Alerts page lets you create and manage notifications for important domain activities and changes. You can choose from various alert types, such as compliance score changes, DNS verification issues, and newly detected senders.

On this page, you can do the following actions:

  • Set up alerts for specific events such as compliance drops or DNS setup failures.
  • Specify how frequently alerts are sent.
  • Define email recipients for each alert.

Note

If you're missing an alert, make sure to check your junk or spam folder for emails from alert@sophosdmarc.com.

For more information on the Alerts page, see Alerts.

Alerts page.