SPFmonitor - Check your email security

Email Protection Policy

Main Policy *

Monitor Only (none)
Track all email but take no action. Perfect for testing and getting baseline data.

Quarantine (quarantine)
Send suspicious emails to spam/junk folder. Good middle ground.

Reject (reject)
Block unauthorized emails completely. Maximum security but use carefully.

Recommendation: Start with "Monitor Only" to understand your email flow, then gradually strengthen.

Subdomain Policy (optional)

Same as main policy
Use the same policy for subdomains (most common choice)

Monitor Only
Only monitor subdomains, even if main policy is stricter

Quarantine

Reject

Policy Coverage

Percentage of emails affected by policy

Gradual rollout recommended:
Start with 10% to test your setup, then gradually increase to 25%, 50%, and finally 100% as you gain confidence.

What does this mean?

If you set 25%, only 1 out of 4 emails will be subject to your DMARC policy. The other 75% will be processed normally. This allows you to test safely.

Reporting Configuration

Monitoring

Use SPFmonitor monitoring
Keep existing RUA and RUF destinations (if any) and also add SPFmonitor as an additional recipient.

Use only SPFmonitor monitoring
Send RUA and RUF reports only to SPFmonitor. Any other destinations will be removed.

Do not use SPFmonitor monitoring
Do not add SPFmonitor. Any existing destinations remain unchanged.

Aggregate Reports (RUA) Email addresses for daily summary reports. One per line or comma-separated. "mailto:" will be added automatically.

Forensic Reports (RUF) Email addresses for detailed failure reports. Warning: May contain sensitive data!

Authentication Alignment

What is alignment?
Alignment determines how strict DMARC is when checking if SPF and DKIM match your domain. Relaxed mode allows subdomains, strict mode requires exact matches.

SPF Alignment Mode

Relaxed (default)
Allows subdomains. Example: mail.example.com can send for example.com

Relaxed (explicit)
Same as default but explicitly specified

Strict
Exact domain match required. More secure but can break legitimate email.

DKIM Alignment Mode

Relaxed (default)
DKIM signature domain can be a subdomain of your main domain

Relaxed (explicit)
Same as default but explicitly specified

Strict
DKIM signature must match your exact domain. Use only if you understand the implications.

Expert zone: These settings are for advanced users who understand DMARC forensic reporting. Most domains can skip this section.

Failure Reporting Trigger (fo)

All must pass (0 - default)
Send forensic report only if both SPF and DKIM fail alignment

Any failure (1)
Send report if either SPF or DKIM fails (generates more reports)

DKIM failure only (d)
Send report only when DKIM fails alignment

SPF failure only (s)
Send report only when SPF fails alignment

Forensic Report Format (rf)

AFRF (default)
Authentication Failure Reporting Format - most widely supported

IODEF
Incident Object Description Exchange Format - rarely used

Report Interval (ri)

seconds

How often to request aggregate reports. Default: 86400 seconds (24 hours). Minimum: 3600 seconds (1 hour).

DMARC Checker (analysis)

DMARC Generator

Email Protection Policy

Policy Coverage

What does this mean?

Reporting Configuration

Authentication Alignment

DMARC Record Editor

Detailed Scoring 0/0

DMARC

DMARC Checker (analysis)

DMARC Generator

Email Protection Policy

Policy Coverage

What does this mean?

Reporting Configuration

Authentication Alignment

Advanced Options (for experts - usually not needed)

DMARC Record Editor

Detailed Scoring 0/0

DMARC