How-to

Set up DMARC monitoring in Blankitt — overview

The four-step journey from connecting your first domain to reaching a fully enforced DMARC policy, with links to the detailed how-to for each step.

3 min read · Last updated 14 June 2026

Blankitt DMARC helps you take your domain's email authentication from monitor-only (p=none) all the way to full protection (p=reject) without blocking any legitimate mail along the way. This overview shows the whole journey so you know what to expect; each step links to a detailed how-to.

The Getting Started page in the app mirrors these steps as a live 4-step checklist that ticks off automatically as you go, so you can always see where you are.

The four steps

Step 1 — Add your first domain

Tell Blankitt which domain you want to monitor. Go to Domains and add it. This creates a place for reports and DNS checks to land.

See: Add your first domain.

Step 2 — Get aggregate reports flowing in

DMARC works by having mailbox providers (Google, Microsoft, Yahoo and others) send you daily aggregate (RUA) reports about mail claiming to be from your domain. You need to point those reports at Blankitt. There are two ways:

  • Direct ingest (recommended): publish your unique Blankitt ingest address in your domain's _dmarc DNS record. Reports then arrive at Blankitt automatically.
  • Mailbox sync: if reports are already arriving in a Microsoft 365 or Google Workspace mailbox, connect that mailbox and Blankitt will import them.

You can also manually upload report files (.xml/.gz/.zip) on the Reports page at any time.

See: Find your ingest address and publish your _dmarc record and Connect a Microsoft 365 or Google Workspace mailbox.

Step 3 — Identify and align your legitimate senders

Once reports are flowing (typically within a day or two), the app shows you every source sending mail as your domain. Use these pages:

  • Dashboard — summary stats, trends, top offenders and domains needing attention.
  • Offenders — sending sources failing DMARC, with vendor attribution so you can recognise legitimate senders (SendGrid, Mailgun, AWS SES, Microsoft 365, Google and more).
  • Fix Groups — grouped remediation suggestions that tell you exactly what to change.
  • Domain detail — your compliance grade (A–F), a 6-dimension Compliance Scorecard, SPF flattening and drift detection, and DKIM selector management.

The goal of this step is to make sure all your real senders pass aligned SPF or DKIM. This is the part that takes the most attention, and it's where Blankitt does the most work for you.
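To make the pass/fail view in this step concrete, here is an added example (not Blankitt's code, and not part of the original page) that reads one aggregate report and totals DMARC-passing and DMARC-failing messages per source IP. It assumes the RFC 7489 aggregate report layout; the sample report, its namespace URI and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _rec(ip, count, dkim, spf):
    # Builds one constructed <record>; dkim/spf are the *aligned* results.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            "<identifiers><header_from>example.com</header_from></identifiers></record>")

# Constructed sample report using documentation IP ranges and a made-up namespace.
SAMPLE_REPORT = (
    '<feedback xmlns="urn:example:constructed">'
    "<policy_published><domain>example.com</domain><p>none</p></policy_published>"
    + _rec("192.0.2.10", 120, "pass", "fail")   # aligned DKIM only: DMARC pass
    + _rec("203.0.113.5", 8, "fail", "pass")    # aligned SPF only: DMARC pass
    + _rec("198.51.100.7", 40, "fail", "fail")  # neither aligned: DMARC fail
    + _rec("192.0.2.10", 5, "fail", "fail")     # same source, unsigned stream
    + "</feedback>"
)

def summarize(report_xml):
    """Return (published policy, {source_ip: {"pass": n, "fail": n}})."""
    root = ET.fromstring(report_xml)
    for el in root.iter():
        # Some reporters namespace the schema; strip it so paths match either way.
        el.tag = el.tag.rsplit("}", 1)[-1]
    policy = (root.findtext("policy_published/p") or "none").strip().lower()
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iterfind("record/row"):
        ip = (row.findtext("source_ip") or "unknown").strip()
        count = int((row.findtext("count") or "0").strip())
        results = {(row.findtext(f"policy_evaluated/{m}") or "fail").strip().lower()
                   for m in ("dkim", "spf")}
        # DMARC passes when aligned DKIM *or* aligned SPF passes.
        totals[ip]["pass" if "pass" in results else "fail"] += count
    return policy, dict(totals)

def failing_sources(totals):
    """Sources with at least one DMARC-failing message, largest volume first."""
    failing = [(ip, t["fail"]) for ip, t in totals.items() if t["fail"]]
    return sorted(failing, key=lambda item: -item[1])

if __name__ == "__main__":
    policy, totals = summarize(SAMPLE_REPORT)
    print("published policy:", policy)
    for ip, n in failing_sources(totals):
        print(f"{ip}: {n} messages failing DMARC")
```

A source such as 192.0.2.10 that shows both passes and failures usually means one mail stream from that sender is aligned and another is not, which is the case to resolve before tightening policy.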

Step 4 — Tighten your policy

When your legitimate mail is consistently aligned, move your DMARC policy forward: none → quarantine → reject. The Policy Progression Wizard on each domain's detail page gives you readiness checklists and next steps for each stage, so you only advance when it's safe.

See the DMARC policy progression guidance under Policy.

How long does it all take?

Most organisations spend 1–2 weeks at p=none collecting reports and aligning senders before moving to quarantine, then a further period monitoring before reject. The actual work is small once reports are flowing — most of the elapsed time is simply waiting for providers to send enough data.

Where to go next

  • Add your first domain
  • Find your ingest address and publish your _dmarc record
  • Connect a Microsoft 365 or Google Workspace mailbox
  • How long until I see data?
