Hosted DMARC gives you complete visibility over every email sent using your domain — legitimate senders, misconfigured tools, and active phishing attempts. Migomail manages your DMARC policy, processes aggregate reports from every major mailbox provider, and guides you to p=reject without breaking legitimate mail.
Setting a DMARC record is 5 minutes of DNS work. Understanding and acting on DMARC reports is an ongoing programme. Hosted DMARC gives you the platform, the processing, and the expertise to get from p=none to p=reject safely.
DMARC RUA reports arrive as raw XML attachments from Gmail, Outlook, Yahoo, and every other mailbox provider that participates — daily, per-provider. Migomail receives these reports on your behalf, parses the XML, and presents the data as a human-readable dashboard showing which sources are sending email as your domain, their volumes, and their pass/fail rates.
The most valuable thing DMARC reports reveal is the complete list of sources sending email on behalf of your domain — including legitimate senders you configured, legitimate senders you forgot to configure (old ESPs, CRMs, marketing tools), and completely unauthorised sources. Migomail categorises every discovered source and flags the ones that need attention.
Moving from p=none to p=reject requires confidence that every legitimate sender is authenticated. Migomail tracks your authentication pass rate and tells you exactly when it is safe to escalate — and guides you through the pct= (percentage) rollout from 10% to 25% to 50% to 100% to manage risk at each stage.
At p=reject, every email sent using your domain that fails DMARC is rejected before delivery. DMARC aggregate reports show you which providers are seeing these attempts, at what volume, and from which IP addresses — giving you visibility into active phishing campaigns using your brand before your customers report them.
Migomail monitors your DMARC configuration and aggregate report data continuously — alerting you immediately when a new sender source appears using your domain, when an existing authenticated sender starts failing, when your DMARC pass rate drops below threshold, or when a high-volume phishing campaign begins.
BIMI — which displays your brand logo in Gmail and Yahoo subscriber inboxes — requires DMARC at p=reject with pct=100 as a prerequisite. Hosted DMARC tracks your BIMI readiness at every stage of your policy escalation journey, so you reach logo display eligibility as quickly as possible.
Enterprise senders, agencies, and businesses with multiple brands typically send from several domains — yourbrand.com, mail.yourbrand.com, youranotherbrand.com. Hosted DMARC manages separate DMARC configurations for every domain under your account with per-domain dashboards, alerts, and policy escalation tracking.
Many enterprise procurement requirements, ISO 27001 audits, and regulatory frameworks ask for documented evidence of domain authentication controls. Migomail generates exportable DMARC compliance reports showing policy configuration, pass rates, source inventory, and escalation history — in formats accepted by common audit frameworks.
Every DMARC aggregate report from every mailbox provider is processed and merged into a single dashboard. You see who is sending, how much, and whether they are authenticating correctly.
DMARC is not a single DNS record you add and forget — it is a progressive journey from monitoring to full enforcement. Most senders take 6–12 weeks to reach p=reject safely. Hosted DMARC gets you there in under 6 weeks.
Collect DMARC reports from all providers. Discover every sender using your domain. Identify which senders need authentication fixes — without affecting delivery.
Failing emails — including spoofed and phishing attempts — are routed to spam instead of the inbox. Use pct= to roll out gradually: 10% → 25% → 50% → 100%.
Emails failing DMARC are rejected at the SMTP level — never delivered, never seen. Your domain is fully protected against spoofing. BIMI logo display becomes available.
DMARC aggregate reports reveal the complete picture of your domain's email ecosystem. Many companies are surprised to find old ESPs, forgotten CRM automations, and active spoofing attempts all sending under their domain simultaneously.
Setup takes under 15 minutes. Migomail handles everything after that — report processing, source classification, policy guidance, and continuous monitoring.
Measured outcomes from Migomail Hosted DMARC customers — 90-day before/after comparison.
Before Hosted DMARC we had no idea our old SendGrid account from 2019 was still sending 12,000 emails a month as our domain — completely unauthenticated. It showed up in the first DMARC report. Within 48 hours of getting the source discovery view, we had fixed 3 legacy senders we didn't even know existed. Six weeks later we were at p=reject. The ROI in terms of brand protection alone justified the cost immediately.
A phishing campaign used our domain to target our own customers — sending fake invoice emails that looked exactly like our legitimate ones. Our customers were calling us about payments they hadn't made. Before Migomail Hosted DMARC, we were at p=none and could only watch it happen. The Hosted DMARC setup took 15 minutes. Within 24 hours we had complete visibility of the attack source — 4,200 spoofed emails per day from a server in Eastern Europe. We escalated to p=quarantine within the week and p=reject within 3 weeks. The phishing campaign died immediately. Every single one of those 4,200 daily attempts now returns a 550 rejection. The attackers gave up within days of p=reject going live.
The compliance reporting is what made this essential for us. Our ISO 27001 audit required documented evidence of domain authentication controls — specifically that we know every source sending email as our domain, that failing sources are enforced against, and that we have continuous monitoring in place. Migomail's Hosted DMARC generated a single exportable report that covered all three requirements. Our auditor accepted it without any supplementary documentation. Without this, we would have spent days pulling together DNS screenshots and raw XML files.
“Rackwave Technologies has significantly improved our marketing performance while providing reliable cloud services. We’ve been using their solutions for a while now, and the experience has been seamless, scalable, and results-driven.”
David Larry
Founder & CEO
Common questions about Hosted DMARC and email authentication.
A standard DMARC record points the rua= (aggregate report) address to a mailbox you own. The problem: DMARC reports are sent as XML email attachments from dozens of providers simultaneously — often hundreds of reports per day for high-volume senders. Reading, parsing, and acting on raw XML is impractical without tooling. Hosted DMARC means Migomail receives those reports on your behalf, parses them, presents the data as a human-readable dashboard, classifies every sender source, and alerts you to problems. The DNS record still lives on your domain — the difference is where the reports go and who processes them.
Adding the DNS record takes 5–15 minutes depending on your DNS provider. Migomail generates the exact TXT record value — you copy and paste it. After that, DMARC reports begin arriving within 24 hours (Google sends reports daily; most other providers send them within 24–48 hours). Your source discovery dashboard populates as reports arrive over the first 2–3 days.
At p=none (the starting policy), DMARC has zero impact on delivery — it only generates reports. At p=quarantine and p=reject, emails that fail DMARC authentication are affected. This is why Hosted DMARC starts at p=none: you spend 2–3 weeks identifying every legitimate sender and fixing their authentication before escalating to enforcement. Migomail tracks your authentication pass rate and only recommends escalating when the pass rate is above 99% for at least 7 consecutive days.
DMARC aggregate reports (RUA — Reporting URI for Aggregate reports) are XML files sent by mailbox providers (Gmail, Outlook, Yahoo, etc.) to your DMARC reporting address. Each report covers a 24-hour period and contains: the provider sending the report, each IP address that sent email claiming to be from your domain, the volume of messages from each IP, the DKIM result for each source (pass/fail), the SPF result for each source (pass/fail), and the DMARC disposition (delivered/quarantined/rejected). The reports are factual delivery data from the provider — not estimates.
p=none: Report only — failing emails are delivered normally. Zero enforcement, maximum visibility. p=quarantine: Failing emails are sent to the spam/junk folder. Partial enforcement — phishing and spoofed emails are deprioritised but still potentially visible to recipients. p=reject: Failing emails are rejected at the SMTP level — the sending server receives a 550 rejection code and the email is never delivered. Complete enforcement — spoofed emails using your domain cannot reach your customers. p=reject is the target for every domain owner.
By default, a DMARC policy at the organisational domain (yourbrand.com) applies to the domain itself. Subdomains are covered by the sp= (subdomain policy) tag in your DMARC record. Migomail configures both the main domain policy and the subdomain policy, and the dashboard shows source data separately for each subdomain that appears in your reports.
BIMI (Brand Indicators for Message Identification) displays your brand logo next to your emails in Gmail and Yahoo inbox list views. For Gmail BIMI, your domain must have DMARC at p=reject with pct=100, plus a Verified Mark Certificate (VMC). For Yahoo BIMI, a VMC is optional. Hosted DMARC tracks your BIMI readiness at every stage — showing when you reach p=reject eligibility and what remaining steps are needed for the VMC application.