Email Security
The One Protect provides DMARC setup and monitoring, SPF/DKIM validation, and email authentication scoring to protect your clients' domains from email spoofing and phishing.
DMARC Setup and Monitoring
Adding a Domain
- Navigate to Protect → Email Security → Domains
- Click Add Domain
- Enter the domain name
- The One Protect checks for existing SPF, DKIM, and DMARC records
- Follow the guided setup to configure or update records as needed
DMARC Policy Levels
| Policy | Effect | Recommended When |
|---|---|---|
p=none | Monitor only — no emails are rejected | Initial setup, during monitoring phase |
p=quarantine | Failing emails are sent to spam/junk | After monitoring confirms legitimate senders are authenticated |
p=reject | Failing emails are rejected entirely | Full enforcement — all legitimate senders are properly authenticated |
p=none to monitor email flows before enforcing. Moving to p=quarantine or p=reject too quickly can block legitimate email if SPF/DKIM are not fully configured.Recommended DMARC Record
The One Protect generates a recommended DMARC DNS record for each domain:
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=r; aspf=r; pct=100
The rua (aggregate) and ruf (forensic) addresses point to The One Protect for automated report parsing.
SPF Validation
The One Protect checks your SPF record and reports:
- Whether an SPF record exists
- The number of DNS lookups (must be 10 or fewer)
- All authorized sending sources (IP addresses and include mechanisms)
- Any errors or warnings (e.g.,
+allwhich allows anyone to send)
Common SPF Issues
| Issue | Impact | Fix |
|---|---|---|
| No SPF record | Any server can claim to send as your domain | Add a TXT record: v=spf1 include:... -all |
| Too many DNS lookups (>10) | SPF evaluation fails, treated as no SPF | Flatten includes or consolidate sending services |
Using +all or ?all | SPF effectively allows any sender | Change to -all (hard fail) or ~all (soft fail) |
DKIM Validation
The One Protect validates DKIM configuration for each domain:
- Checks for DKIM TXT records at common selectors
- Validates key length (2048-bit recommended)
- Reports on DKIM alignment with the From header domain
DMARC Aggregate Report Parsing
When your DMARC rua address points to The One Protect, aggregate reports from receiving mail servers are automatically parsed and displayed:
- Sender breakdown — Which IP addresses and services are sending email as your domain
- Authentication results — SPF and DKIM pass/fail rates per sender
- Volume trends — Email volume over time by sender
- Unauthorized senders — IP addresses sending as your domain without proper authentication
View parsed reports from Email Security → DMARC Reports → Aggregate.
DMARC Forensic Report Parsing
Forensic (failure) reports provide details on individual emails that failed DMARC:
- The sending IP address
- The email headers
- SPF and DKIM evaluation results
- The reason for failure
View forensic reports from Email Security → DMARC Reports → Forensic.
ruf configuration.Email Authentication Score
Each monitored domain receives an email authentication score from 0 to 100:
| Component | Weight | What It Measures |
|---|---|---|
| SPF | 25% | Valid SPF record with appropriate mechanisms |
| DKIM | 25% | Valid DKIM record with adequate key length |
| DMARC | 30% | DMARC record present with enforcement policy |
| Alignment | 20% | SPF and DKIM alignment with the From domain |
The score updates after each aggregate report is processed. A score of 80+ indicates strong email authentication.
Recommended DNS Records
The One Protect generates the exact DNS records you need for each domain. Navigate to Email Security → Domains → [domain] → DNS Records to see:
- SPF TXT record — The recommended SPF record with all detected legitimate senders
- DKIM TXT record — The DKIM public key record (if generating a new key pair)
- DMARC TXT record — The recommended DMARC record with rua/ruf addresses
Copy the records directly and add them to your DNS provider.