Email Security
The Email Security module manages SPF, DKIM, and DMARC for your clients' sending domains and provides deep analysis of DMARC aggregate reports.
DMARC reports are included in the User Protection package. Full email security domain management and alerting is available on the full Security platform.
Domain Management
Navigate to Email Security → Domains to add and monitor sending domains.
For each domain, The One Security validates:
- SPF record presence and syntax
- DKIM key publication
- DMARC record presence, policy (
p=none/quarantine/reject), and RUA reporting address
Common misconfiguration warnings are surfaced inline with suggested fixes.
Email Alerts
Navigate to Email Security → Alerts for notifications when:
- DMARC alignment drops below threshold
- SPF or DKIM failure rates spike
- A new unauthorized sender appears
DMARC Reports
Navigate to Email Security → DMARC Reports for full aggregate report analysis.
How DMARC Reports Work
DMARC RUA (aggregate) reports are XML files sent daily by mail receivers (Google, Microsoft, etc.) to the rua=mailto: address in your DMARC record. These reports show who sent email on behalf of your domain and whether it passed DKIM and SPF authentication.
To receive DMARC reports in The One Security, set your DMARC record's rua tag to:
rua=mailto:[email protected]
Reports are automatically ingested and parsed every 4 hours.
Manual Upload
You can also upload DMARC report files manually. Click Upload Report and select a .xml, .zip, or .gz file. The report is parsed immediately and its records are added to the Senders and Reports tabs.
Domain Selector
If you manage multiple sending domains, use the domain selector to filter all views to a single domain.
Summary Metrics
| Metric | Description |
|---|---|
| 30-Day Pass Rate | Percentage of messages that passed DMARC alignment |
| Total Messages | Total messages reported across all parsed reports |
| Unauthorized Senders | Senders sending from your domain without authorization |
| Policy | Current DMARC policy (none, quarantine, or reject) with recommendation |
Senders Tab
The Senders tab shows every IP address that sent email claiming to be from your domain, aggregated from all parsed reports.
| Column | Description |
|---|---|
| Sender | Identified label for the sending IP (e.g., "Google Workspace", "SendGrid") |
| IP | Source IP address |
| Volume | Number of messages from this sender |
| Pass Rate | Percentage of messages from this sender that passed DKIM and SPF |
| Status | Authorized / Unauthorized / Unknown |
| Action | Authorize or Remove Authorization |
Rows highlighted in red indicate unauthorized senders — IPs sending email claiming to be from your domain that you have not approved. These may indicate spoofing attempts.
Reports Tab
The Reports tab lists every individual DMARC aggregate report received, with:
- Reporting organization (Google, Microsoft, etc.)
- Date range covered
- Total message count
- Overall pass rate
- Policy applied
Click View to open the full report detail, including a per-record breakdown of each source IP with DKIM result, SPF result, and disposition.
Timeline Tab
The Timeline tab shows the daily DMARC pass rate for the last 30 days as a horizontal bar chart. Color coding:
- Green (≥95%) — Strong alignment
- Yellow (≥80%) — Acceptable but review senders
- Red (below 80%) — Significant alignment failures, action required
p=none does not protect against spoofing — it only provides visibility. Work toward p=quarantine then p=reject as you identify and authorize all legitimate senders.