By default, CanIt-Domain-PRO does not apply DMARC policies. To have CanIt-Domain-PRO apply DMARC policies for your domain, click Rules and then DMARC Rules.

CanIt-Domain-PRO can apply four possible actions in response to DMARC policies. The actions are:

  • Ignore: no DMARC checking is done whatsoever.
  • Dry-Run: the DMARC policy is checked, but not enforced. CanIt-Domain-PRO only logs the DMARC policy results in the list of tests that are hit.
  • Quarantine: if the DMARC policy specifies "reject" or "quarantine", the message is quarantined (tagged in a tag-only stream).
  • Enforce: the DMARC policy is enforced. If the DMARC policy specifies "reject", the message is rejected. If it specifies "quarantine", the message is quarantined (tagged in a tag-only stream).

To set a DMARC action for a domain:

  1. Enter the domain name in the Domain box. If you use a single asterisk for the domain name, then that action applies to any domains that do not have a specific entry.
  2. Select the appropriate action in the Action column.
  3. Click Submit Changes.

In the example in the figure, we see that by default, CanIt-Domain-PRO will check the DMARC record in dry-run mode only. However, for the two domains interfax.net and yahoo.com, CanIt-Domain-PRO will enforce the DMARC policy.
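The rule lookup and the four actions described above, modelled as an added example (this is not CanIt-Domain-PRO code and does not come from its vendor). It assumes rules match the sender domain exactly and case-insensitively, that a domain with no entry and no `*` entry is treated as Ignore, and that a published policy of "none" leads to no action; the function names and the DMARC records passed in are constructed for illustration.

```python
# Model of the DMARC rule table: which outcome a message that FAILS DMARC gets.
# Assumptions (not from the product): exact, case-insensitive domain match;
# no matching entry means Ignore; a published p=none results in no action.

RULES = {  # constructed table mirroring the example described in the text
    "*": "dry-run",
    "interfax.net": "enforce",
    "yahoo.com": "enforce",
}


def parse_policy(record):
    """Return the p= tag of a DMARC TXT record (RFC 7489), or None if unusable."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    policy = tags.get("p")
    return policy if policy in ("none", "quarantine", "reject") else None


def action_for(domain, rules):
    """Specific entry first, then the single-asterisk entry, else Ignore."""
    return rules.get(domain.lower(), rules.get("*", "ignore"))


def disposition(domain, record, rules=RULES):
    """Outcome for a DMARC-failing message claiming to be from `domain`."""
    action = action_for(domain, rules)
    if action == "ignore":
        return "not-checked"          # no DMARC checking whatsoever
    if action == "dry-run":
        return "logged"               # result recorded, nothing enforced
    policy = parse_policy(record)
    if policy == "reject":
        return "rejected" if action == "enforce" else "quarantined"
    if policy == "quarantine":
        return "quarantined"          # same for Quarantine and Enforce
    return "no-action"                # p=none or no valid record


if __name__ == "__main__":
    for dom, rec in [("yahoo.com", "v=DMARC1; p=reject"),       # constructed
                     ("example.org", "v=DMARC1; p=reject")]:    # constructed
        print(dom, "->", disposition(dom, rec))
```

Running the same sender domains through a candidate table before changing `*` from Dry-Run to Quarantine or Enforce shows which senders would start being quarantined or rejected.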

If an incident results in a "quarantine" DMARC policy, then it is annotated with the word "DMARC" with a red slash through it in the quarantine display.

This indicates a possibly forged message. Additionally, the "Hold Reason" is set to DMARC.

By default, only realm administrators have permission to make DMARC rules.
