DMARC monitoring · included in every plan
Gmail, Microsoft and Yahoo already email you the truth about who sends as your domain — as XML attachments nobody opens. Norbelys collects them automatically, reads them for you, and tells you exactly what to fix.
One DNS record · No verify button · First answers within a day
acme.com
Policy: p=quarantine · 5 receivers reporting
DMARC compliance · 30 days
94.6%
17,364 messages · 1,842 failing
Who sends as acme.com
What to fix: 1,842 messages were signed with your ESP's default key instead of a key for acme.com. Generate the custom DKIM key in your provider's console and publish the selector it gives you.
Reports flow in from the receivers that matter
The inbox nobody reads
Every day, mailbox providers report every message that claimed to be your domain. The data is gold — the format is unreadable. Same fact, before and after Norbelys:
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<report_id>8412930741896</report_id>
</report_metadata>
<record>
<row>
<source_ip>203.0.113.7</source_ip>
<count>1842</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>acme.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mailer.example.net</domain>
<result>pass</result>
</dkim>
<spf>
<domain>bounce.example.net</domain>
<result>softfail</result>
</spf>
</auth_results>
</record>
</feedback> What Norbelys tells you
After1,842 messages from an unknown source are failing DMARC as acme.com.
Their DKIM signature belongs to mailer.example.net — not to you. At your current policy they still reach inboxes; at p=quarantine they'll go to spam.
1
DNS record to set up
0
verify buttons to press
~24h
to your first report
0
XML files you'll ever read
Setup
Norbelys creates a unique collection address for it — the inbox where receivers will send your reports.
Copy, paste into your DNS, done. No extra verification record, no verify button.
Reports are daily digests — the first arrival IS the verification. Your dashboard starts filling within a day.
The one record you'll publish
TXT · _dmarc.acme.comv=DMARC1; p=none; rua=mailto:acme-x7k2@reports.norbelys.com
The highlighted part is your domain's unique collection address — Norbelys generates it when you add the domain.
What you'll see
Each IP that sends as your domain — volume, SPF and DKIM identities, pass rate, last seen. Your providers, your tools, and the impostors.
Not “alignment error”. Cause, consequence and the exact fix — with the sources table as the evidence.
DKIM verifies but doesn't align — messages are signed with your ESP's default key, not yours. Fix: generate this domain's custom key in the provider console.
SPF doesn't authorize your sender — these IPs aren't in your record. Fix: add include:_spf.google.com to your SPF TXT.
Nothing to fix — when a domain is healthy, the diagnosis disappears. No invented urgency.
Daily compliance per domain shows the moment enforcement stops being scary — because it only affects mail that fails.
Receivers re-send digests and pipelines retry. Ours dedupes at two layers, so a re-delivered report never inflates your numbers — honest counting is the house rule here too.
Every raw report is archived too — your evidence, kept.
Other tools sell DMARC monitoring as a separate subscription. We think a sending platform that doesn't watch your domain is half a product — so it ships with every Norbelys plan, from $29/mo.
Is your DMARC even set up? Check your domain free →
Once your domain has a DMARC record with a rua= address, mailbox providers like Google, Microsoft and Yahoo email that address a daily digest of every message they saw claiming to be from your domain: which IPs sent it, whether SPF and DKIM passed, and what the receiver did with it. They're the only ground truth about your domain's authentication — and they arrive as compressed XML attachments that no human reads.
When you add a domain, Norbelys gives it a unique collection address. You publish one DMARC TXT record pointing rua= at that address, and you're done — our reporting zone pre-authorizes your domain as an external destination, so there's no extra verification record and no verify button. The status flips to “receiving” by itself when the first report lands, usually within a day.
Both, but the fix is the point. The diagnosis is rules-based and specific: “1,842 messages were signed with your provider's default key instead of a key for this domain — generate the custom DKIM key in your provider's console”, or “these IPs aren't in your SPF record — add your provider's include”. The sources table below the diagnosis is the evidence.
When your legitimate sources have been passing consistently and the only failures left are traffic you don't recognize. That's exactly what the daily compliance view shows you — and because enforcement only affects mail that fails authentication, a clean pass rate means the move is low-drama.
No — aggregate (rua) reports only, honestly. Most receivers stopped sending forensic reports years ago for privacy reasons, and aggregate reports carry everything you need to reach enforcement.
Neither. DMARC monitoring is part of every Norbelys plan, because a cold email platform that doesn't watch your domain's authentication is selling you half a product. One subscription: sending, sequences, honest analytics, and domain health together.