Available on: Pro, Elite
1. What This Feature Does
The DMARC Policy Wizard guides you through a five-stage progression from monitoring-only DMARC policy to full reject enforcement. At each stage, the wizard tracks pass rates and message volumes, evaluates whether your configuration is ready to advance, and provides recommendations on when to move to the next enforcement level. The wizard prevents premature advancement to stricter policies that could cause legitimate email to be rejected by recipient servers.
Each stage has a minimum duration, a pass rate threshold, and a percentage of messages to which the policy applies. The wizard automatically collects metrics from your DMARC aggregate reports and evaluates whether your email authentication infrastructure is stable enough to handle stricter enforcement without disrupting mail delivery.
2. When You Should Use It
- You have configured SPF and DKIM for your domain and are ready to implement DMARC enforcement gradually.
- You want to avoid accidentally blocking legitimate mail by advancing to reject policy too quickly.
- You are deploying DMARC for the first time and need structured guidance on safe enforcement progression.
- You need data-driven recommendations on when your email authentication infrastructure is ready for stricter policies.
- You want to track historical pass rates and message volumes as you advance through enforcement stages.
3. When You Should Not Use It
- No DMARC reports: The wizard requires DMARC aggregate reports to calculate pass rates. If no reports are being sent to your configured RUA addresses, the wizard cannot evaluate readiness.
- Already at reject policy: If your domain already has a DMARC policy of p=reject at 100%, the wizard has no further stages to advance through.
- Manual policy control required: If you need to set custom policies outside the wizard's five-stage progression, use the DMARC Management interface directly.
- Instant enforcement needed: The wizard enforces minimum durations at each stage (7 or 14 days). If you need to move to reject policy immediately, configure DMARC manually instead of using the wizard.
- Free or Plus plans: The wizard is only available on Pro and Elite plans. Use standard DMARC configuration on lower plans.
4. Prerequisites
- A Pro or Elite plan subscription.
- A managed DNS zone with DMARC configuration enabled.
- SPF and DKIM records published and aligned with your domain.
- DMARC aggregate reporting (RUA) configured and receiving reports from recipient domains.
- At least 100 messages sent from your domain to generate meaningful pass rate statistics.
5. How It Works (Brief)
When you open the wizard for a zone, the system checks whether a progression record exists. If not, it creates one and starts you at the monitoring stage with policy=none and pct=100%. Each night at 02:00 UTC, a cron job aggregates DMARC report data from the past 7 days and updates your current stage metrics: total messages processed, DMARC pass rate, and days elapsed at the current stage.
When you request a recommendation, the wizard evaluates whether you have met the minimum days, collected enough messages, and achieved the required pass rate threshold for your current stage. If all conditions are met, the recommendation is ready_advance. If not, the wizard explains which blocker is preventing advancement (insufficient data, low pass rate, or minimum days not met).
When you advance, the wizard records the current stage metrics into the stage history, updates the DMARC configuration to the next stage's policy and percentage, regenerates the DMARC TXT record in DNS, and resets the stage counters to begin tracking the new stage.
6. How to Use It
Opening the wizard
- Navigate to Dashboard > Email Authentication.
- Select the Wizard tab at the top of the page.
- If you are on a Free or Plus plan, an upgrade prompt is displayed. Pro and Elite users see the zone selector.
- Select the zone you want to manage from the dropdown. The wizard loads progression data for that zone.
Viewing progression status
After selecting a zone, the wizard displays:
- Progress bar: Five stages displayed horizontally. The current stage is highlighted with a colored ring. Monitoring stages are blue, quarantine stages are yellow, and reject stages are green.
- Current Status card: Shows the active policy badge (e.g., "quarantine @ 10%"), days at the current stage, total messages processed, and DMARC pass rate. Pass rate is color-coded: green if above threshold, red if below.
- Recommendation card: Displays the wizard's recommendation (Ready to Advance, Keep Monitoring, Need More Data, Investigation Needed, or Full Enforcement Active). The card border color matches the recommendation type. If blockers exist, they are listed below the recommendation reason.
- Stage history: Chronological list of all completed stages, showing policy, percentage, pass rate, and message count for each.
Interpreting recommendations
| Recommendation | Meaning | Action |
|---|---|---|
| Ready to Advance | Pass rate meets threshold, minimum days elapsed, sufficient data collected. | Click the "Advance to [next stage]" button to move forward. |
| Keep Monitoring | Below minimum days at current stage, but pass rate is acceptable. | Wait until the minimum duration elapses. No action required. |
| Need More Data | Fewer than 100 messages processed at this stage. | Continue sending mail. The wizard will update metrics nightly. |
| Investigation Needed | Pass rate is below threshold. Authentication issues detected. | Review DMARC reports to identify failing sources. Fix SPF and DKIM alignment before advancing. |
| Full Enforcement Active | You have reached the final stage (reject @ 100%). | No further advancement. Continue monitoring DMARC reports. |
Advancing to the next stage
- When the recommendation is "Ready to Advance", an "Advance to [next stage]" button appears in the Recommendation card.
- Click the button. A confirmation dialog displays the next stage's policy and percentage.
- Click Confirm. The wizard performs the following:
  - Records the current stage's metrics (pass rate, message count, duration) into the stage history.
  - Updates the progression record to the next stage.
  - Updates the DMARC configuration's policy and pct fields.
  - Regenerates the DMARC TXT record in DNS with the new policy.
  - Resets the stage counters (days at stage, messages, pass rate).
- The progress bar updates to highlight the new stage. The Current Status card reflects the new policy.
Reviewing stage history
The Stage History section shows all previously completed stages in reverse chronological order. Each entry displays:
- Stage name (e.g., "monitoring", "quarantine_partial").
- Policy and percentage (e.g., "quarantine @ 10%").
- Pass rate achieved during that stage.
- Total messages processed during that stage.
- Date range the stage was active.
7. Inputs and Settings
| Field | Description | Constraints |
|---|---|---|
| Zone | The DNS zone for which DMARC policy progression is managed. | Must be a managed zone with DMARC configuration enabled. Pro or Elite plan required. |
| Custom Percentage (optional) | Override the default percentage when advancing to a partial stage. | Only available on partial stages (quarantine_partial, reject_partial). Must be between 1 and 100. Defaults to stage default (10%). |
| Confirm Advance | Confirmation flag required to execute the advancement. | Must be true when calling the advance API endpoint. |
Stage configuration
Each stage has fixed parameters that cannot be modified:
| Stage | Policy | Percentage | Min Days | Pass Rate Threshold |
|---|---|---|---|---|
| monitoring | none | 100% | 14 | 95.0% |
| quarantine_partial | quarantine | 10% | 7 | 98.0% |
| quarantine_full | quarantine | 100% | 14 | 99.0% |
| reject_partial | reject | 10% | 7 | 99.0% |
| reject_full | reject | 100% | 0 | N/A |
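The readiness check from section 5 applied to the stage table above, as an added example (not CertaDNS code). It assumes the pass rate is compared with the current stage's threshold, as section 5 and the sample responses in section 8 describe; every recommendation and blocker string other than ready_advance, investigate and low_pass_rate is a hypothetical name, and the precedence among blockers is an assumption.

```python
from typing import NamedTuple, Optional

MIN_MESSAGES = 100  # "Minimum messages per stage" in the limits table

class Stage(NamedTuple):
    name: str
    policy: str
    pct: int
    min_days: int
    threshold: Optional[float]  # None = N/A (final stage)

# Rows copied from the stage configuration table.
STAGES = [
    Stage("monitoring", "none", 100, 14, 95.0),
    Stage("quarantine_partial", "quarantine", 10, 7, 98.0),
    Stage("quarantine_full", "quarantine", 100, 14, 99.0),
    Stage("reject_partial", "reject", 10, 7, 99.0),
    Stage("reject_full", "reject", 100, 0, None),
]

def dmarc_txt(stage: Stage, rua: str) -> str:
    """TXT value for _dmarc.<zone> at this stage, using standard RFC 7489 tags."""
    return f"v=DMARC1; p={stage.policy}; pct={stage.pct}; rua=mailto:{rua}"

def recommend(stage_name: str, days: int, messages: int, pass_rate: float) -> dict:
    idx = [s.name for s in STAGES].index(stage_name)
    cur = STAGES[idx]
    if cur.threshold is None:  # reject @ 100%: nothing left to advance to
        return {"recommendation": "full_enforcement",  # hypothetical identifier
                "next_stage": None, "ready_to_advance": False, "blockers": []}
    blockers = []
    if messages < MIN_MESSAGES:
        blockers.append("insufficient_data")   # hypothetical identifier
    if pass_rate < cur.threshold:
        blockers.append("low_pass_rate")       # identifier shown on the page
    if days < cur.min_days:
        blockers.append("min_days_not_met")    # hypothetical identifier
    # Assumed precedence: too little data outranks a low rate, which outranks waiting.
    if not blockers:
        rec = "ready_advance"
    elif "insufficient_data" in blockers:
        rec = "need_more_data"                 # hypothetical identifier
    elif "low_pass_rate" in blockers:
        rec = "investigate"
    else:
        rec = "keep_monitoring"                # hypothetical identifier
    nxt = STAGES[idx + 1]
    return {"recommendation": rec, "next_stage": nxt.name,
            "next_config": {"policy": nxt.policy, "percentage": nxt.pct},
            "ready_to_advance": not blockers, "blockers": blockers}
```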
8. Outputs and Results
Progression status response
The GET /email-auth/dmarc/wizard/{zone} endpoint returns:
{
  "current_stage": "quarantine_partial",
  "policy": "quarantine",
  "percentage": 10,
  "days_at_current_stage": 9,
  "recommended_min_days": 7,
  "messages_at_stage": 1523,
  "pass_rate_at_stage": 98.7,
  "stage_history": [
    {
      "stage": "monitoring",
      "policy": "none",
      "percentage": 100,
      "entered_at": "2026-01-10T00:00:00Z",
      "exited_at": "2026-01-24T00:00:00Z",
      "pass_rate": 96.2,
      "messages": 3421
    }
  ]
}
Recommendation response
The GET /email-auth/dmarc/wizard/{zone}/recommendation endpoint returns:
{
  "recommendation": "ready_advance",
  "reason": "Pass rate is 98.7%, above the 98.0% threshold. Minimum 7 days elapsed.",
  "next_stage": "quarantine_full",
  "next_config": {
    "policy": "quarantine",
    "percentage": 100
  },
  "ready_to_advance": true,
  "blockers": []
}
When blockers exist:
{
  "recommendation": "investigate",
  "reason": "Pass rate is 92.3%, below the 98.0% threshold.",
  "next_stage": "quarantine_full",
  "next_config": {
    "policy": "quarantine",
    "percentage": 100
  },
  "ready_to_advance": false,
  "blockers": ["low_pass_rate"]
}
Advancement response
The POST /email-auth/dmarc/wizard/{zone}/advance endpoint returns:
{
  "message": "Advanced to quarantine_full",
  "new_stage": "quarantine_full",
  "policy": "quarantine",
  "percentage": 100
}
9. How to Interpret Results
Normal
- Pass rate is at or above the threshold for the current stage. The pass rate metric in the Current Status card is displayed in green.
- Days at stage increases by 1 each day. Messages and pass rate update nightly at 02:00 UTC.
- Recommendation is "Keep Monitoring" if the minimum days have not been met, or "Ready to Advance" once all conditions are satisfied.
- After advancing, the new stage appears in the progress bar with an updated policy badge. The previous stage is added to the stage history.
Unexpected or worth investigating
- Pass rate below threshold (red text): Authentication failures are occurring. Review DMARC aggregate reports to identify which sending sources are failing SPF or DKIM alignment. Common causes: third-party senders not configured in SPF, DKIM keys missing or misconfigured, subdomain misalignment.
- Message count remains at 0 or very low: No DMARC reports are being received, or your domain is sending very little mail. Verify that RUA addresses are configured correctly and that recipient domains are sending aggregate reports to those addresses.
- Recommendation shows "Need More Data" for an extended period: Fewer than 100 messages processed. If you are sending mail but the message count is not increasing, check that DMARC reports are being delivered and processed by the CertaDNS system.
- Days at stage is not incrementing: Metrics are updated once daily at 02:00 UTC. If days at stage does not increase after 24 hours, check that the DKIM rotation cron job is running successfully.
Common interpretation mistakes
- Confusing pass rate with delivery rate: Pass rate measures DMARC authentication success (SPF or DKIM alignment), not whether the message was delivered to the inbox. A high pass rate means authentication is working, but does not guarantee inbox placement.
- Expecting instant metric updates after sending mail: Metrics are aggregated from DMARC reports, which recipient domains send asynchronously (often daily). Then, CertaDNS processes those reports once per day at 02:00 UTC. Expect a delay of 24-48 hours between sending mail and seeing updated metrics.
- Assuming "quarantine" means messages are blocked: The quarantine policy instructs recipient servers to treat failing messages with suspicion (often placing them in spam folders), but does not guarantee rejection. Only the reject policy instructs recipient servers to refuse failing messages outright.
10. Common Issues and Explanations
"DMARC management requires Pro plan or higher" error
The DMARC Policy Wizard is only available on Pro and Elite plans. Upgrade your subscription to access the wizard. Free and Plus users can configure DMARC policies manually via the DMARC Management interface.
"Already at final policy stage" error when trying to advance
You are already at the reject_full stage, which is the final enforcement level. No further advancement is possible. Continue monitoring DMARC reports to ensure pass rates remain high.
Recommendation is "Investigation Needed" but pass rate looks acceptable
The wizard compares your current pass rate to the threshold for the stage you are trying to enter, not the stage you are currently in. For example, advancing from quarantine_partial (98.0% threshold) to quarantine_full (99.0% threshold) requires a pass rate of at least 99.0%. A pass rate of 98.5% would trigger "Investigation Needed" even though it exceeds the previous stage's threshold.
Pass rate dropped after advancing to a new stage
When you advance, the stage counters reset and begin aggregating fresh data. The pass rate displayed is calculated only from messages sent after the advancement. If you advanced recently and have low message volume, the pass rate may fluctuate significantly. Wait for at least 100 messages to accumulate before interpreting the new pass rate.
"DMARC progression not found" error
No progression record exists for the selected zone. This typically occurs if the zone was created before the wizard was enabled. Loading the wizard UI for the zone will automatically create a progression record starting at the monitoring stage. Refresh the page after the first load.
"DMARC configuration not found for this zone" error
The selected zone does not have DMARC enabled. Navigate to the DMARC Management tab and create a DMARC configuration for the zone before using the wizard.
Metrics not updating after 24 hours
Verify that the DKIM rotation cron job is running successfully. This job updates wizard metrics at 02:00 UTC daily. If the cron job failed, metrics will not update until the next successful run. Check system logs for cron execution errors.
Advance button does not appear even though recommendation is "Ready to Advance"
Verify that the API response shows ready_to_advance: true. If the button is missing but the API confirms readiness, clear your browser cache and reload the page. If the issue persists, the UI state may be out of sync with the backend.
11. Limits and Constraints
| Constraint | Value |
|---|---|
| Plan requirement | Pro or Elite only |
| Minimum messages per stage | 100 |
| Monitoring stage min duration | 14 days |
| Quarantine partial min duration | 7 days |
| Quarantine full min duration | 14 days |
| Reject partial min duration | 7 days |
| Reject full min duration | 0 days (final stage) |
| Monitoring pass rate threshold | 95.0% |
| Quarantine partial pass rate threshold | 98.0% |
| Quarantine full pass rate threshold | 99.0% |
| Reject partial pass rate threshold | 99.0% |
| Metrics update frequency | Once daily at 02:00 UTC |
| Report aggregation window | Last 7 days |
| Custom percentage range (partial stages) | 1-100% |
- Stage progression is one-way. You cannot revert to a previous stage through the wizard UI. To reduce enforcement, manually edit the DMARC configuration.
- Advancement requires explicit user action. The wizard does not automatically advance stages even if all conditions are met (unless auto_advance is enabled, which is not exposed in the current UI).
- Stage history is stored as JSONB and has no defined size limit, but is expected to contain at most 5 entries (one per stage).
- Pass rate thresholds are fixed per stage and cannot be customized.
12. Related Features
- DMARC Reporting — View aggregate and forensic DMARC reports. The wizard uses aggregate report data to calculate pass rates.
- SPF Flattening — Optimize SPF records to stay within DNS lookup limits. Improving SPF pass rates helps wizard progression.
- DKIM Key Management — Generate and rotate DKIM keys. Properly configured DKIM improves pass rates and accelerates wizard advancement.
- Managed DNS Zones — Import and manage DNS zones. DMARC records managed by the wizard are published on these zones.
- DMARC Management — Manually configure DMARC policies, RUA/RUF addresses, and alignment modes. The wizard automates policy advancement but uses the same underlying DMARC configuration.
13. Updates and Behavior Changes
- The DMARC Policy Wizard was introduced as a Pro and Elite feature to reduce the risk of premature reject policy deployment.
- Metrics calculation was updated to aggregate the last 7 days of DMARC reports instead of all-time reports, providing more recent pass rate visibility.
- Custom percentage input for partial stages was added to allow users to advance at non-default percentages when needed.