Alerts.
Reports are great, but you don't want to live in a dashboard. Alerts email you the moment something worth knowing happens: six triggers, each answering a different question.
The six triggers
- Failure spike. A sudden jump in DMARC failures, usually a new spoofing campaign, or a legitimate sender that just broke. The "wake me up" trigger.
- New source IP. A sender you've never seen before started mailing as your domain. Could be a new tool your team stood up, or someone new spoofing you. Either way, worth a glance.
- Policy is none. A standing nudge that your domain is still at p=none, collecting reports but not yet protected. Handy as a reminder to keep climbing.
- DKIM failure. Mail from your domain is failing DKIM: a signing key that expired, rotated, or was never set up on a sender.
- SPF failure. Mail is failing SPF, often a sender that's not on your published list, or forwarding breaking the path.
- Failure report received. A failure (RUF) report arrived: a real-time sample of a single message that failed, when a receiver chooses to send one.
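An added example, not dmarcula's own code: a sketch of how five of these triggers can be derived from a single DMARC aggregate (RUA) report. The sample report is constructed, and the function name, the known-IP set, the baseline failure rate and the spike factor are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report, trimmed to the fields used below.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>15</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def evaluate_triggers(report_xml, known_ips, baseline_fail_rate, spike_factor=3.0):
    """Return {trigger: detail} for each trigger this report would fire (hypothetical helper)."""
    # Reports come from third parties; a hardened parser (e.g. defusedxml) suits production use.
    root = ET.fromstring(report_xml)
    fired = {}
    if root.findtext("policy_published/p", "").strip().lower() == "none":
        fired["policy_is_none"] = root.findtext("policy_published/domain", "").strip()
    total = failed = 0
    new_ips, dkim_fail, spf_fail = set(), {}, {}
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip", "").strip()
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim", "").strip()
        spf = row.findtext("policy_evaluated/spf", "").strip()
        total += count
        if ip not in known_ips:
            new_ips.add(ip)
        if dkim == "fail":
            dkim_fail[ip] = dkim_fail.get(ip, 0) + count
        if spf == "fail":
            spf_fail[ip] = spf_fail.get(ip, 0) + count
        # DMARC itself fails only when neither aligned DKIM nor aligned SPF passes.
        if dkim != "pass" and spf != "pass":
            failed += count
    if new_ips:
        fired["new_source_ip"] = sorted(new_ips)
    if dkim_fail:
        fired["dkim_failure"] = dkim_fail
    if spf_fail:
        fired["spf_failure"] = spf_fail
    rate = failed / total if total else 0.0
    if failed and rate > baseline_fail_rate * spike_factor:
        fired["failure_spike"] = round(rate, 3)
    return fired
```

The sixth trigger, failure report received, needs no aggregate data: it fires when a RUF message arrives.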
How alerts work
- Each alert has a destination email and an on/off switch. Point different triggers at different people if you like.
- dmarcula checks your incoming data regularly and emails you when a trigger fires.
- Every alert that fires is logged to a firing history, so you can audit exactly what fired, when, and why.
- If an alert email hard-bounces or gets marked as spam, dmarcula notices and backs off, so a bad address can't quietly hurt your sending reputation.
Create and manage them under Settings → Alerts.
Which to start with
If you only set up two, make them failure spike and new source IP: together they cover "something just changed." Add policy is none while you're still working your way up to enforcement, as a gentle reminder you're not done yet.
What's next
- Investigating sources: when "new source IP" fires, this is where you dig in.
- The enforcement journey: clear "policy is none" for good.