Docs / Quick start

Quick start

Get UglyDMARC set up and sending DMARC reports in 5 minutes. The happy path from sign-up to SPF enforcement.

This guide walks you through the end-to-end setup: creating an account, adding your domain, verifying ownership, publishing the SPF include, and configuring DMARC reports. For deeper detail on each step, see the linked guides.

  1. Create an account or sign in

    Visit admin.uglydmarc.com and sign up with your email, or sign in if you already have an account. You can also sign in with Google or Microsoft 365.

  2. Add your domain

    In the dashboard, click + Add Domain and enter the domain you want to monitor and protect. For example, mail.example.com. See Add & verify a domain for detailed steps, including how to add subdomains.

  3. Verify domain ownership

    UglyDMARC will generate a DNS TXT verification token. Add it to your domain's DNS records. Once DNS propagates (usually 15 minutes), click Verify in the console. UglyDMARC will check the record and confirm you own the domain. See Add & verify a domain for troubleshooting.

  4. Publish the SPF include

    In your domain's DNS, add this SPF include to your v=spf1 record:

    include:%{ir}.%{v}.%{d}.spf.uglydmarc.com

    If you don't have an SPF record yet, replace your existing SPF with:

    v=spf1 include:%{ir}.%{v}.%{d}.spf.uglydmarc.com -all

    Important: One SPF record per domain; never duplicate. If you already have an SPF, merge the UglyDMARC include into it. See Publish your SPF record for step-by-step and troubleshooting.

  5. Publish your DMARC RUA record

    Create (or update) a _dmarc TXT record on your domain with:

    v=DMARC1; p=none; rua=mailto:rua@reports.uglydmarc.com

    This tells receiving mail servers to send aggregate reports to UglyDMARC. Replace p=none with p=quarantine or p=reject once you've verified all your legitimate senders are passing SPF/DKIM alignment (see step 6).

  6. Watch reports roll in

    DMARC reports arrive once a day (usually 4–6 PM UTC). Within 24 hours, you'll see a dashboard showing:

    • Pass/fail rates (overall SPF/DKIM alignment)
    • Source IPs and identified ESPs
    • Failed senders (invalid SPF/DKIM)

    See Reading DMARC reports to interpret the data.

  7. Tune your policy toward p=reject

    Use the reports to identify all legitimate senders on your domain. Add any missing ones to your SPF (e.g., new vendors). Once all senders are passing SPF/DKIM, safely move from p=nonep=quarantinep=reject. This protects your domain from impersonation. See Reading DMARC reports for guidance on interpreting failures.

Tip

DNS changes can take up to 15 minutes to propagate. If verification fails, wait a bit longer and try again. You can also check your DNS manually using dig or nslookup.