Changelog
New SSO setup guide for Google Workspace
SAML SSO is now fully compatible with Google Workspace after our testing, and we now provide a dedicated guide to set it up.
Although our SSO implementation theoretically works with any generic SAML implementation, each Identity Provider has their own peculiarities and we want to ensure the most commonly used ones are properly tested by us.
Read the Google Workspace SSO setup guide for more information, including how to set up access control and application roles.
Improved support for SSO roles and access control
We’ve made some improvements to the SAML SSO implementation to allow passing roles through SAML attributes and enforcing the presence of a valid role.
Previously, passing application roles from the Identity Provider to DMARCwise was only possible/documented when using Microsoft Entra ID.
Now it’s possible to use the custom SAML response attribute named urn:dmarwise:role
to pass a role. DMARCwise will automatically assign and synchronize the role when the user logs in to DMARCwise with SSO.
In addition to this, it’s now possible to require the presence of a valid role attribute for every login. This is useful when using Identity Providers that don’t have an easy way to restrict who can use applications out of the box (e.g. Keycloak): users without a valid role attribute won’t be able to log in to DMARCwise when the option is enabled.
To learn more about roles and access control, read the updated SSO documentation page.
You can also refer to the updated Keycloak setup guide.
You can now choose the statistics period in the domains dashboard
After a request from one of our customers, we’ve added a way to choose the period for which the statistics in the domains list refer to.
You can now choose between:
- Last 7 days (default)
- Last 28 days
Reflecting the period for which statistics such as the total number of reported emails, the DMARC pass percentage, etc. are calculated on.
EU infrastructure migration (part 2) completed 🇪🇺
This weekend, we have completed the second step towards a full migration of the core components of DMARCwise infrastructure to European cloud providers.
The main website dmarcwise.io
is now hosted in a European Union country with a fully European cloud provider.
In the coming months we’ll be continuing this process and move other parts of the infrastructure to the EU, where possible. We expect that this will be especially appreciated by our European customers that take great consideration of data location and data privacy topics.
Improved support for Keycloak SSO
For customers using Keycloak as an SSO identity provider, we have just improved our SAML implementation with the aim of simplifying the setup process.
You’ll now find a setup guide specific for Keycloak in the documentation.
Plus, DMARCwise now supports the standard Keycloak attributes for the email address, first name and last name, so you can simply check them in the Keycloak client configuration without the need of manually entering the required claims.
EU infrastructure migration (part 1) completed 🇪🇺
This weekend, we have completed the first step towards a full migration of the core components of DMARCwise infrastructure to European cloud providers.
Our main database with all customer data is now hosted in a European Union country with a fully European cloud provider.
At the same time, we have reworked most of our infrastructure architecture to make it more reliable, resilient, faster and secure than before.
In the coming weeks and months we’ll be continuing this process and move the remaining parts of the infrastructure to the EU, where possible. We expect that this will be especially appreciated by our European customers that take great consideration of data location and data privacy topics.
New option to use semicolon separators in CSV export
When exporting domains to a CSV file, you can now optionally choose to use semicolons (;
) instead of commas (,
) as separators.
This can be useful when importing the CSV file in Microsoft Excel, which often expects semicolons by default in some countries.
Learn more in the export documentation.
Customize the domains list with the new Focus feature
We have added a new view option to configure which data columns are shown in the domain list/grid.
You can now choose to focus on Status and see at a glance the configuration status for both DMARC and TLSRPT for all domains.
The default focus remains DMARC.
The Focus feature will be improved to include more choices in the future. It will also be persisted, so that when you refresh the page or access from another device you don’t lose the state.
New MSP clients management user interface
The MSP clients management page has been redesigned to be more compact and provide more information at a glance.
You can still view the details for a client as before by clicking on a row.
The page now also allows for filtering the list of clients by name.
MSPs can now grant write permissions to clients
Customers on the MSP plan using the clients feature can now choose whether to grant write permissions to invited users.
When you allow write access, additional permissions will be granted to the user on the domains they have access to. Learn more in the documentation page.
Customers can now change the subscription plan from the dashboard
It is now possible to switch between subscription plans without contacting support. Specifically, these changes are now possible from the billing settings:
- Downgrading from the trial plan to the free plan.
- Downgrading from a canceled subscription to the free plan.
- Upgrading/downgrading between paid subscription plans (Starter, Growth, Scale).
- Change the billing interval between monthly and yearly for paid plans (Starter, Growth, Scale).
The plan change preview dialog will alert you if you need to reduce your usage before downgrading to a plan with lower limits or less features.
Customers on the MSP plan or on other custom plans are not affected by this change.
Okta SSO can now be configured from the Okta official Integration Network app catalog
Customers that use Okta as an Identity Provider can now simplify the SSO setup by using the official app published in the Okta Integration Network catalog.
To learn more on how to set up SSO with Okta, consult our documentation.
New claim for user ID in SAML SSO
We now support the custom userId
claim for situations where you can’t configure the NameID
claim to contain a persistent identifier like a user ID.
When using SSO with SAML, it’s important to make sure that the NameID
claims contains a persistent identifier such as a user ID or employee ID, and not an email address. This is because the email address may change with time and a NameID
change would make it impossible to match the user in DMARCwise upon login.
If you’re unable to change the configuration of the NameID
claim, you can now create a custom claim with type userId
: if the NameID
format is not declared as persistent and the userId
is present, the userId
will be used in place of the NameID
.
Learn more in the SSO documentation.
Duplicate reports are now discarded
Starting 1 August 2025, duplicate DMARC and TLSRPT reports are automatically detected and discarded.
Some email service providers like Google are in fact known to sometimes deliver several copies of the same report, leading to incorrect statistics.
A report is now detected as duplicate if an identical report was received from the same sender in the previous 24 hours.
Although the DMARC specification suggests the use of the Report-ID
for deduplication, some email providers tend to reuse the same IDs over short periods of time, therefore we’ve opted for a stricter algorithm.
Email address update now possible from the dashboard
Users can now change the email address associated with their account from the account settings.
Changing the email address requires following the confirmation link received via email. After confirmation, all the login sessions will be terminated and the old email address will receive an email alert.
Follow this changelog with the RSS feed
We have published an RSS 2.0 feed for the DMARCwise product changelog. You can access it at this URL:
Introducing hosted DMARC
Today, we’re launching a new feature called hosted DMARC.
With hosted DMARC, you can delegate the management of the DMARC DNS record to DMARCwise with a CNAME
(alias) record.
You’ll then be able to manage the DMARC configuration from the dashboard, without going through your DNS provider for every change.
You can learn more about hosted DMARC and how to set it up for existing or new domains in our new documentation pages:
Improved validation of DMARC failure options
We have improved the validation of the fo
tag in DMARC records. The fo
tag stands for failure options and allows a domain owner to decide in which cases a failure report should be generated.
There are strict rules around the formatting and accepted values of the fo
tag, and we have noticed that users often get it wrong.
For example, the following tag is valid:
fo=0:d:s
While these ones are not:
fo=0:1
fo=0:0
(0
and 1
are mutually exclusive and there can be no duplicates.)
DMARCwise’s DMARC record validator now catches this issue and shows an error about it in the dashboard.
Existing records were re-scanned and so you may see new issues being reported in the dashboard.
Keep in mind that the fo
tag must be used only when the ruf
tag is also specified. DMARCwise doesn’t currently support the processing of failure reports, but you can specify an email address of yours in the ruf
tag to receive these (rare) reports.
Introducing DMARC record validation
Your domains’ DMARC records are now analyzed to identify syntax issues that could prevent parsers from using DMARC correctly.
When a syntax error or potential issue is detected, you’ll find the details in the DMARC overview page. A check warning or error will also be triggered.
We currently validate the record to make sure that:
No leading whitespace is present.
Policy tag (
p
) is present.Policy tag (
p
) is the second tag in the record.All tag names are valid.
All tag values are correctly formatted.
No duplicate tags are present.
No misplaced
mailto:
destinations are detected.
We currently don’t detect the following issues:
- Strict
fo
value compliance. - Missing
ruf
whenfo
is present. rua
andruf
URIs correctness.- A record not starting with
v=DMARC1
(leading whitespace is ignored) will be discarded and not shown at all.
The validation will be improved in future updates.
Learn more in the documentation.
Default tag values are now shown in DMARC record tables
The DMARC record summary table now shows default values when a tag is not set.
For example, if you don’t specify the sp
tag (subdomain policy) in your DMARC record, the UI will show that the value of p
is being used as per RFC 7489.
Improved domains grouping
You can now group domains by domains group, DMARC setup status or DMARC policy, making it easier to identify which domains require action.
Domains import and export are now available
You can now bulk import and export domains from/to a CSV file to ease the management of a large number of domains.
Learn more in the documentation about importing domains and exporting domains.
Improved design of the UI for several tables and pages
We’ve just improved the design of several tables and pages in the web app.
Take a look at the before and after in the video above.
Visit the changelog archive for earlier changes.