
Migrating from PowerDMARC to Red Sift OnDMARC: A step-by-step guide

This guide outlines how to migrate from PowerDMARC to Red Sift OnDMARC in a controlled, low-risk sequence that preserves mail flow and protection. Follow the steps in order, validate each change before proceeding, and maintain a rollback path until post-cutover monitoring is clean.

Who this guide is for:

  • Administrators with DNS access and current PowerDMARC/OnDMARC credentials
  • Security and mail ops teams responsible for policy enforcement and monitoring

Before We Start: Your Toolkit

Required items:

  • Current access to your PowerDMARC account
  • DNS management access for your domains

Optional items:

  • Recent DMARC aggregate reports from PowerDMARC
  • Documentation of your current SPF, DKIM, MTA-STS and BIMI configurations
  • List of all authorized email sending sources

Skill Level: Intermediate (requires DNS management knowledge and familiarity with email authentication protocols)

Step 1: Conduct Your Pre-Migration Assessment

Before modifying any DNS records, obtain a complete picture of your current DMARC and MTA-STS implementation and all associated components.

Auditing steps

  1. Log in to PowerDMARC and export all of your domains
  2. Document your current configuration
  • (Optional) Export your aggregate reports from the last 30 days for all domains. You can later forward these reports to your new OnDMARC RUx addresses for a historical view.
  • If using PowerSPF (Hosted SPF), document all SPF mechanisms currently part of your SPF records.
  • If using PowerDKIM, document all DKIM records (selectors, types and values) currently part of your DKIM configuration in PowerDMARC. 
  • If using PowerMTA-STS for your domains, make sure that all your domains are set to testing mode prior to the migration.
  • If using PowerBIMI (Hosted BIMI), download your certificate and have it ready for migrating to Dynamic BIMI.
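
To confirm the MTA-STS item above from outside the PowerDMARC console, the published policy file (served at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt, as defined in RFC 8461) can be parsed and checked for testing mode. This is an added example, not code from PowerDMARC or Red Sift; the function names and the sample policy texts are assumptions made for illustration.

```python
# Added example. The policy texts below are constructed samples.
MAX_AGE_LIMIT = 31557600  # upper bound for max_age in RFC 8461, in seconds

TESTING = "version: STSv1\r\nmode: testing\r\nmx: mail.example.com\r\nmax_age: 86400\r\n"
ENFORCE = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 604800\n"

def parse_policy(text):
    """Parse an MTA-STS policy file into a dict; 'mx' collects every mx line."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy.setdefault(key, value)  # first occurrence wins for other keys
    return policy

def audit_policy(text):
    """Return (ready_for_migration, issues, max_age_seconds_or_None)."""
    policy, issues = parse_policy(text), []
    if policy.get("version") != "STSv1":
        issues.append("version is not STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        issues.append(f"unknown mode: {mode}")
    elif mode != "testing":
        issues.append(f"mode is {mode}, expected testing before migration")
    age = policy.get("max_age", "")
    valid_age = age.isascii() and age.isdigit() and int(age) <= MAX_AGE_LIMIT
    max_age = int(age) if valid_age else None
    if max_age is None:
        issues.append("max_age missing or out of range")
    if mode != "none" and not policy["mx"]:
        issues.append("no mx entries")
    return (not issues, issues, max_age)

if __name__ == "__main__":
    for name, text in (("testing", TESTING), ("enforce", ENFORCE)):
        print(name, audit_policy(text))
```

The returned max_age is how long sending servers may keep using a cached copy of the policy.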

(Optional) Note down all authorized senders by reviewing your DMARC aggregate reports.

Organizations frequently discover "forgotten senders" during migration. Domain administrators must precisely set up authentication parameters to avoid loss of legitimate emails, as misconfigured anti-spoofing mechanisms can inadvertently reject valid messages. Taking time now to identify all senders prevents deliverability issues later.

Success indicators

You should have a comprehensive spreadsheet listing:

  • Every domain protected by PowerDMARC
  • All authorized senders per domain
  • Export of all PowerDMARC delegated and non-delegated DNS records for SPF, DKIM, DMARC, MTA-STS and BIMI.

Step 2: Set Up Your Red Sift OnDMARC Account

Create your Red Sift OnDMARC environment and prepare it to receive DMARC data without disrupting your existing protection.

Implementation steps

Sign up for Red Sift OnDMARC

  • Start with the 14-day free trial to evaluate the platform
  • Complete the onboarding wizard by adding your first domain
  • The system will guide you to the 'My Domains' dashboard automatically

Bulk upload all your domains to OnDMARC

  • OnDMARC will immediately scan your existing DNS configuration
  • Review the protocol status overview (DMARC, SPF, MTA-STS, BIMI)

Choose your setup method

  • Dynamic Services (Recommended): Allows you to manage all email authentication records from within OnDMARC without touching DNS after initial setup
  • Manual Configuration: Gives you direct control if you prefer managing records at the DNS level

OnDMARC's Dynamic Services feature addresses significant limitations of PowerDMARC's approach. Unlike PowerSPF's macro-based solution, Dynamic SPF uses a single dynamic include that works across modern email infrastructure without macros. SPF macros, while defined in RFC 7208 [1], can experience implementation variability across different mail transfer agents, creating potential compatibility concerns. Dynamic SPF eliminates these risks by using a straightforward approach that is universally compatible.

Success indicators

  • All your domains appear in the Red Sift dashboard
  • Current authentication status is visible for each domain
  • Existing DMARC policies are displayed correctly

Step 3: Implement Dual Reporting for Continuity

During this critical phase, both PowerDMARC and OnDMARC receive DMARC reports simultaneously, ensuring zero data loss during transition.

  1. Enable Dynamic Services for each domain. Once enabled, Dynamic Services sets the DMARC settings to match your existing configuration and automatically adds the OnDMARC RUx (rua and ruf) addresses.
  2. Replace your existing DMARC record in your DNS with the Dynamic DMARC record, found in the DMARC tab.
  3. Verify that the Dynamic DMARC record has been detected by OnDMARC.

Implementation steps (manual configuration of DMARC)

Discover your OnDMARC reporting addresses

  • In OnDMARC, navigate to the Settings > Domains page
  • Locate the unique RUA (aggregate) and RUF (forensic) email addresses
  • Copy these addresses exactly as shown

Update your DMARC records to include both providers:

  • Access your DNS management console
  • Locate your current DMARC TXT record (format: _dmarc.yourdomain.com)
  • Modify the RUA tag to include both PowerDMARC and Red Sift addresses
  • Example format: rua=mailto:powerdmarc@address.com,mailto:redsift@address.com
  • Critical: Do NOT change your enforcement policy (p= tag) during this step

Verify the DNS propagation:

  • Allow sufficient time for DNS changes to propagate globally
  • Confirm both reporting addresses appear correctly in the published record

Monitor both platforms:

  • Check that both PowerDMARC and OnDMARC begin receiving reports
  • Compare data between platforms to ensure consistency
  • Continue this dual reporting period to ensure adequate data collection

This dual reporting period serves as a safety net. Best practices recommend keeping both providers active to ensure OnDMARC has accumulated enough data to provide complete visibility into your email ecosystem.

Success indicators

  • Both platforms receive DMARC reports
  • Sender information matches across PowerDMARC and OnDMARC

Troubleshooting considerations

If Red Sift’s OnDMARC isn't receiving reports, check:

  • Each email address in the RUA tag is preceded by mailto:
  • Addresses are separated by commas without spaces
  • No typos in the OnDMARC reporting addresses
  • DNS changes have fully propagated (can take up to 48 hours)

Step 4: Complete the DNS Cutover to Red Sift

Once you've verified that OnDMARC is receiving complete data, remove PowerDMARC from your DMARC configuration and make OnDMARC your primary DMARC provider.

Implementation steps

If using Dynamic Services

  1. Go to Dynamic Services > DMARC tab, remove the PowerDMARC rua and ruf addresses from the configuration and Save.

If manually managing your DMARC record

  1. Update your DMARC records to contain OnDMARC only:
  • Access your DNS management console again
  • Modify your DMARC TXT record to include only OnDMARC's reporting addresses
  • Remove the PowerDMARC RUA and RUF addresses 
  • Example: v=DMARC1; p=quarantine; pct=100; rua=mailto:xxxxxx@inbox.ondmarc.com; ruf=mailto:xxxxxx@inbox.ondmarc.com;

Critical: Maintain only ONE DMARC record per domain. Having multiple DMARC records causes receivers to stop DMARC discovery and processing, which can lead to successful spoofing. 
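
The checks from the Step 3 troubleshooting list and the one-record rule above can be run against the TXT strings published at _dmarc.yourdomain.com, both during dual reporting and after cutover. This is an added example, not Red Sift or PowerDMARC code; the function names are assumptions, and the sample records are constructed from the guide's placeholder addresses.

```python
# Added example. Records below are constructed; addresses are the guide's placeholders.
POWER = "mailto:powerdmarc@address.com"
REDSIFT = "mailto:redsift@address.com"
DUAL = ["v=DMARC1; p=quarantine; pct=100; rua=" + POWER + "," + REDSIFT]
BROKEN = ["v=DMARC1; p=reject; rua=" + POWER + ", redsift@address.com"]

def parse_tags(record):
    """Split one DMARC TXT value into a {tag: value} dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt_records, expected_rua, baseline_policy):
    """List problems in the TXT strings published at _dmarc.<domain>.

    expected_rua: exact set of rua URIs for this phase (both providers
    during dual reporting, OnDMARC only after cutover).
    baseline_policy: the p= value noted in the pre-migration audit.
    """
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return [f"expected exactly 1 DMARC record, found {len(dmarc)}"]
    tags, problems = parse_tags(dmarc[0]), []
    policy = tags.get("p", "").lower()
    if policy != baseline_policy.lower():
        problems.append(f"p={policy} differs from baseline p={baseline_policy}")
    raw = tags.get("rua", "")
    if " " in raw:
        problems.append("rua list contains spaces")
    uris = [u.strip().lower() for u in raw.split(",") if u.strip()]
    for uri in uris:
        if not uri.startswith("mailto:"):
            problems.append(f"rua entry missing mailto: prefix: {uri}")
    want = {u.lower() for u in expected_rua}
    problems += [f"rua missing {u}" for u in sorted(want - set(uris))]
    problems += [f"rua has unexpected {u}" for u in sorted(set(uris) - want)]
    return problems

if __name__ == "__main__":
    print("dual reporting:", check_dmarc(DUAL, {POWER, REDSIFT}, "quarantine"))
    print("after cutover :", check_dmarc(DUAL, {REDSIFT}, "quarantine"))
    print("broken record :", check_dmarc(BROKEN, {POWER, REDSIFT}, "quarantine"))
    print("two records   :", check_dmarc(DUAL + DUAL, {POWER, REDSIFT}, "quarantine"))
```

The input is the list of TXT values returned by a lookup such as dig +short TXT _dmarc.yourdomain.com, with the surrounding quotes removed.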

  • For Dynamic SPF: Replace your existing SPF record with Red Sift's smart TXT record. Critical: make sure that Dynamic SPF is prepped with all necessary values in advance. 
  • For Dynamic DKIM: Set up NS delegation as guided in the OnDMARC interface. Critical: make sure that Dynamic DKIM is prepped with all necessary values in advance. 
  • For Dynamic MTA-STS: Before you start, you should have changed your policy to testing mode in PowerDMARC. Ask the PowerDMARC team to disable and delete your MTA-STS distribution. Only then generate the required records in OnDMARC and publish in the DNS.
  • For BIMI: Download your .pem certificate from PowerDMARC, and upload to Dynamic BIMI.

This eliminates the need for future DNS access when managing email authentication. Moving forward, you will be able to add all your authorized sending services directly to the OnDMARC interface.

Verify the changes:

  • Allow sufficient time for DNS propagation and verify changes are reflected in Dynamic Services.
  • Check authentication results using Investigate's real-time testing

The Red Sift Investigate tool provides a significant advantage by bypassing the typical DMARC report delay (which can be 24-48 hours), enabling real-time configuration testing and validation. This capability accelerates troubleshooting and policy deployment, allowing organizations to verify authentication changes immediately rather than waiting for the next DMARC reporting cycle.

Success indicators

  • All protocols show correct delegation to Dynamic Services
  • All test emails from legitimate sources pass DMARC authentication
  • OnDMARC dashboard continues showing consistent email volumes
  • No interruption in email delivery or authentication

Troubleshooting considerations

If legitimate emails start failing authentication after the cutover:

  • Use Investigate immediately to identify the specific failure point
  • Check whether the issue is SPF or DKIM related
  • Review if any sending services were missed in the pre-migration audit
  • Verify all authorized senders are added to OnDMARC's Dynamic Services

Step 5: Optimize and Leverage Red Sift's Advanced Features

With migration complete, optimize your configuration and leverage features that PowerDMARC doesn't offer or requires premium tiers to access.

Implementation steps

Configure DNS Guardian (Premier tier feature, unique to Red Sift)

  • Enable DNS configuration monitoring in your OnDMARC settings
  • DNS Guardian will actively scan for misconfigurations, dangling DNS records, and subdomain takeover attempts
  • This protects against threats that bypass traditional DMARC, including sophisticated Business Email Compromise (BEC) attacks

Leverage Red Sift Radar (AI-powered assistant)

  • Access Radar directly within the OnDMARC interface
  • Use it to identify misconfigurations across your email authentication stack
  • Get instant answers to configuration questions without leaving the platform
  • Radar assesses domain security posture more rapidly than manual analysis

Set up proactive notifications

  • Configure Compliance Reports (daily or weekly summaries of email status)
  • Enable Configuration Alerts for reputation issues or configuration drops
  • Set up Action Reminders to track outstanding tasks
  • Set up DNS change alerts
  • Send alerts to email or Slack channels for your security team

Implement BIMI (if at enforcement policy)

  • If you're at p=quarantine or p=reject, leverage Red Sift OnDMARC's integrated BIMI with VMC provisioning
  • OnDMARC offers direct integration with DigiCert via API
  • Enterprise tier includes a free VMC license

Plan your enforcement roadmap

  • If you're not yet at p=reject, use Red Sift's guidance to safely increase enforcement
  • The Red Sift Customer Success team can help you achieve full enforcement efficiently

Success indicators

  • Proactive monitoring is active (DNS Guardian enabled)
  • Regular compliance reports are being received
  • Team can instantly troubleshoot issues with Investigate and Radar
  • All advanced features are configured according to your needs

Common Migration Mistakes and How to Avoid Them

Mistake 1: Publishing multiple DMARC records

  • Why it happens: Organizations sometimes add a new DMARC record while leaving the old one in place, thinking both will work.
  • How to avoid: Always verify you have exactly one DMARC record per domain. Multiple records cause mail receivers to ignore all DMARC policies entirely, leaving you unprotected.
  • If it happens: Immediately remove all but one DMARC record. Allow time for propagation, then verify with Investigate.

Mistake 2: Changing enforcement policy during migration

  • Why it happens: Teams want to improve security posture while migrating and consider it a good time to tighten policies.
  • How to avoid: Migration and enforcement changes should be separate initiatives. Complete the provider migration first, validate everything works, then gradually increase enforcement.
  • If it happens: Revert to your previous policy level immediately, allow time for propagation, then investigate any authentication failures before attempting policy changes again.

Mistake 3: Insufficient dual reporting period

  • Why it happens: Teams rush the migration to save costs by canceling the old provider quickly.
  • How to avoid: Maintain dual reporting for an adequate period to ensure the new provider captures all your sending patterns, including monthly reports or periodic campaigns.
  • If it happens: If you discover missing senders after cutover, you can temporarily revert to dual reporting or use Red Sift's Investigate tool to test and validate additional sources in real-time.

Mistake 4: Not auditing all email sources

  • Why it happens: Organizations focus only on obvious senders like marketing platforms, missing calendar systems, notification services, and third-party tools.
  • How to avoid: Review sufficient aggregate reports before migration to identify all sending services. Understanding the differences between SPF, DKIM, and DMARC helps identify which authentication methods each sender supports.
  • If it happens: OnDMARC’s Email Sources inventory will automatically discover missing senders. Use Investigate to validate them quickly.

Completing Your Migration Journey

Migrating from PowerDMARC to Red Sift OnDMARC addresses critical limitations in macro-based SPF management while providing access to advanced capabilities like continuous DNS configuration monitoring with DNS Guardian, AI-powered troubleshooting with Radar, and streamlined BIMI implementation. 

The dual reporting period serves as the critical safety mechanism during migration, ensuring complete visibility into email sources before making the final cutover. Combined with Red Sift's real-time testing capabilities through the Investigate tool, organizations can validate configurations immediately rather than waiting for DMARC report cycles.

Post-migration advantages extend beyond basic DMARC functionality. Dynamic Services eliminate ongoing DNS management requirements, DNS Guardian detects threats that bypass traditional authentication, and dedicated Customer Success Engineering support accelerates the path to p=reject enforcement.

Start your 14-day free trial of Red Sift OnDMARC or run a free DMARC check to assess your current configuration.

References

[1] Kitterman, S. "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1." RFC 7208, Internet Engineering Task Force (IETF), April 2014. https://datatracker.ietf.org/doc/html/rfc7208