Domain security operations platform

Stop email impersonation — with proof it's working

Know who sends as your domain, simulate enforcement before you commit, detect threats in real time, and prove compliance across every domain you manage.

Start Free Trial Talk to Sales →

Free domain check — no account needed

Business email compromise is the #1 social engineering threat. Google and Yahoo now require DMARC for bulk senders.

Enforcement Workflow

acme.com

Discover & classify senders

142 senders found — 12 unauthorized flagged for review

Simulate enforcement impact

2.1% mail affected — zero legitimate senders blocked

Approve change & deploy

Approved by j.chen — rollback armed

Observe results (day 5 of 14)

99.1% pass rate — no regressions — 1 sender anomaly flagged

Advance to full enforcement

Ready in ~9 days based on current trajectory

IP reputation clean

No phishing certs

1 sender changed

Simulate before DNS changes·Approval-gated actions·Observation windows·RCA workflows·MSSP-ready·16 free tools

Most teams do not fail at visibility. They stall at safe enforcement.

DMARC dashboards can tell you what is broken. That is not the hard part. The hard part is deciding what to change, proving it is safe, and carrying it through production DNS without disrupting legitimate mail. SpoofSentry closes that gap with governed workflows for sender discovery, failure root cause analysis, staged policy progression, and approval-gated change execution.

Simulate before you enforce

See which senders pass, fail, or need remediation before you tighten policy. Replay recent aggregate report data against quarantine or reject to understand the blast radius.

Approve before DNS changes

Keep humans in control with review points for sender authorization and enforcement changes. Every high-impact action is gated, scoped, and auditable.

Observe after every step

Use fixed observation windows, structured outcomes, and rollback-aware execution to move toward enforcement safely. Prove progress to leadership with before/after enforcement proof.

Signature capability

One score for your entire domain posture

Most tools tell you whether you have a DMARC record. SpoofSentry tells you whether your domain is actually protected. The Domain Security Score is a 100-point composite across ten dimensions — not just authentication, but transport encryption (MTA-STS, TLS-RPT, DANE), DNS trust, and hidden takeover risk.

Ten dimensions: DMARC policy, SPF alignment, DKIM alignment, sender coverage, MTA-STS, TLS-RPT, BIMI readiness, lookalike threat exposure, managed SPF/DKIM, DANE
Letter grades A through F with historical trend tracking
Anonymized industry benchmarks — see where you rank
Free preview score at /tools — no account needed

Learn more about the Domain Security Score →

Domain Posture OverviewLast 30 days

DMARC

SPF

DKIM

Senders

MTA-STS

TLS-RPT

100

BIMI

Lookalike

DANE

DNS Risk

Composite Score74/100

Bottom 30% for your sector · 3 issues to address

More than DMARC monitoring

Every layer of domain security — in one platform

DMARC is the foundation. SpoofSentry builds the entire security stack on top — from transport encryption to brand protection to automated threat response.

🤖

Sender Authorization Intelligence

AI-powered ESP detection across 26+ providers. Behavioral profiling with hourly cadence fingerprinting, volume anomaly detection, and authentication degradation alerts. Full governance lifecycle from discovery to retirement.

🛡️

Takedown Orchestration

Detect lookalike domains via typosquat, homoglyph, and TLD variant scanning. Automated evidence collection and multi-channel abuse dispatch to Google Web Risk, Netcraft, URLhaus, and registrars — with case tracking and escalation.

🔬

Root Cause Analysis

When failure rates spike, correlate auth failures, sender patterns, DNS changes, IP reputation signals, and provider data to rank probable causes. Structured RCA with deterministic classification — not guesswork.

🔍

Dangling DNS & Subdomain Takeover

Continuous scanning for CNAME takeover risks, orphaned records, and SubdoMailing indicators across your entire portfolio. Provider-aware risk scoring for Heroku, S3, Azure, CloudFront, GitHub Pages, and more.

🔏

Transport Security (MTA-STS, DANE, TLS-RPT)

Real DNS monitoring for MTA-STS, TLS-RPT, DNSSEC chain validity, and DANE/TLSA records. Not just configuration — live verification against public DNS every 24 hours.

🚨

7-Signal Threat Intelligence

Volume spikes, auth degradation, geo anomalies, spoofing campaigns, DNS changes, sender behavior shifts, and lookalike activity. IP enrichment from AbuseIPDB, Spamhaus ZEN, and Google Safe Browsing. CT log monitoring every 6 hours.

📊

Enforcement Proof & Observation

Simulate policy impact before DNS changes. Approval-gated execution with observation windows and armed rollback. TTD, TTR, TTE metrics and executive-ready compliance reports.

✨

BIMI & VMC

End-to-end BIMI readiness assessment, logo validation, VMC lifecycle tracking, and DNS deployment. Display your brand logo in Gmail, Apple Mail, and Yahoo.

🏢

MSSP Multi-Tenancy

White-label portal, pooled billing, customer impersonation, portfolio analytics, cross-tenant remediation queue, and PSA integration (ConnectWise, Autotask, HaloPSA, ServiceNow).

Learn more →

🔒

11 Compliance Frameworks

Automated evidence bundles and control mappings for SOC 2, ISO 27001, NIST CSF, PCI-DSS v4.0, HIPAA, NIS2, CISA BOD 18-01, NCSC CAF, ASD Essential Eight, SMB1001, and FedRAMP.

📡

STIX/TAXII 2.1 Threat Feed

Export threat indicators, sightings, and campaigns to Splunk, Sentinel, Elastic, or any TAXII 2.1-compatible SIEM. Four collections, standards-compliant.

🔗

25+ Integrations & Open API

Slack, Teams, Splunk, Datadog, Elastic, Sentinel, ConnectWise, Autotask, HaloPSA, ServiceNow, Okta. RESTful API with 700+ endpoints, outbound webhooks with HMAC signing.

Governed enforcement workflow

Move to enforcement with a governed workflow

From p=none to p=reject is the highest-risk step in DMARC operations. SpoofSentry turns it into a controlled process built around simulation, approval, and observation.

Simulate

Replay recent DMARC activity against tighter policy settings and see exactly which senders would break, pass, or require remediation.

→

Approve

Review sender authorization recommendations and policy changes before DNS is touched. Every high-impact action is gated, scoped, and auditable.

→

Observe

After each change, monitor failure patterns, sender behavior, and stability before recommending the next phase. Safer progression from monitor to quarantine to reject.

How guided enforcement works →Quarantine vs reject guide →

Who it's for

The right depth for every team

Security Teams

Managed SPF with automated refresh, RFC-aware validation, drift detection, and safe optimization
Continuous posture monitoring across SPF, DKIM, DMARC, DNSSEC, DANE, MTA-STS
Dangling DNS and subdomain takeover detection
Enforcement simulation before any DNS change
SIEM integration (Splunk, Sentinel, Elastic, Datadog)

IT Leadership

100-point Domain Security Score with letter grades
AI executive summaries in plain English
Compliance reports across 11 frameworks
Weekly PDF digests and trend dashboards

MSSPs & MSPs

Multi-tenant portal with strict data isolation
White-label branding — custom domain, logo, reports
PSA/RMM integration: ConnectWise, Autotask, HaloPSA
Portfolio dashboard with per-client enforcement tracking

Multi-Domain Organisations

Portfolio-level posture visibility across all domains
Bulk enforcement operations with safety gates
Branded reporting for boards and auditors
Enterprise SSO (OIDC / SAML) and documented support commitments

MSSP solution →MSP solution →Multi-domain orgs →

Free tools

Start with a free check — no account needed

All 16 tools

DMARC Checker

Validate your DMARC record and policy configuration

SPF Checker

RFC-aware SPF validation: lookup limits, void lookups, circular refs, and more

DKIM Checker

Verify DKIM selectors, key strength, and alignment

Domain Security Score

Get a posture score across 9 security dimensions

Dangling DNS Scanner

Detect subdomain takeover risk from stale records

ROI Calculator

Estimate the cost of inaction on email authentication

All 16 tools

Beyond email authentication

Find what attackers find — before they do

Domains accumulate DNS records over time. When the service behind a record is decommissioned but the record remains, attackers can claim the abandoned resource and send email from your subdomain. SpoofSentry detects dangling DNS and monitors DNSSEC chain validation and DANE TLSA records across authoritative and validating paths — the hidden risk layer most DMARC tools ignore entirely.

Dangling DNS detection — CNAME, MX, and SPF include scanning
DANE/DNSSEC monitoring — TLSA records + chain validation across authoritative and validating paths
Deliverability intelligence — Google Postmaster + Microsoft SNDS

Learn more about DNS risk detection →

DNS Risk Scan

blog.example.comCNAMEDangling

old-app.example.comCNAMEDangling

mail.example.comMXHealthy

_dmarc.example.comTXTHealthy

example.comDNSSECUnsigned

5 records scanned · 2 critical · 1 warning

Pricing

From free visibility to managed enforcement

Start free. Upgrade when you're ready to enforce, automate, and scale.

Save 20%

Monitor

See who's sending email on your domain — no credit card, no commitment.

$0/mo

1 domain
DMARC visibility
Domain Security Score (preview)
7-day data retention
1 team member

Get Started

Popular

Protect

For growing businesses that need reliable monitoring, alerts, and compliance-ready reporting.

$19/mo$24

Billed annually

Up to 5 domains
SPF, DKIM & DMARC monitoring
Full Domain Security Score
Dangling DNS detection
Remediation playbooks
Alerts & branded weekly digest
Mailbox readiness & deliverability investigate
Trends, benchmarks & deliverability
5 AI summaries/mo
30-day history

Start Free Trial

Enforce

For IT and security teams who need enforcement simulation, auto-remediation, and threat intelligence.

$52/mo$65