Frequently Asked Questions
Common questions about SpoofSentry, answered in plain language. If your question is not here, contact us at [email protected].
About these answers
These answers reflect SpoofSentry's capabilities as of April 2026. Features and plan availability may change. For the most current information, see the product capabilities page and pricing page.
Frequently asked questions
What is SpoofSentry?
SpoofSentry is an email authentication and domain security platform built by DomainSeal Labs (Netallion). It monitors DMARC, SPF, DKIM, MTA-STS, DNSSEC, DANE, and BIMI. It detects dangling DNS records that create subdomain takeover risk. It provides guided enforcement workflows to move domains from monitoring (p=none) to full enforcement (p=reject) safely. It is not an inbox email security tool — it does not scan email content, filter spam, or block malware.
What does SpoofSentry NOT do?
SpoofSentry does not provide inbox-level email security. It does not scan email content, filter spam, detect malware in attachments, or sandbox suspicious files. It does not monitor for lookalike or typosquatting domains. It does not provide email archiving or eDiscovery. It focuses exclusively on domain-level authentication posture, DNS security, and enforcement — the sending-side protection layer.
Is SpoofSentry a DMARC monitoring tool?
DMARC monitoring is one of SpoofSentry's capabilities, but it is not a DMARC-only tool. It also covers SPF and DKIM management, MTA-STS and TLS-RPT, DNSSEC and DANE monitoring, dangling DNS detection, enforcement simulation with rollback, compliance reporting across 9 frameworks, third-party vendor risk assessment, and MSSP multi-tenant management.
How is SpoofSentry different from EasyDMARC, PowerDMARC, or Valimail?
SpoofSentry covers a broader protocol surface than most DMARC-focused tools: it includes DNSSEC/DANE monitoring, dangling DNS detection, and a 100-point domain security score that goes beyond DMARC compliance. It also provides enforcement simulation with rollback, MSSP-native multi-tenant architecture with white-label branding, and PSA integrations (ConnectWise, Autotask, HaloPSA) for MSP operations. For detailed comparisons, see the comparison pages at /compare.
Is there a free plan?
Yes. The Monitor plan is free and includes 1 domain, DMARC aggregate report decoding, SPF and DKIM alignment visibility, 7-day data retention, a preview Domain Security Score, and access to 16 free diagnostic tools at /tools. It does not include alerts, remediation playbooks, enforcement simulation, API access, or integrations.
How much does SpoofSentry cost?
Monitor: free (1 domain). Protect: $24/month or $19.20/month billed annually (5 domains). Enforce: $65/month or $52/month billed annually (10 domains). Enterprise: custom pricing (unlimited domains). See /pricing for full plan comparison.
What is included in each plan?
Monitor: basic DMARC visibility and free tools. Protect: full monitoring, dangling DNS detection, manual remediation, alerts, reports, peer benchmarks. Enforce: enforcement center, sender inventory, impact simulation, rollback, auto-remediation, third-party risk, API access, SIEM and ChatOps integrations. Enterprise: unlimited scale, PSA integrations, MSSP multi-tenant, white-label, compliance reports (9 frameworks), SSO, SLA guarantee.
Does SpoofSentry support MSSP multi-tenant management?
Yes, on Enterprise plans. Each customer tenant has strict data isolation. MSSPs get a portfolio dashboard showing enforcement status and domain scores across all customers, branded client reporting, bulk domain operations, and PSA integration for automatic ticket creation.
Can I white-label SpoofSentry for my clients?
Yes, on Enterprise plans. White-label includes custom domain, logo, colors, branded reports, and branded emails. Clients see your brand, not SpoofSentry's.
Which PSA tools does SpoofSentry integrate with?
ConnectWise Manage, Autotask (Datto), and HaloPSA. These integrations create tickets automatically on posture changes and are available on Enterprise plans only.
What enforcement modes does SpoofSentry support?
Four modes: preview (simulation only, no DNS changes), manual (human-triggered changes, available on Protect), semi-automatic (approval-based automation, available on Enforce), and fully automatic (with precondition checks, regression detection, and auto-pause, available on Enterprise).
Can SpoofSentry change my DNS records automatically?
Yes, if you connect a supported DNS provider (Cloudflare, AWS Route 53, Azure DNS, GoDaddy, Google Cloud DNS). Changes can be previewed before applying, verified after applying, and rolled back with one click. Automatic changes require Enforce or Enterprise plan.
What is enforcement simulation?
Enforcement simulation replays your recent DMARC aggregate report data against a proposed policy change (quarantine or reject). It shows which mail streams would pass, fail, or be affected before you change your DNS. This lets you identify gaps and fix them before going live.
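The replay described above, as an added example (not SpoofSentry's code): it tallies aligned pass/fail message counts per sending source from an RFC 7489 aggregate report and shows which streams a proposed policy would affect. The sample report, the function name `simulate`, and the output fields are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: an RFC 7489 aggregate report trimmed to the fields used here.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>15</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def simulate(report_xml, proposed_policy):
    """Replay report rows against a proposed DMARC policy, grouped by source IP."""
    if proposed_policy not in ("quarantine", "reject"):
        raise ValueError("proposed_policy must be 'quarantine' or 'reject'")
    # Aggregate reports arrive from third parties: treat them as untrusted input
    # and prefer a hardened XML parser (for example defusedxml) in production.
    root = ET.fromstring(report_xml)
    counts = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip", "unknown")
        n = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim", "fail")
        spf = row.findtext("policy_evaluated/spf", "fail")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        verdict = "pass" if "pass" in (dkim, spf) else "fail"
        counts[ip][verdict] += n
    result = {}
    for ip, c in counts.items():
        result[ip] = {
            "total": c["pass"] + c["fail"],
            "affected": c["fail"],  # messages the new policy would act on
            "action": proposed_policy if c["fail"] else "deliver",
        }
    return result

if __name__ == "__main__":
    for ip, stats in simulate(SAMPLE_REPORT, "reject").items():
        print(ip, stats)
```

A source with a mix of passing and failing rows, like 198.51.100.7 in the sample, is typically a legitimate sender with a partial configuration gap, which is the case to fix before raising the policy.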
What is a Domain Security Score?
A 0-100 composite metric that evaluates your domain across seven dimensions: SPF, DKIM, DMARC, BIMI, MTA-STS, DNSSEC, and dangling DNS. Graded A (90-100) through F (below 60). A free preview (DMARC + SPF only) is available at /tools/domain-security-score.
What is dangling DNS detection?
SpoofSentry checks DNS records for references to resources that no longer exist — deleted cloud buckets, decommissioned apps, expired services. These dangling records can be hijacked by attackers for subdomain takeover, phishing, or email spoofing.
Which compliance frameworks does SpoofSentry support?
Enterprise plans include reports mapped to SOC 2, ISO 27001, HIPAA, PCI DSS 4.0, GDPR, NIST 800-177, NIS2, NCSC CAF (UK), and ASD Essential Eight (Australia). Enforce plans include 6 frameworks.
Does SpoofSentry support DNSSEC and DANE?
Yes. SpoofSentry monitors DNSSEC signing status and chain-of-trust validation, and validates DANE TLSA records. These are included in the Domain Security Score on Protect plans and above.
Which SIEM tools does SpoofSentry integrate with?
Splunk (including HEC), Microsoft Sentinel, Elastic, and Datadog. Events are formatted in CEF and ECS with severity mapping. Available on Enforce and Enterprise plans.
Does SpoofSentry have an API?
Yes. A REST API provides programmatic access to domain scores, DMARC data, enforcement status, simulation results, and tenant management. API access is available on Enforce and Enterprise plans. Documentation is at /api-docs.
Does SpoofSentry integrate with Slack or Microsoft Teams?
Yes. Real-time notifications with severity indicators and action links. Available on Enforce and Enterprise plans.
Who makes SpoofSentry?
SpoofSentry is a DomainSeal Labs product, built and operated by Netallion.
What is SpoofSentry's uptime target?
99.9% uptime target. Enterprise plans include SLA guarantees with defined uptime and response time commitments.
Still have questions?
Contact us at [email protected] or check the product capabilities page for a complete feature reference.