Everything you need to secure your domains
From your first DMARC record to full enforcement across hundreds of domains — SpoofSentry covers monitoring, enforcement, threat response, compliance, and MSSP operations in one platform.
Monitoring & Visibility
Understand your domain security posture before you act.
Domain Security Score →
100-point composite score across 10 dimensions: DMARC policy, SPF alignment, DKIM alignment, sender coverage, MTA-STS, TLS-RPT, BIMI readiness, lookalike threat exposure, managed SPF/DKIM, and DANE. Letter grades A–F with historical trending and industry benchmarks.
DMARC Aggregate Reports
Parse and visualize RUA reports. See pass/fail rates, sender breakdown, geographic distribution, and 30/60/90-day trends.
Forensic Reports
Ingest RUF forensic reports with PII redaction. Classify failures as DKIM, SPF, alignment, or suspected spoofing.
Sender Authorization Intelligence
AI-powered ESP detection across 26+ providers with confidence levels. Behavioral profiling with hourly cadence fingerprinting. Full governance lifecycle: newly observed → under review → authorized → monitored → retired. Bulk governance actions and chain-of-custody audit trail.
TLS-RPT Monitoring
Live DNS checks for _smtp._tls TLS-RPT records. Ingest TLS failure reports via webhook. Track delivery encryption success rates and diagnose transport failures across your domain portfolio.
Industry Benchmarking
Compare your domain score against anonymized industry peers. See your percentile ranking by vertical.
Mailbox Readiness
Per-provider compliance checks for Google, Microsoft, and Yahoo sender requirements. See which providers your domain passes or fails, with specific check details and remediation guidance.
Enforcement & Remediation
Move from p=none to p=reject safely with simulation and rollback.
Guided Enforcement →
Step-by-step progression from monitor to quarantine to reject. Readiness gates block premature advancement. Rollback in one click.
Enforcement Simulator
What-if analysis: replay historical traffic against a proposed policy. See exactly which senders would be affected before changing DNS.
Remediation Playbooks
8 playbook types: sender authorization (SPF), DKIM key rotation, DMARC policy advancement, SPF lookup reduction, MTA-STS configuration, BIMI readiness, dangling DNS remediation, and lookalike domain response.
DNS Management
Direct DNS record publishing via Cloudflare, Route 53, Azure DNS, GoDaddy, or Google Cloud DNS. Drift detection with nightly reconciliation.
SPF Dependency Analysis
Visualize SPF include chains, count DNS lookups, detect redundant entries, and optimize to stay under the 10-lookup limit.
Fix Wizard
Guided remediation workflow: select a change type, preview the current DNS state, describe the change, and submit directly to Change Center for approval and execution.
Threat Intelligence
Detect, investigate, enrich, and take down domain threats.
Spoofing Campaign Detection
Statistical anomaly detection across volume, geography, authentication rates, and sender behavior. Z-score analysis against rolling baselines with multi-dimensional severity scoring. Timeline reconstruction with IP attribution.
Lookalike Domain Monitoring
Detect typosquats, homoglyphs, TLD variants, combo-squats, and subdomain abuse. Risk scoring 0–100 with registration and infrastructure checks.
Takedown Orchestration
Full lifecycle case management: automated evidence collection, multi-channel abuse dispatch (Google Web Risk, Netcraft, URLhaus, registrar/host email), case tracking, and escalation. Downstream action timelines are controlled by third-party providers.
Dangling DNS Detection →
Scan for CNAME takeover risks, orphaned records, and SubdoMailing indicators across your entire domain portfolio.
Third-Party Risk Monitoring
Monitor vendor domains that send email on your behalf. Detect when a vendor’s DMARC posture degrades before it affects your deliverability.
Sender Surface
Unified brand exposure view combining lookalike domains, dangling DNS findings, and sender infrastructure assets into a single overview with composite Brand Risk Score. Enterprise only.
DMARC Failure Root Cause Analysis
When failure rates spike or inbox placement drops, correlate auth failures, sender patterns, DNS changes, and provider signals to rank the most likely cause and next action. Structured RCA with deterministic classification.
IP Reputation Enrichment
Every unknown sender IP enriched from AbuseIPDB, Spamhaus ZEN, and Google Safe Browsing. Composite risk scoring with automatic severity upgrades for high-risk sources.
Certificate Transparency Monitoring
CT logs polled every 6 hours for certificates issued against your domains and lookalike variants. Catch phishing infrastructure before it goes live.
Sender Behavioral Profiling
Hourly sending cadence fingerprinting per source IP. Four anomaly detectors: volume spikes, authentication degradation, sending-hour shifts, and day-of-week pattern changes.
Domain Security Score Forecasting
30/60/90-day score projections using weighted linear regression. Per-dimension key drivers with actionable recommendations.
STIX/TAXII 2.1 Threat Feed
Enterprise: export threat indicators, sightings, and campaigns to Splunk, Sentinel, Elastic, or any TAXII 2.1-compatible SIEM. Four collections, standards-compliant, zero additional cost.
Compliance & Reporting
Generate evidence for audits and keep leadership informed.
11-Framework Compliance
Evidence bundles and control mappings for SOC 2, ISO 27001, NIST CSF, PCI-DSS v4, HIPAA, NIS2, CISA BOD 18-01, NCSC CAF, ASD Essential Eight, SMB1001, and FedRAMP.
AI Executive Summaries
Plain-English summaries for leadership. Weekly digests, monthly briefs, incident narratives, and domain assessments.
Enforcement Proof & Observation
Track what changed, what was approved, what happened during the observation window, and what improved after enforcement. TTD, TTR, TTE metrics and ROI estimation.
Scheduled Reports
Daily, weekly, or monthly reports in PDF, Markdown, or HTML. Delivered via email with shareable links.
BIMI/VMC Workflow
End-to-end BIMI readiness assessment, VMC readiness assessment and lifecycle tracking, and DNS deployment.
Platform & Scale
Enterprise-grade infrastructure for MSPs, MSSPs, and multi-domain organizations.
MSSP Multi-Tenancy
Pooled billing, customer impersonation, portfolio analytics, white-label branding, cross-tenant remediation queue, vendor portfolio view, and bulk operations across managed tenants.
Enterprise SSO
OIDC + SAML 2.0 with SCIM 2.0 automated provisioning. Domain-verified enforcement, JIT provisioning, and group-based role mapping.
25+ Integrations
Slack, Teams, Splunk, Datadog, Elastic, Sentinel, ConnectWise, Autotask, HaloPSA, ServiceNow, Okta, and more.
API & Webhooks
RESTful API with 700+ endpoints, OpenAPI documentation, outbound webhooks with HMAC signing and delivery tracking.
Role-Based Access
Role-based access control with 8 roles across 28 resource types (91 effective permissions). MFA (TOTP + WebAuthn), IP allowlisting, and privileged access management.
Ready to secure your domains?
Start with a free domain check — no account needed. Or jump straight in with a 14-day free trial.