SpoofSentry Product Capabilities

SpoofSentry is an email authentication and domain security platform. It monitors DMARC, SPF, DKIM, MTA-STS, DNSSEC, DANE, and BIMI. It detects dangling DNS records. It provides guided enforcement workflows with simulation and rollback. It supports MSSP multi-tenant management with white-label branding. This page is a complete reference of what SpoofSentry does and does not do.

DMARC aggregate report monitoring and sender classification

SpoofSentry collects and parses DMARC aggregate reports (RUA) from all receiving mail servers. Reports are decoded from XML, deduplicated, and presented as sender-level visibility. Each sending source IP is automatically matched against a database of known email services (Google Workspace, Microsoft 365, SendGrid, Mailchimp, HubSpot, Amazon SES, and hundreds more) and classified as authorized, unknown, or unauthorized.

AI-assisted sender classification is available on paid plans: 5 summaries/month on Protect, 25 on Enforce, unlimited on Enterprise. Forensic reports (RUF) are supported where receivers send them. Available on all plans including the free Monitor tier.

Domain Security Score: 100-point composite posture metric

SpoofSentry evaluates each domain across seven dimensions: SPF record validity and alignment, DKIM key presence and configuration, DMARC policy strength and reporting setup, BIMI record publication, MTA-STS policy enforcement, DNSSEC signing status, and dangling DNS exposure. The result is a 0-100 composite score with per-dimension breakdown. Scores are graded A (90-100) through F (below 60).

Historical score tracking is available on paid plans: 30-day on Protect, 90-day on Enforce, 365-day on Enterprise. Anonymized industry benchmarks allow comparison against similar organizations. A free preview score (DMARC + SPF only) is available at /tools/domain-security-score with no account required.

SPF, DKIM, and DMARC validation and alignment checking

SpoofSentry validates SPF records including DNS lookup counting (the 10-lookup limit), qualifier analysis, and include-chain visualization. DKIM records are checked for key presence, key strength, algorithm support, and alignment mode. DMARC records are validated for policy completeness, alignment settings, and reporting configuration.

All three protocols are checked for alignment — whether the authenticated domain matches the From header domain. Misalignment is flagged with specific remediation guidance. 16 free diagnostic tools are available at /tools with no account required.

Enforcement simulation and guided policy progression

SpoofSentry provides enforcement simulation that replays recent DMARC aggregate report data against a proposed policy change (quarantine or reject). The simulation shows which mail streams would pass, fail, or be affected, broken down by sending source, volume, and alignment status. This allows organizations to identify gaps before changing DNS.

Guided enforcement walks users through p=none → p=quarantine → p=reject with percentage ramping. Each stage has clear success criteria and readiness gates.

Enforcement simulation is available in basic form on Protect (5 historical runs), full form on Enforce (50 runs with export and comparison), and unlimited on Enterprise (with approval workflows). Not available on the free Monitor plan. See guided enforcement for details.

One-click DNS rollback and safety nets

After any policy change, SpoofSentry can revert to the previous enforcement level within minutes via one-click rollback. Automated alerting monitors delivery metrics after every policy change. On Enterprise plans, automatic rollback can be triggered if failure rates exceed a configurable threshold.

Rollback is available for DNS changes made through SpoofSentry's DNS provider integrations (Cloudflare, AWS Route 53, Azure DNS, GoDaddy, Google Cloud DNS).

Dangling DNS detection and subdomain takeover prevention

SpoofSentry enumerates DNS records for each monitored domain and tests external references for liveness. CNAME records are probed for HTTP response signatures indicating unclaimed resources across cloud services (AWS S3, Heroku, GitHub Pages, Azure, Netlify, Vercel, and others). MX records are checked for responsive mail servers. SPF includes are validated for control verification.

Findings are classified by severity: critical (immediate takeover possible), high (decommissioned infrastructure), medium (ambiguous ownership). Continuous scanning detects new dangling records within hours. Alerts are sent via email, Slack, Microsoft Teams, or webhook.

A free scan of common subdomains is available at /tools/dangling-dns-checker. Full monitoring is available on Protect plans and above.

DNSSEC, DANE, and MTA-STS monitoring

SpoofSentry monitors DNSSEC signing status and chain-of-trust validation for each domain. DANE (DNS-Based Authentication of Named Entities) monitoring validates TLSA records that bind TLS certificates to DNS. MTA-STS policy checking verifies that transport security is correctly configured to prevent TLS downgrade attacks. TLS-RPT record validation confirms reporting is configured for transport security failures.

These checks are included in the Domain Security Score and are available on Protect plans and above.

MSSP multi-tenant management and white-label branding

SpoofSentry supports MSSP and MSP operations with multi-tenant architecture. Each customer tenant has strict data isolation — separate domains, users, policy settings, API access, and dashboard views. MSSPs get a portfolio dashboard showing DMARC enforcement status, domain security scores, and active threats across all customer tenants.

White-label branding is available on Enterprise plans: custom domain, logo, colors, branded reports and emails. MSSP tier limits:

  • Starter: 10 customers, 50 domains
  • Pro: 50 customers, 500 domains
  • Enterprise: unlimited

Portfolio analytics, scheduled reports, and bulk actions require MSSP Pro or Enterprise. See MSSP solution for details.

PSA, SIEM, and ChatOps integrations

SpoofSentry integrates with operational tools used by IT teams and MSSPs.

PSA/RMM integrations (Enterprise plan only): ConnectWise Manage, Autotask (Datto), HaloPSA. These create tickets automatically on posture changes, domain score drops, or new security findings.

SIEM integrations (Enforce plan and above): Splunk (including HEC), Microsoft Sentinel, Elastic, Datadog. Events are formatted in CEF and ECS with severity mapping.

ChatOps integrations (Enforce plan and above): Slack, Microsoft Teams, generic webhook. Real-time alerts on policy changes, new senders, score drops.

DNS provider integrations (all paid plans): Cloudflare, AWS Route 53, Azure DNS, GoDaddy, Google Cloud DNS. Enable preview, apply, verify, and rollback for DNS changes.

See integrations page for the full list.

Compliance reporting across nine frameworks

SpoofSentry generates compliance reports mapped to specific framework controls. Supported frameworks: SOC 2, ISO 27001, HIPAA, PCI DSS 4.0, GDPR, NIST 800-177, NIS2, NCSC CAF (UK), and ASD Essential Eight (Australia).

Reports include point-in-time compliance snapshots documenting SPF, DKIM, DMARC, MTA-STS, and BIMI configuration and enforcement history. Export as PDF bundles or structured data via API. HIPAA compliance pack (10 controls) with BAA availability is included on Enterprise plans.

Full compliance reporting is Enterprise-only. Enforce plan includes 6 frameworks.

Remediation playbooks with manual, semi-automatic, and automatic execution

SpoofSentry provides remediation playbooks for common email security issues: unauthorized sender remediation, DKIM key rotation, DMARC policy advancement (none→quarantine→reject), SPF lookup reduction, MTA-STS configuration, lookalike domain response, BIMI readiness, and dangling DNS remediation.

Execution modes are tiered by plan:

  • Monitor: no remediation access
  • Protect: manual playbooks (human-triggered DNS changes)
  • Enforce: semi-automatic (approval-based automation)
  • Enterprise: fully automatic with precondition checks, regression detection, and auto-pause safety gates

API access, webhook notifications, and third-party risk monitoring

SpoofSentry provides a REST API for programmatic access to domain scores, DMARC data, enforcement status, and tenant management. API access is available on Enforce and Enterprise plans.

Webhook notifications deliver real-time events for policy changes, new senders, and score drops to any HTTP endpoint, Slack, PagerDuty, or SOC tooling.

Third-party risk monitoring scans vendor domains for email security posture: 25 vendor domains on Enforce, unlimited on Enterprise. Vendor risk reports are exportable for procurement and due diligence.

Frequently asked questions

What protocols does SpoofSentry monitor?

DMARC (aggregate and forensic reports), SPF, DKIM, MTA-STS, TLS-RPT, DNSSEC, DANE, and BIMI. It also detects dangling DNS records that create subdomain takeover risk.

What does SpoofSentry NOT do?

SpoofSentry does not provide inbox-level email security (spam filtering, malware scanning, attachment sandboxing). It does not detect lookalike/typosquatting domains. It does not read or store email message content. It focuses on domain-level authentication, DNS posture, and enforcement — not email content inspection.

Is SpoofSentry a DMARC-only tool?

No. DMARC monitoring is one capability. SpoofSentry also covers SPF/DKIM management, MTA-STS/TLS-RPT, DNSSEC/DANE, dangling DNS detection, enforcement simulation, compliance reporting, and third-party vendor risk assessment.

What is the free tier?

The Monitor plan is free and includes 1 domain, DMARC aggregate report decoding, SPF and DKIM alignment visibility, 7-day data retention, a preview Domain Security Score, and access to 16 free diagnostic tools. It does not include alerts, remediation playbooks, enforcement simulation, or API access.

Which integrations require Enterprise?

PSA/RMM integrations (ConnectWise, Autotask, HaloPSA), MSSP white-label branding, Enterprise SSO (OIDC/SAML), and fully automatic remediation with approval workflows are Enterprise-only. SIEM integrations, ChatOps, webhooks, and DNS provider integrations are available on Enforce and above.

Does SpoofSentry support multi-tenant MSSP management?

Yes, on Enterprise plans. Each customer tenant has strict data isolation. MSSPs get a portfolio dashboard, branded client reporting, bulk operations, and PSA integration for ticket automation. MSSP tiers scale up to unlimited customers and domains.

What enforcement modes are available?

Four modes: preview (simulation without changes), manual (human-triggered DNS changes on Protect), semi-automatic (approval-based automation on Enforce), and fully automatic (with precondition checks and auto-pause on Enterprise).

Does SpoofSentry provide compliance reports?

Yes. Enterprise plans include compliance reports mapped to SOC 2, ISO 27001, HIPAA, PCI DSS 4.0, GDPR, NIST, NIS2, NCSC CAF, and ASD Essential Eight. Enforce plans include 6 frameworks. Reports include point-in-time snapshots with PDF export and API access.

Who built SpoofSentry?

SpoofSentry is a DomainSeal Labs product, built and operated by Netallion.

What is the SpoofSentry uptime target?

99.9% uptime target. Enterprise plans include SLA guarantees with defined uptime and response time commitments.

Check your domain for free

Run a domain security scan across DMARC, SPF, DKIM, DNSSEC, and dangling DNS — no account required.
