Compliance & Third-Party Risk

SpoofSentry produces compliance evidence mapped to major security frameworks, monitors third-party domain risk for vendor due diligence, and generates executive-ready posture reports. Evidence is point-in-time, exportable, and auditor-friendly.

Evidence bundles

SpoofSentry generates point-in-time evidence bundles that document your email authentication posture. Each bundle includes the current state of SPF, DKIM, DMARC, MTA-STS, and BIMI records, enforcement history showing policy progression over time, DMARC report summaries with pass/fail rates, and Domain Security Score snapshots with per-dimension breakdowns.

Bundles are exportable as PDF for auditor review or as structured JSON via API for integration with GRC platforms. Evidence is timestamped and includes the data collection methodology so auditors can verify the scope. Bundles can be generated on demand or scheduled for recurring delivery.

Framework mapping: NCSC CAF, ASD Essential Eight, and more (Enforce+; full coverage on Enterprise)

Compliance reports map SpoofSentry findings to specific framework controls. Supported frameworks: SOC 2 (CC6.1, CC7.2), ISO 27001 (A.13.2, A.14.1, using the ISO/IEC 27001:2013 Annex A numbering), HIPAA (45 CFR 164.312), PCI DSS 4.0, GDPR (Article 32), NIST CSF, NIS2, NCSC CAF, and ASD Essential Eight.

Each control mapping shows the current compliance status (met, partially met, not met), the evidence supporting that assessment, and remediation guidance for gaps. Full mapping across every supported framework requires Enterprise; Enforce plans include six of the frameworks.

Healthcare and HIPAA compliance (Enterprise)

SpoofSentry provides a dedicated HIPAA compliance pack covering 10 controls related to email authentication and transport security. The pack documents SPF, DKIM, and DMARC enforcement status, MTA-STS transport encryption policy, and TLS-RPT reporting configuration as they relate to the HIPAA Security Rule requirements for transmission security (45 CFR 164.312(e)(1)).

A Business Associate Agreement (BAA) is available on Enterprise plans. The HIPAA evidence bundle is formatted for submission to compliance officers and external auditors, with control-level mapping and gap analysis.

Third-party domain risk monitoring (Enforce+)

SpoofSentry monitors the email security posture of third-party vendor domains. For each vendor domain, SpoofSentry checks SPF, DKIM, DMARC, MTA-STS, and DNSSEC configuration and produces a Domain Security Score. Vendor domains that lack enforcement (for example, DMARC at p=none or no DMARC record at all) or that have misconfigured records are flagged as risks to your supply chain.

Vendor risk reports are exportable for procurement and due diligence workflows. Enforce plans include monitoring for 25 vendor domains. Enterprise plans include unlimited vendor domains. Alerts are sent when a monitored vendor's posture degrades.

Supplier incidents

When a monitored vendor domain experiences a security posture change (for example, DMARC policy downgrade, SPF record removal, or DKIM key expiration), SpoofSentry creates a supplier incident linked to the affected vendor. Supplier incidents are tracked in the same incident queue as your own domain threats, with dedicated filtering for third-party issues.

Supplier incidents include the vendor domain, the specific change detected, the business impact assessment (which of your domains interact with this vendor), and suggested response actions. This gives procurement and security teams actionable intelligence when a vendor's email security degrades.
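The vendor checks and the supplier-incident triggers described above, as an added example that is not SpoofSentry's own code: it parses SPF, DMARC and DKIM TXT records from two constructed snapshots of a hypothetical vendor.example domain (no DNS lookups are made; every record value and selector name is made up) and emits one incident per regression found. It goes slightly beyond the page's list by also ranking the SPF "all" qualifier and honouring the DMARC pct= tag, because a vendor can weaken enforcement without removing a record.

```python
# Added example (not SpoofSentry code): diff two constructed DNS snapshots and
# raise supplier incidents for DMARC downgrade, SPF removal, DKIM revocation.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}  # higher is stricter
SPF_ALL_RANK = {"+": 0, "?": 1, "~": 2, "-": 3}


@dataclass(frozen=True)
class Incident:
    vendor: str  # vendor domain the change was observed on
    kind: str    # machine-readable type, used for queue filtering
    detail: str  # human-readable description


def parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_state(txt: Optional[str]) -> Optional[Tuple[str, int]]:
    """Return (policy, pct) for a valid DMARC record, else None."""
    if not txt:
        return None
    tags = parse_tags(txt)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in DMARC_RANK:
        return None  # v= and p= are mandatory (RFC 7489)
    try:
        pct = int(tags.get("pct", "100"))  # pct<100 weakens an unchanged p=
    except ValueError:
        pct = 100
    return policy, pct


def spf_state(txt: Optional[str]) -> Optional[str]:
    """Qualifier of the SPF 'all' term; '?' if absent (RFC 7208 neutral); None if no record."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            return qualifier
    return "?"


def dkim_state(txt: Optional[str]) -> Optional[str]:
    """'active', 'revoked' (empty p=, RFC 6376), or None if the selector is absent."""
    if not txt:
        return None
    return "revoked" if parse_tags(txt).get("p", "") == "" else "active"


def compare(vendor: str, before: dict, after: dict) -> List[Incident]:
    """Diff two snapshots {'spf': txt, 'dmarc': txt, 'dkim': {selector: txt}}."""
    found: List[Incident] = []
    old_d, new_d = dmarc_state(before.get("dmarc")), dmarc_state(after.get("dmarc"))
    if old_d and not new_d:
        found.append(Incident(vendor, "dmarc_removed", "DMARC record removed or invalid"))
    elif old_d and new_d and (DMARC_RANK[new_d[0]], new_d[1]) < (DMARC_RANK[old_d[0]], old_d[1]):
        found.append(Incident(vendor, "dmarc_downgrade", f"DMARC {old_d} -> {new_d}"))
    old_s, new_s = spf_state(before.get("spf")), spf_state(after.get("spf"))
    if old_s and not new_s:
        found.append(Incident(vendor, "spf_removed", "SPF record removed or invalid"))
    elif old_s and new_s and SPF_ALL_RANK[new_s] < SPF_ALL_RANK[old_s]:
        found.append(Incident(vendor, "spf_weakened", f"SPF all qualifier {old_s} -> {new_s}"))
    for sel, old_txt in before.get("dkim", {}).items():
        old_k, new_k = dkim_state(old_txt), dkim_state(after.get("dkim", {}).get(sel))
        if old_k == "active" and new_k is None:
            found.append(Incident(vendor, "dkim_selector_removed", f"selector {sel} no longer published"))
        elif old_k == "active" and new_k == "revoked":
            found.append(Incident(vendor, "dkim_key_revoked", f"selector {sel} publishes an empty p="))
    return found


# Constructed snapshots for a hypothetical vendor domain (not real data).
BEFORE = {
    "spf": "v=spf1 include:_spf.mail.vendor.example -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor.example",
    "dkim": {"s1": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"},
}
AFTER = {
    "spf": None,
    "dmarc": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@vendor.example",
    "dkim": {"s1": "v=DKIM1; k=rsa; p="},
}


def demo() -> List[Incident]:
    return compare("vendor.example", BEFORE, AFTER)


if __name__ == "__main__":
    for inc in demo():
        print(f"[{inc.kind}] {inc.vendor}: {inc.detail}")
```

Running the script reports three incidents for the constructed change: a DMARC downgrade from p=reject to p=quarantine at pct=50, removal of the SPF record, and revocation of the s1 DKIM key. MTA-STS and DNSSEC are not covered here, and a real monitor would query the authoritative name servers on a schedule rather than trust a cached resolver, so that a change is noticed as soon as it is published rather than after the old record's TTL expires.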

Executive reports (Enforce+) and posture scorecard

SpoofSentry generates executive-level reports that summarize email security posture without technical jargon. The posture scorecard presents the overall Domain Security Score, enforcement status, threat activity, and trend direction in a single-page format suitable for board reporting or management review.

Executive reports can be scheduled for recurring delivery (weekly, monthly, quarterly) and are available as branded PDFs. For MSSP partners, portfolio-level executive reports aggregate posture across all customer tenants. Reports include period-over-period comparison so leadership can see whether security posture is improving, holding, or degrading.

Generate compliance evidence in minutes

Map your email authentication posture to SOC 2, ISO 27001, HIPAA, and six more frameworks.
