Everything you need. Nothing you don't.
DMARCify is built around three jobs: receive your reports reliably, decode them into something a human can act on, and warn you when something changes upstream.
| Domain | Status | Policy | Records | Pass rate | Last |
|---|---|---|---|---|---|
| acme.com | verified | reject 100% | 38,420 | 99% | today |
| send.acme.com | verified | quarantine 50% | 14,002 | 97% | today |
| newsletters.acme.com | verified | none | 5,210 | 88% | 1d ago |
| support.acme.com | verified | reject 100% | 1,212 | 100% | 2h ago |
| staging.acme.com | pending | none | 0 | — | — |
Reports arrive through a hardened email pipeline.
We generate a per-domain mailbox like r-XXX@dmarcify.dev. Receivers send aggregate XML there, Cloudflare Email Routing pipes it into a Worker, we parse and gunzip it (zip too, the standard is messy), then route the rows to the domain's Durable Object.
- Supports .xml, .xml.gz and .zip — the three formats the RFC permits
- Per-domain mailbox token, rotatable from the dashboard
- Hourly DNS re-check warns you if rua= drifts out of your record
- Self-test button sends a fake report through the real pipeline
DNS setup
Add this TXT record on acme.com's DNS.
| Type | TXT |
| Name | _dmarc.acme.com |
| Value | v=DMARC1; p=none; rua=mailto:r-01h8zk7tg9@dmarcify.dev |
Every source IP enriched with provider, ASN, country.
DMARC gives you an IP and a verdict. We give you a name.
- Reverse-DNS resolution per source — hostname surfaced inline
- ASN + ASN org + country code for every IP, cached and de-duplicated
- Match against a curated list of ~80 mail providers (Google, Microsoft 365, Mailgun, Postmark, SendGrid, AWS SES, Klaviyo, …)
- Flag emojis next to every sender — it's silly, it works
Authorized senders
3 sourcesRecognised services sending mail aligned with your domain. Working as intended.
| Source | From: | Provider / ASN | Country | Total | Pass | Fail | SPF | DKIM |
|---|---|---|---|---|---|---|---|---|
google-public-mail.l.google.com 209.85.220.41 | — | Google Workspace AS15169 | 🇺🇸US | 18,420 | 18,402 | 18 | 100% | 100% |
mail-relay.postmarkapp.com 50.31.156.6 | support.acme.com | Postmark AS22606 | 🇺🇸US | 7,211 | 7,211 | 0 | 100% | 100% |
o1.eu.mailhostbox.com 104.47.7.34 | — | Microsoft 365 AS8075 | 🇮🇪IE | 4,012 | 4,005 | 7 | 99% | 100% |
Forwarded mail
1 sourceDKIM-aligned but SPF-broken — the classic signature of a recipient mailbox forwarding your mail elsewhere.
| Source | From: | Provider / ASN | Country | Total | Pass | Fail | SPF | DKIM |
|---|---|---|---|---|---|---|---|---|
mx.fastmail.com 66.111.4.230 | — | Fastmail AS11403 | 🇺🇸US | 612 | 612 | 0 | 0% | 100% |
Unknown / unaligned sources
1 sourceSenders we don't recognise or that aren't aligning. Investigate before raising your DMARC policy.
| Source | From: | Provider / ASN | Country | Total | Pass | Fail | SPF | DKIM |
|---|---|---|---|---|---|---|---|---|
— 185.220.101.47 | ceo.acme.com | AS396982 | 🇳🇱NL | 84 | 0 | 84 | 0% | 0% |
Failures aren't all created equal.
We split your senders into three semantically distinct buckets so the failures that actually matter — not the ones every DMARC deployment ignores — rise to the top.
Recognised sender, aligned outcome. The healthy state — these are the senders you want to see, doing what they should.
google.com · 18,420 records · 100% SPF · 100% DKIMDKIM aligns but SPF doesn't. The fingerprint of a recipient mailbox forwarding mail elsewhere. Looks scary until you know what it is.
mx.fastmail.com · 612 records · 0% SPF · 100% DKIMThe bucket you actually need to read every week. Senders we can't attribute or that aren't aligning — investigate before tightening DMARC.
185.220.101.47 · 84 records · 0% passBuilt for teams, not just individuals.
Organisations & roles
Owner / admin / viewer roles. Invite by email — we handle the invitation flow. Switch orgs from the sidebar; one user can belong to many.
Weekly digest
Plain-text Monday email per user. Pass rate, top senders, anything new. Designed to be read on a phone in the elevator on the way in.
Drift alerts
If your rua= disappears from DNS — usually because someone hit 'reset to default' on the registrar — we surface a rua-mismatch warning on the domain and overview.
Email OTP & OAuth
Sign in with a 6-digit code, GitHub, or Google. No passwords to leak, no sessions that outlive the laptop they were issued on.
Edge-native
Workers + D1 + Durable Objects. Your dashboard loads in <100ms from anywhere — there's no region to pick, no instance size to choose.
What's coming next
We ship in public, and we don't list things we haven't started. Every item below is in flight or queued.
- shipping · this quarterBIMI assistant
Validate your VMC, preview your logo in major receivers, generate the BIMI record.
- shipping · this quarterMulti-tenant for agencies
Create and manage a separate organisation per client from one login. Ownership handoff, scoped invitations, volume discount across all your orgs.
- next · Q3MTA-STS / TLS-RPT monitoring
The other half of the email-deliverability story. Same dashboard.
- next · Q3Anomaly detection
Statistical baselines per sender — get pinged when an authorized service spikes 10x without warning.
- exploringForensic (RUF) reports
Per-message DMARC failure reports for the few receivers that still send them. Useful for incident response.
Stop guessing who sends mail as you.
Add one DNS record. Reports start arriving within 24 hours. €3 per domain per month, 14-day free trial, no card to start.