Features

DMARC on autopilot. You're still in full control.

Connect a DNS provider, add a domain — DMARCify does the rest. It pushes the TXT record, ingests every aggregate report, decodes the XML, attributes each source IP, classifies who's aligning and who isn't, and ramps your policy from p=none to p=reject the moment the data says it's safe. A short digest tells you what mattered. Everything else just runs.

app.dmarcify.dev/dashboard

Overview

Domains

4 verified · 1 pending

Issues

Fixable across your domains

Compliance

63%total

88%effective

Across 4 verified domains

Pass rate (30d)

98.7%

Domains

Show issues (3)Export CSV

Domain	Status	Policy	Records	Pass rate	Last
acme.com	verified	reject	38,420	99%	today
send.acme.com	verified	quarantine	14,002	97%	today
newsletters.acme.com	verified	none	5,210	88%	1d ago
support.acme.com	verified	reject	1,212	100%	2h ago
staging.acme.com	pending	none	0	—	—

AI auto-policy management

Ramp from `p=none` to `p=reject` without babysitting it.

The hardest part of a DMARC rollout isn't the first TXT record — it's deciding when it's safe to tighten the policy without accidentally bouncing legitimate mail. Turn on auto-policy and DMARCify watches alignment rates, sender mix, and forwarder traffic per domain, then promotes the policy the moment the data clears the bar. You stay in control: opt in per domain, set the guardrails, and we'll back off (or roll back) if something looks off.

Per-domain opt-in — the default is "recommend only"
Promotes only when alignment is stable across a configurable window
Honours pct= ramps so a fraction of mail is policy-applied first
Every change logged with the data that justified it — auditable, reversible
Pauses automatically if alignment drops or an unknown sender spikes

acme.com · auto-policy

enabled

p=noneDay 0
Monitor-only — receivers report, deliverability untouched.
p=quarantineDay 14 · auto
Alignment stable across all authorized senders. Promoted at pct=25, ramps to 100.
p=rejectDay 31 · autocurrent
Two clean weeks at quarantine. Promoted. Spoof attempts now bounce.

Pause auto-policy any time. Every promotion is logged with the alignment data that justified it.

Attribution

Every source IP enriched with provider, ASN, country.

DMARC gives you an IP and a verdict. We give you a name.

Reverse-DNS resolution per source — hostname surfaced inline
ASN + ASN org + country code for every IP, cached and de-duplicated
Match against a curated list of ~80 mail providers (Google, Microsoft 365, Mailgun, Resend, SendGrid, AWS SES, Klaviyo, …)
Header-From divergence flagged when a sender spoofs a cousin domain
Flag emojis next to every sender — it's silly, it works

app.dmarcify.dev/dashboard/domains/acme.com

acme.com

Status: verifiedDomain:rejectSubdomain:quarantine

Send test reportoverviewsetup

Reports (30d)

1,842

Records (30d)

38,420

Pass rate 99.4%

Last seen

14:08 today

Volume by day

aligned (pass) unaligned (fail)

Authorized senders

3 sources

Recognised services sending mail aligned with your domain. Working as intended.

Source	From:	Provider / ASN	Country	Total	Pass	Fail	SPF	DKIM
google-public-mail.l.google.com 209.85.220.41	—	Google Workspace AS15169	🇺🇸US	18,420	18,402	18	100%	100%
a48-100.smtp-out.amazonses.com 54.240.48.100	support.acme.com	Amazon SES AS14618	🇺🇸US	7,211	7,211	0	100%	100%
o1.eu.mailhostbox.com 104.47.7.34	—	Microsoft 365 AS8075	🇮🇪IE	4,012	4,005	7	99%	100%

Forwarded mail

1 source

DKIM-aligned but SPF-broken — the classic signature of a recipient mailbox forwarding your mail elsewhere.

Source	From:	Provider / ASN	Country	Total	Pass	Fail	SPF	DKIM
mx.fastmail.com 66.111.4.230	—	Fastmail AS11403	🇺🇸US	612	612	0	0%	100%

Unknown / unaligned sources

1 source

Senders we don't recognise or that aren't aligning. Investigate before raising your DMARC policy.

Source	From:	Provider / ASN	Country	Total	Pass	Fail	SPF	DKIM
— 185.220.101.47	ceo.acme.com	AS396982	🇳🇱NL	84	0	84	0%	0%

Categorisation

Failures aren't all created equal.

We split your senders into three semantically distinct buckets so the failures that actually matter — not the ones every DMARC deployment ignores — rise to the top. The auto-policy engine reads the same buckets, which is why it can ramp safely without you reviewing every report.

Authorized

Recognised sender, aligned outcome. The healthy state — these are the senders you want to see, doing what they should.

google.com · 18,420 records · 100% SPF · 100% DKIM

Forwarded

DKIM aligns but SPF doesn't. The fingerprint of a recipient mailbox forwarding mail elsewhere. Looks scary until you know what it is.

mx.fastmail.com · 612 records · 0% SPF · 100% DKIM

Unknown / unaligned

The bucket you actually need to read every week. Senders we can't attribute or that aren't aligning — investigate before tightening DMARC.

185.220.101.47 · 84 records · 0% pass

Setup

One credential, every zone. One click, the record's live.

Connect a DNS provider once — DMARCify caches every zone you can reach and pushes the per-domain DMARC TXT with a single click. No provider? Paste the value we generate and verification still flips on automatically.

Direct integrations for Cloudflare, Vercel, Azure DNS, GoDaddy, AWS Route 53, Google Cloud DNS
One credential covers your whole estate — 1 zone or 1,000, same flow
Per-domain rua mailbox generated automatically — no shared inbox to leak
Verification flips the moment we see your record live — no manual recheck
Already on another DMARC tool? Add ours alongside, compare, cut over when ready

app.dmarcify.dev/dashboard/providers

GoDaddy DNSRename

GoDaddy DNS · active

251 zones cached for one-click setup

RefreshDelete

Applies to

All domains

Every DMARCify domain this credential can reach.

Selected domains

Only the ones you tick below.

Paused

Keep the credential, do nothing for now.

Automatic management

Push approved DMARC changes within this scope without re-confirmation.

Save

Operations

Quiet by default. Loud only when something matters.

DMARCify is built so the dashboard's there when you want it — and ignorable when you don't. The pipeline runs, the policy ramps, and you only hear from us when there's a reason.

Organisations & roles

Owner / admin / viewer roles. Invite by email — we handle the invitation flow. Switch orgs from the sidebar; one user can belong to many.

Weekly (or daily) digest

Plain-text email per user — weekly by default, daily when you want it on Pro or Agency. Pass rate, top senders, anything new. Designed to be read on a phone in the elevator on the way in.

DNS drift alerts

Daily re-check of your DMARC TXT. If your rua= disappears — usually because someone hit 'reset to default' on the registrar — we surface a rua-mismatch warning on the domain and overview before you lose visibility.

Sortable, searchable everything

Overview across all domains with sort, search, filter. 30-day volume chart per domain with pass/fail split. Source IP table with provider, ASN, country, header-From.

Tenant isolation

Every read is scoped per organisation at the application layer. One tenant can never see another's reports — including ours.

EU-based, exportable

Operator's in the EU. Signed DPA on request. Export your reports any time straight from the dashboard — no lock-in, no support ticket required.

For agencies

One login. Every client. Your brand on every screen.

Agency turns DMARCify into a multi-tenant rollout platform. Spin up a separate organisation per client, white-label it with your brand, run the rollout, and hand the org back when you're done — the client keeps all the history.

Unlimited client organisations from one login
White-label per org: brand name, logo, primary colour, support email, optional custom domain
Per-organisation invitations and roles (owner / admin / viewer)
Org switcher in the dashboard for fast context-switching
Volume discount sums domains across every org you manage — your whole book, one tier
Hand off org ownership to the client when the rollout's done

Org switcher

25 domains · vol. tier

NT
Northwind Traders
4 domains · p=reject
active
CL
Contoso Logistics
12 domains · p=quarantine
FB
Fabrikam Beverages
2 domains · p=none → quarantine
AW
Adventure Works
7 domains · p=reject

Each org carries its own brand, members, and DNS provider connections. Domain count rolls up across the whole book.

Roadmap

What's coming next

We ship in public. Recently shipped at the top, in flight and queued below.

shippedAI auto-policy management
Per-domain auto-promotion from p=none → quarantine → reject, gated on alignment stability and sender mix. Opt-in, auditable, reversible.
shippedMulti-tenant for agencies
Manage a separate organisation per client from one login. Ownership handoff, scoped invitations, volume discount across all your orgs. White-label each client org with your brand name, logo, primary colour, support email and optional custom domain.
shippedAnomaly detection
Statistical baselines per sender — get pinged when an authorized service spikes 10x without warning.
shipping · this quarterMTA-STS / TLS-RPT monitoring
The other half of the email-deliverability story. Same dashboard.
exploringBIMI assistant
Validate your VMC, preview your logo in major receivers, generate the BIMI record.
shipping · this quarterForensic (RUF) reports
Per-message DMARC failure reports for the few receivers that still send them. Useful for incident response.

Stop guessing who sends mail as you.

Add one DNS record. Reports start arriving within 24 hours. From €5 per domain per month with a 14-day free trial — payment method required, cancel any time during the trial.

Start monitoring See pricing

One DNS record · 60 seconds to set up