DMARCify
Security & Privacy

Your reports are yours.

DMARC reports describe who's sending mail as you. That's sensitive. Here's exactly how we handle them, what we encrypt, what we never touch, and who we let near them.

Encrypted at rest, always TLS in transit

All storage backends are encrypted at rest. The site is HSTS-preloaded, modern TLS only.

EU + global data plane

Compute runs worldwide. Each org's data lives in the region closest to the owner's first request. Business customers can pin to EU regions.

Principle of least privilege

Auth is OTP + OAuth. Org roles are owner / admin / viewer; viewers cannot mutate. Production access is MFA-required and audited.

Open protocols, no lock-in

Standard protocols all the way down: DMARC as specified in RFC 7489, plain SMTP for report ingest, SQL for retrieval. No proprietary tags, and every byte is exportable on request.

The full data flow

Every byte, accounted for

Here's everything we store about you and your reports — nothing more.

Account data

Retention: Until you delete your account.
  • Email address (required for sign-in)
  • Optional display name
  • OAuth IDs if you sign in with GitHub or Google
  • Session tokens (rotated, short-lived)
  • Audit-relevant timestamps: created, last digest sent

Organization data

Retention: Until the org is deleted by its owner.
  • Org name and slug
  • Member list and roles
  • Pending invitations (auto-expire after 7 days)
  • Monitored domain list, status, ingest token
  • Live DMARC TXT record we observe at _dmarc.<your domain> (for drift detection)

DMARC report data

Retention: The default retention period is set conservatively and reviewed as the product grows. Exportable any time. Hard-deleted within 30 days of removing a domain.
  • Reporting receiver org (e.g. "google.com")
  • Report ID and date range
  • Source IPs and the row counts they sent
  • Policy evaluated: disposition (none/quarantine/reject) and the receiver's aligned DKIM/SPF verdict (pass/fail)
  • SPF result + DKIM result + alignment flags
  • Header-From domain (when present)
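The fields listed above are the ones an RFC 7489 aggregate report carries. The following is an added example, not DMARCify's ingest code, of a parser that pulls exactly those fields out of a report, recomputes DKIM/SPF alignment from auth_results, and bounds the decompressed size because reports are untrusted input mailed in by third parties. The sample report, the 16 MiB cap and the relaxed-alignment shortcut (subdomain match instead of a Public Suffix List lookup) are assumptions of the example.

```python
import gzip
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass

MAX_REPORT_BYTES = 16 * 1024 * 1024  # assumed cap: reports are untrusted third-party input

# Constructed sample, not a real report. Row 1 is aligned mail; row 2 is a third party
# whose SPF passes for its own domain but is not aligned with the Header-From.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
 <report_metadata><org_name>google.com</org_name><report_id>1234567890</report_id>
  <date_range><begin>1700000000</begin><end>1700086399</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>42</count><policy_evaluated>
   <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>mail.example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count><policy_evaluated>
   <disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>mailer.invalid</domain><result>pass</result></spf></auth_results></record>
</feedback>"""
SAMPLE_REPORT_GZ = gzip.compress(SAMPLE_REPORT)  # receivers gzip or zip the attachment

@dataclass(frozen=True)
class ReportRow:
    source_ip: str
    count: int
    disposition: str    # none / quarantine / reject
    dmarc_dkim: str     # receiver's aligned DKIM verdict (pass / fail)
    dmarc_spf: str      # receiver's aligned SPF verdict (pass / fail)
    header_from: str
    dkim_aligned: bool  # recomputed here from auth_results
    spf_aligned: bool

@dataclass(frozen=True)
class AggregateReport:
    org_name: str
    report_id: str
    begin: int
    end: int
    policy_domain: str
    rows: tuple

def _text(el, path, default=None):
    node = el.find(path)
    return node.text.strip() if node is not None and node.text else default

def _aligned(auth_domain, header_from, mode):
    # Relaxed mode approximated as "same domain or a subdomain of the Header-From";
    # RFC 7489 compares organizational domains, which needs the Public Suffix List.
    if not auth_domain or not header_from:
        return False
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "s" else (a == h or a.endswith("." + h))

def parse_report(data: bytes) -> AggregateReport:
    if data[:2] == b"\x1f\x8b":  # gzip magic
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            data = gz.read(MAX_REPORT_BYTES + 1)  # bounded read, never an unbounded gz.read()
    if len(data) > MAX_REPORT_BYTES:
        raise ValueError("report exceeds size cap")
    # stdlib expat does not fetch external entities; prefer defusedxml in production
    root = ET.fromstring(data)
    if root.tag != "feedback":
        raise ValueError("not a DMARC aggregate report")
    adkim = _text(root, "policy_published/adkim", "r")
    aspf = _text(root, "policy_published/aspf", "r")
    rows = []
    for rec in root.findall("record"):
        hf = _text(rec, "identifiers/header_from", "")
        dkim_ok = any(_text(d, "result") == "pass" and _aligned(_text(d, "domain"), hf, adkim)
                      for d in rec.findall("auth_results/dkim"))
        spf_ok = any(_text(s, "result") == "pass" and _aligned(_text(s, "domain"), hf, aspf)
                     for s in rec.findall("auth_results/spf"))
        rows.append(ReportRow(
            source_ip=_text(rec, "row/source_ip", ""),
            count=int(_text(rec, "row/count", "0")),
            disposition=_text(rec, "row/policy_evaluated/disposition", "none"),
            dmarc_dkim=_text(rec, "row/policy_evaluated/dkim", "fail"),
            dmarc_spf=_text(rec, "row/policy_evaluated/spf", "fail"),
            header_from=hf, dkim_aligned=dkim_ok, spf_aligned=spf_ok))
    return AggregateReport(
        org_name=_text(root, "report_metadata/org_name", ""),
        report_id=_text(root, "report_metadata/report_id", ""),
        begin=int(_text(root, "report_metadata/date_range/begin", "0")),
        end=int(_text(root, "report_metadata/date_range/end", "0")),
        policy_domain=_text(root, "policy_published/domain", ""),
        rows=tuple(rows))

def unaligned_volume(report: AggregateReport) -> dict:
    # Source IPs whose mail failed both alignments, with counts: spoofing or a forgotten sender.
    return {r.source_ip: r.count for r in report.rows if not (r.dkim_aligned or r.spf_aligned)}
```

Note the distinction the second record makes visible: auth_results reports a raw SPF pass for mailer.invalid, but because that domain is not aligned with the Header-From, the receiver's policy_evaluated SPF verdict is fail and the disposition is quarantine. Anything built on these reports must key off the aligned verdicts, not the raw SPF/DKIM results.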

IP enrichment (shared cache)

Retention: Cached globally (shared across orgs, not tied to any org's reports) so repeated lookups don't hit upstream resolvers.
  • PTR record
  • ASN + ASN organisation
  • Country code

What we never do

  • We never read the contents of your reports for any purpose other than rendering your dashboard. No analytics on top of your data. No "industry benchmarks" derived from aggregated customer reports.
  • We never sell, share, or rent any data to third parties. Full stop.
  • We never train AI/ML models on your reports. Not ours, not anyone else's.
  • We never send marketing email through your monitored domains. The only mail we send from dmarcify.dev is account/digest mail — your domain never appears in our From: header.

Vulnerability disclosure

Found a bug? Tell us.

We run a coordinated disclosure programme. Report anything you find to security@dmarcify.dev. We acknowledge within 24 hours, aim to fix critical issues within 30 days, and credit (or anonymise, your choice) every valid report.

We don't run a paid bounty programme yet, but we do hand out genuine thanks, a swag pack, and a permanent listing if you'd like one.

Privacy-respecting DMARC, by default.

Sign up, monitor your domain, leave any time. No lock-in, no data hoarding, no surprises.

One DNS record · 60 seconds to set up