DMARCify
Security & Privacy

Your reports are yours.

DMARC reports describe who's sending mail as you. That's sensitive. Here's exactly how we handle them, what we encrypt, what we never touch, and who we let near them.

Per-domain isolation

Each monitored domain's reports live in its own SQLite-backed Durable Object. There is no shared SQL database where one tenant's query plan can touch another's rows.

Encrypted at rest, always TLS in transit

All storage backends (D1, KV, Durable Objects) are encrypted at rest by Cloudflare. The site is HSTS-preloaded and accepts modern TLS only.

EU + global data plane

Workers run worldwide. Durable Objects live in the region closest to the org owner's first request. Business customers can pin to EU regions.

No third-party trackers

No Segment, no FullStory, no behavioural analytics on the dashboard. The marketing site uses privacy-respecting Plausible — IPs are never logged.

Principle of least privilege

Auth is OTP + OAuth via better-auth. Org roles are owner / admin / viewer; viewers cannot mutate. Cloudflare access controls are MFA-required for production.

Open-source friendly stack

Built on Workers, Drizzle, better-auth, TanStack. No proprietary lock-in — every piece has a documented escape hatch.

The full data flow

Every byte, accounted for

Here's everything we store about you and your reports — nothing more.

Account data (D1)

Retention: Forever, until you delete your account.
  • Email address (required for sign-in)
  • Optional display name
  • OAuth IDs if you sign in with GitHub or Google
  • Session tokens (rotated, stored in KV, short-lived)
  • Audit-relevant timestamps: created, last digest sent

Organization data (D1)

Retention: Until the org is deleted by its owner.
  • Org name and slug
  • Member list and roles
  • Pending invitations (auto-expire after 7 days)
  • Monitored domain list, status, ingest token
  • Live DMARC TXT we observe at your apex (for drift detection)

DMARC report data (Durable Object per domain)

Retention: Generous default retention, set conservatively and tuned as the product grows. Exportable any time. Hard-deleted within 30 days of removing a domain.
  • Reporting receiver org (e.g. "google.com")
  • Report ID and date range
  • Source IPs and the row counts they sent
  • Policy evaluated (pass/fail/quarantine/reject)
  • SPF result + DKIM result + alignment flags
  • Header-From domain (when present)

IP enrichment (D1, shared cache)

Retention: Cached globally to avoid hitting upstream resolvers.
  • PTR record
  • ASN + ASN organisation
  • Country code

What we never do

  • We never read the contents of your reports for any purpose other than rendering your dashboard. No analytics on top of your data. No "industry benchmarks" derived from aggregated customer reports.
  • We never sell, share, or rent any data to third parties. Full stop.
  • We never train AI/ML models on your reports. Not ours, not anyone else's.
  • We never send marketing email through your monitored domains. The only mail we send from dmarcify.dev is account/digest mail — your domain never appears in our From: header.

Compliance

Where we stand on the paperwork

In place: GDPR-aligned

EU-based operation. EU customer data can be region-pinned on Business plans. Signed DPA available on request.

In place: CCPA-aligned

We act as a service provider, not a data broker. We don't sell personal information — there's no product line that would let us.

In progress: SOC 2 Type I

Type I audit underway with Vanta. Report available under NDA to Business customers once issued.

On the roadmap: SOC 2 Type II

The Type II observation window begins after Type I lands.

Roadmap: ISO 27001

Scoped; we'll start the formal audit once the customer mix justifies it. Drop us a line if you need it on your contract.

In place: HIPAA

Not in scope today. Email security@dmarcify.dev if you have a healthcare use case.

Vulnerability disclosure

Found a bug? Tell us.

We run a coordinated disclosure programme. Report anything you find to security@dmarcify.dev. We acknowledge within 24 hours, aim to fix critical issues within 30 days, and credit (or anonymise, your choice) every valid report.

We don't run a paid bounty programme yet, but we do hand out genuine thanks, a swag pack, and a permanent listing if you'd like one.

Privacy-respecting DMARC, by default.

Sign up, monitor your domain, leave any time. No lock-in, no data hoarding, no surprises.

No credit card · One DNS record · 60 seconds to set up