Skip to main content
Email Security

DMARC Monitoring That
Locks Down Your Sending Domain

Stop spoofing at the source.

DMARC monitoring, SPF and DKIM compliance, MTA-STS monitoring, and TLS-RPT failure reports. In one place. Get to p=reject without breaking your real mail.

From $20 /month · free on 1 domain

Tiers up to 100 domains. See the four-tier breakdown below.

No base plan required

Free on 1 domain. Paid tiers up to 100 domains. No base plan required. Sold separately from Brand Protection.

Choose your tier

Four standalone tiers, sized to your domain footprint

All tiers ship the same feature set today. The difference is monitored-domain capacity.

Free

For trying it on one domain

$0 /mo

1 domain

  • Authentication monitoring
  • DMARC, SPF, DKIM, MTA-STS, TLS-RPT & BIMI monitoring
  • Who's sending as you, with ESP attribution
  • Posture & enforcement
  • Enforcement wizard + known senders
  • SPF record builder + flattener
  • Reports
  • Aggregate + forensic (RUF) reports, last 7 days
  • 7-day report + known-sender history

Starter

For small teams with multiple domains

$20 /mo

5 domains

  • Authentication monitoring
  • Up to 5 monitored domains
  • DMARC, SPF, DKIM, MTA-STS, TLS-RPT & BIMI monitoring
  • Who's sending as you, with ESP attribution
  • Posture & enforcement
  • Enforcement wizard + known senders
  • SPF record builder + flattener
  • Reports & retention
  • Aggregate + forensic (RUF) reports
  • Full forensic history + 365-day reports
  • Detection & AI
  • Anomaly detection (4 classes) + alerts
  • AI DMARC root-cause analysis

Pro

Recommended

For mid-size companies with many sending domains

$69 /mo

20 domains

  • Authentication monitoring
  • Up to 20 monitored domains
  • DMARC, SPF, DKIM, MTA-STS, TLS-RPT & BIMI monitoring
  • Who's sending as you, with ESP attribution
  • Posture & enforcement
  • Enforcement wizard + known senders
  • SPF record builder + flattener
  • Reports & retention
  • Aggregate + forensic (RUF) reports
  • Full forensic history + 365-day reports
  • Higher-volume report ingest
  • Detection & AI
  • Anomaly detection (4 classes) + alerts
  • AI DMARC root-cause analysis

Business

For enterprises and MSPs at scale

$399 /mo

100 domains

  • Authentication monitoring
  • Up to 100 monitored domains
  • DMARC, SPF, DKIM, MTA-STS, TLS-RPT & BIMI monitoring
  • Who's sending as you, with ESP attribution
  • Posture & enforcement
  • Enforcement wizard + known senders
  • SPF record builder + flattener
  • Reports & retention
  • Aggregate + forensic (RUF) reports
  • Full forensic history + 365-day reports
  • Highest-volume report ingest
  • Detection & AI
  • Anomaly detection (4 classes) + alerts
  • AI DMARC root-cause analysis
  • Scale
  • Built for MSPs & high-volume senders

No base plan requiredEmail Security is sold separately from Brand Protection. Lookalike monitoring lives on its own /pricing page.

Free vs paid: what's included

Every account gets the full monitoring and enforcement toolset free on 1 domain. Paid tiers add depth: full report history, anomaly alerting, AI analysis, and more domains.

Feature Free Starter Pro Business
Monthly price $0 $20 $69 $399
Monitored domains 1 5 20 100
DMARC, SPF & DKIM monitoring
MTA-STS + TLS-RPT monitoring
Enforcement wizard (p=none to p=reject)
Known senders + ESP attribution
SPF record builder + flattener
Forensic (RUF) report history 7 days Full Full Full
Report + known-sender history 7 days 365 days 365 days 365 days
Anomaly detection (4 classes) + alerts
AI DMARC root-cause analysis

Free includes the full monitoring, posture, and enforcement toolset on 1 domain. Paid tiers add full report history, anomaly alerting, and AI root-cause analysis, and scale to more domains. All data you send is retained; upgrading unlocks the full history instantly. Anomaly alerts are delivered by email, Slack, Teams, and webhook.

Everything you need

The full email-authentication stack

One subscription covers the protocols mail receivers actually check: DMARC, SPF, DKIM, MTA-STS, TLS-RPT, and BIMI readiness.

DMARC report ingest

Aggregate (RUA) and forensic (RUF) reports parsed automatically. See exactly which senders pass and fail, broken down by ESP, IP, and country.

Enforcement wizard

Step-by-step walk from p=none to p=reject. We tell you when it is safe to advance. Not on a calendar, but when your real senders are aligned.

MTA-STS guidance + monitoring

Generate the correct DNS records and policy file, then publish them at mta-sts.yourdomain.com. We monitor the published policy daily and alert on drift, expired policies, or MX mismatches.

TLS-RPT failure reports

RFC 8460 aggregate TLS failure reports parsed and bucketed by cause. Certificate-host-mismatch, expired-certificate, STS-policy-mismatch. Catch broken delivery before customers do.

Known senders & ESP attribution

Every unknown source IP is labeled automatically against our ESP CIDR dictionary (Google Workspace, SendGrid, Mailchimp, Postmark, hundreds more). Tag the legit ones as known senders and the enforcement wizard advances on its own once your real traffic is aligning. PhishFence is a monitoring tool: tagging a sender doesn't block anything, it just tells the wizard "this one's mine, don't hold me back."

Up to 365 days of history

Paid tiers keep a full year of reports to explore: trend SPF/DKIM alignment over time, prove compliance for an audit, or trace when a misconfigured sender first started leaking. Free covers the most recent 7 days.

Use cases

Built for these specific threats

Need lookalike domain monitoring? See Brand Protection →

Frequently asked

What is DMARC monitoring?
DMARC monitoring means ingesting the daily aggregate reports that mail receivers (Gmail, Microsoft, Yahoo, etc.) send to the rua address you publish in your DMARC record, then parsing those reports into a dashboard so you can see every IP that sent mail claiming to be your domain, broken down by ESP and pass/fail status. It is the only practical way to detect domain spoofing in real time and to ramp safely from p=none to p=reject.
How is PhishFence Email Security different from Postmark's DMARC Digests?
Postmark's DMARC Digests product is free but covers a single domain. PhishFence Email Security covers up to 5 domains for $20/month, and also ingests forensic (RUF) reports, generates your MTA-STS DNS records and policy file and monitors the live policy for drift, parses TLS-RPT failure reports bucketed by cause, and includes an enforcement wizard that walks you from p=none to p=reject when your real senders are actually aligned. If you only need a single-domain DMARC digest, Postmark works. If you operate multiple domains or want TLS-RPT and MTA-STS in the same product, PhishFence is the broader fit.
Do I need to publish DNS records to use Email Security?
Yes, three of them. (1) A DMARC TXT record at _dmarc.yourdomain with rua= pointing to the PhishFence ingest address so receivers send their daily reports to us. (2) A TLS-RPT TXT record at _smtp._tls.yourdomain with rua= pointing to the same so we can collect TLS failure reports. (3) For MTA-STS, you publish a policy file at https://mta-sts.yourdomain/.well-known/mta-sts.txt and a TXT record at _mta-sts.yourdomain declaring the policy ID. Our generator outputs both for copy-paste; we monitor your live policy and alert on drift. The product walks you through each one and verifies they resolve.
What happens when my DMARC reports arrive at PhishFence?
Each aggregate (RUA) report is dedup-checked, validated against the publishing org, and parsed into per-IP records. Source IPs are labeled against our ESP CIDR dictionary (Google Workspace, SendGrid, Mailchimp, hundreds more) so you immediately see whether an unknown sender is a known ESP or something suspicious. The records feed your compliance score, the enforcement wizard's safe-to-advance logic, and any alert rules you have configured. Forensic (RUF) reports are parsed the same way and surfaced individually.
Can I see the historical data after ingestion?
Yes. Every report we ingest is retained for 365 days and surfaced in your dashboard with drill-down by domain, ESP, country, and time range. You can trend SPF/DKIM alignment over time, prove compliance posture for an audit, or trace when a misconfigured sender first started leaking.

Get from p=none to p=reject. Safely.

Most domains never advance past p=none because the operator is afraid of breaking real mail. Our enforcement wizard takes the guesswork out.

Free on 1 domain. Paid tiers from $20/mo (5 domains) up to $399/mo (100 domains). Standalone subscription. No Brand Protection plan required. Cancel anytime.