Email Security

Lock down your sending domain.
Stop spoofing at the source.

DMARC monitoring, SPF and DKIM compliance, MTA-STS hosted policy, and TLS-RPT failure reports — in one place. Get to p=reject without breaking your real mail.

$20 /month · or $200/year (save $40)
No base plan required
Start monitoring → See all plans

Up to 3 domains. No base plan required. Included in Business.

Everything you need

The full email-authentication stack

One subscription covers the protocols mail receivers actually check: DMARC, SPF, DKIM, MTA-STS, TLS-RPT, and BIMI readiness.

DMARC report ingest

Aggregate (RUA) and forensic (RUF) reports parsed automatically. See exactly which senders pass and fail, broken down by ESP, IP, and country.

Enforcement wizard

Step-by-step walk from p=none to p=reject. We tell you when it is safe to advance — not on a calendar, but when your real senders are aligned.

MTA-STS hosted policy

We host the policy file at mta-sts.yourdomain.com. You add one CNAME and one TXT, and inbound mail starts requiring TLS.

TLS-RPT failure reports

RFC 8460 aggregate TLS failure reports parsed and bucketed by cause — certificate-host-mismatch, expired-certificate, STS-policy-mismatch. Catch broken delivery before customers do.

Sender allowlist & ESP attribution

Every unknown source IP is labeled automatically against our ESP CIDR dictionary — Google Workspace, SendGrid, Mailchimp, Postmark, hundreds more. Tag the legit ones and the wizard advances on its own.

365 days of history

Every report we ingest is kept for a year. Trend SPF/DKIM alignment over time, prove compliance for an audit, or trace when a misconfigured sender first started leaking.

Compare

Standalone, or paired with a plan

Email Security covers email. Starter, Pro, and Business add lookalike domain monitoring, takedown tools, and screenshots.

Email Security only

For senders who already trust their domain

  • DMARC + SPF + DKIM
  • MTA-STS + TLS-RPT
  • Enforcement wizard
  • No lookalike monitoring
  • No screenshots

$20/mo

Start monitoring

Pro + Email Security

For brands fighting both email and domain spoofing

  • Everything in Email Security
  • Up to 10 monitored domains
  • Lookalike domain detection
  • Site screenshots + visual diff
  • Takedown tools

$119/mo

See Pro details

Business (all-in)

For teams that want it all in one bill

  • Email Security included
  • Up to 100 monitored domains
  • Team access (10 members)
  • Audit log export
  • NIS 2, DORA, HIPAA, PCI ready

$299/mo

See Business details

Frequently asked

What is DMARC monitoring?
DMARC monitoring means ingesting the daily aggregate reports that mail receivers (Gmail, Microsoft, Yahoo, etc.) send to the rua address you publish in your DMARC record, then parsing those reports into a dashboard so you can see every IP that sent mail claiming to be your domain, broken down by ESP and pass/fail status. It is the only practical way to detect domain spoofing in real time and to ramp safely from p=none to p=reject.
How is PhishFence Email Security different from Postmark's DMARC Digests?
Postmark's DMARC Digests product is free but covers a single domain. PhishFence Email Security covers up to 3 domains for $20/month, and also ingests forensic (RUF) reports, runs MTA-STS hosted policy on your behalf, parses TLS-RPT failure reports bucketed by cause, and includes an enforcement wizard that walks you from p=none to p=reject when your real senders are actually aligned. If you only need a single-domain DMARC digest, Postmark works. If you operate multiple domains or want TLS-RPT and MTA-STS in the same product, PhishFence is the broader fit.
Do I need to publish DNS records to use Email Security?
Yes, three of them. (1) A DMARC TXT record at _dmarc.yourdomain with rua= pointing to the PhishFence ingest address so receivers send their daily reports to us. (2) A TLS-RPT TXT record at _smtp._tls.yourdomain with rua= pointing to the same so we can collect TLS failure reports. (3) For MTA-STS, a CNAME for mta-sts.yourdomain pointing at PhishFence (we host the policy file) and a TXT at _mta-sts.yourdomain with the policy ID. The product walks you through each one and verifies they resolve.
What happens when my DMARC reports arrive at PhishFence?
Each aggregate (RUA) report is dedup-checked, validated against the publishing org, and parsed into per-IP records. Source IPs are labeled against our ESP CIDR dictionary (Google Workspace, SendGrid, Mailchimp, hundreds more) so you immediately see whether an unknown sender is a known ESP or something suspicious. The records feed your compliance score, the enforcement wizard's safe-to-advance logic, and any alert rules you have configured. Forensic (RUF) reports are parsed the same way and surfaced individually.
Can I see the historical data after ingestion?
Yes. Every report we ingest is retained for 365 days and surfaced in your dashboard with drill-down by domain, ESP, country, and time range. You can trend SPF/DKIM alignment over time, prove compliance posture for an audit, or trace when a misconfigured sender first started leaking.

Get from p=none to p=reject — safely.

Most domains never advance past p=none because the operator is afraid of breaking real mail. Our enforcement wizard takes the guesswork out.

Start monitoring → Check your DMARC record (free)

$20/month or $200/year. Up to 3 domains. Cancel anytime.