DMARC Monitoring That
Locks Down Your Sending Domain
Stop spoofing at the source.
DMARC monitoring, SPF and DKIM compliance, MTA-STS monitoring, and TLS-RPT failure reports. In one place. Get to p=reject without breaking your real mail.
Tiers up to 100 domains. See the four-tier breakdown below.
Free on 1 domain. Paid tiers up to 100 domains. No base plan required. Sold separately from Brand Protection.
Email security posture
yourdomain.com
92
Compliance
Four standalone tiers, sized to your domain footprint
All tiers ship the same feature set today. The difference is monitored-domain capacity.
Free
For trying it on one domain
1 domain
- Authentication monitoring
- DMARC, SPF, DKIM, MTA-STS, TLS-RPT & BIMI monitoring
- Who's sending as you, with ESP attribution
- Posture & enforcement
- Enforcement wizard + known senders
- SPF record builder + flattener
- Reports
- Aggregate + forensic (RUF) reports, last 7 days
- 7-day report + known-sender history
Starter
For small teams with multiple domains
5 domains
- Authentication monitoring
- Up to 5 monitored domains
- DMARC, SPF, DKIM, MTA-STS, TLS-RPT & BIMI monitoring
- Who's sending as you, with ESP attribution
- Posture & enforcement
- Enforcement wizard + known senders
- SPF record builder + flattener
- Reports & retention
- Aggregate + forensic (RUF) reports
- Full forensic history + 365-day reports
- Detection & AI
- Anomaly detection (4 classes) + alerts
- AI DMARC root-cause analysis
Pro
RecommendedFor mid-size companies with many sending domains
20 domains
- Authentication monitoring
- Up to 20 monitored domains
- DMARC, SPF, DKIM, MTA-STS, TLS-RPT & BIMI monitoring
- Who's sending as you, with ESP attribution
- Posture & enforcement
- Enforcement wizard + known senders
- SPF record builder + flattener
- Reports & retention
- Aggregate + forensic (RUF) reports
- Full forensic history + 365-day reports
- Higher-volume report ingest
- Detection & AI
- Anomaly detection (4 classes) + alerts
- AI DMARC root-cause analysis
Business
For enterprises and MSPs at scale
100 domains
- Authentication monitoring
- Up to 100 monitored domains
- DMARC, SPF, DKIM, MTA-STS, TLS-RPT & BIMI monitoring
- Who's sending as you, with ESP attribution
- Posture & enforcement
- Enforcement wizard + known senders
- SPF record builder + flattener
- Reports & retention
- Aggregate + forensic (RUF) reports
- Full forensic history + 365-day reports
- Highest-volume report ingest
- Detection & AI
- Anomaly detection (4 classes) + alerts
- AI DMARC root-cause analysis
- Scale
- Built for MSPs & high-volume senders
No base plan requiredEmail Security is sold separately from Brand Protection. Lookalike monitoring lives on its own /pricing page.
Free vs paid: what's included
Every account gets the full monitoring and enforcement toolset free on 1 domain. Paid tiers add depth: full report history, anomaly alerting, AI analysis, and more domains.
| Feature | Free | Starter | Pro | Business |
|---|---|---|---|---|
| Monthly price | $0 | $20 | $69 | $399 |
| Monitored domains | 1 | 5 | 20 | 100 |
| DMARC, SPF & DKIM monitoring | ||||
| MTA-STS + TLS-RPT monitoring | ||||
| Enforcement wizard (p=none to p=reject) | ||||
| Known senders + ESP attribution | ||||
| SPF record builder + flattener | ||||
| Forensic (RUF) report history | 7 days | Full | Full | Full |
| Report + known-sender history | 7 days | 365 days | 365 days | 365 days |
| Anomaly detection (4 classes) + alerts | ||||
| AI DMARC root-cause analysis |
Free includes the full monitoring, posture, and enforcement toolset on 1 domain. Paid tiers add full report history, anomaly alerting, and AI root-cause analysis, and scale to more domains. All data you send is retained; upgrading unlocks the full history instantly. Anomaly alerts are delivered by email, Slack, Teams, and webhook.
The full email-authentication stack
One subscription covers the protocols mail receivers actually check: DMARC, SPF, DKIM, MTA-STS, TLS-RPT, and BIMI readiness.
DMARC report ingest
Aggregate (RUA) and forensic (RUF) reports parsed automatically. See exactly which senders pass and fail, broken down by ESP, IP, and country.
Enforcement wizard
Step-by-step walk from p=none to p=reject. We tell you when it is safe to advance. Not on a calendar, but when your real senders are aligned.
MTA-STS guidance + monitoring
Generate the correct DNS records and policy file, then publish them at mta-sts.yourdomain.com. We monitor the published policy daily and alert on drift, expired policies, or MX mismatches.
TLS-RPT failure reports
RFC 8460 aggregate TLS failure reports parsed and bucketed by cause. Certificate-host-mismatch, expired-certificate, STS-policy-mismatch. Catch broken delivery before customers do.
Known senders & ESP attribution
Every unknown source IP is labeled automatically against our ESP CIDR dictionary (Google Workspace, SendGrid, Mailchimp, Postmark, hundreds more). Tag the legit ones as known senders and the enforcement wizard advances on its own once your real traffic is aligning. PhishFence is a monitoring tool: tagging a sender doesn't block anything, it just tells the wizard "this one's mine, don't hold me back."
Up to 365 days of history
Paid tiers keep a full year of reports to explore: trend SPF/DKIM alignment over time, prove compliance for an audit, or trace when a misconfigured sender first started leaking. Free covers the most recent 7 days.
Built for these specific threats
Need lookalike domain monitoring? See Brand Protection →
Frequently asked
What is DMARC monitoring?
How is PhishFence Email Security different from Postmark's DMARC Digests?
Do I need to publish DNS records to use Email Security?
What happens when my DMARC reports arrive at PhishFence?
Can I see the historical data after ingestion?
Get from p=none to p=reject. Safely.
Most domains never advance past p=none because the operator is afraid of breaking real mail. Our enforcement wizard takes the guesswork out.
Free on 1 domain. Paid tiers from $20/mo (5 domains) up to $399/mo (100 domains). Standalone subscription. No Brand Protection plan required. Cancel anytime.