Email trust and compliance

Google and Yahoo now reject mail from senders without DMARC. The path from p=none to p=reject is straightforward in theory and brutal in practice. PhishFence ingests your reports, finds every legitimate sender, and tells you the exact moment it is safe to tighten.

The attacker pattern

An attacker sends email claiming to be from ceo@example.com using a server you do not control. If your domain has no DMARC enforcement policy, most receivers deliver the message to the inbox without complaint. The recipient sees your real domain in the From: header, trusts the message, and gets phished. The attacker never had to register a lookalike. They used yours.

This is the other half of brand impersonation: not registering a fake version of your domain (see typosquatting) but spoofing the real one. Defense is publishing the right DNS records and enforcing them. The protocol stack is DMARC, SPF, DKIM, MTA-STS, and TLS-RPT. The hard part is getting to a policy strict enough to block attackers without blocking your own marketing email along the way.

Anatomy of direct domain spoofing

[Diagram: an attacker's SMTP server, not on your SPF list, sends a message with a forged From: ceo@example.com header to a recipient mailbox at Google, Microsoft or Yahoo. With no DMARC enforcement at example.com, the receiver has no policy to honor and delivers the message. The recipient sees the real domain, trusts it, and gets phished.]

How PhishFence gets you to enforcement

  1. Publish a DMARC record pointing reports at PhishFence

     One DNS record on _dmarc.[domain] with p=none and a rua address you control. Receivers start mailing daily aggregate reports within 24 hours; no traffic is filtered yet.

  2. Daily DMARC report ingest with sender attribution

     PhishFence parses every aggregate (rua) and forensic (ruf) report, deduplicates, and enriches each sending IP with PTR, ASN, and ESP attribution. Instead of staring at 209.85.220.41, you see "Google Workspace" or "SendGrid (acme-corp instance)." Unknown senders pop immediately.

  3. Posture score per domain across the full protocol stack

     A single score across DMARC, SPF, DKIM, MTA-STS, and TLS-RPT tells you exactly which records are weak, which are missing, and which ones attackers love to exploit. The dashboard ranks gaps by impact so you fix what matters first instead of chasing every yellow check.

  4. Enforcement wizard gated on real alignment

     The wizard refuses to advance you from p=none to quarantine until every real sender you have marked as allowed is currently aligning on SPF or DKIM. The same gate applies from quarantine to reject. No more guessing whether tomorrow's marketing email gets blocked.

  5. MTA-STS and TLS-RPT close the transport-layer gap

     PhishFence generates a valid MTA-STS policy plus matching DNS records so mail to your domain is delivered over TLS only. The companion TLS-RPT receiver parses failure reports from receivers, so a quiet downgrade attack never slips past you. Both are required for the strictest sender-requirement frameworks.
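As an added example (not PhishFence code), this is the core of steps 2 and 4 in Python: parsing an RFC 7489 aggregate report into per-source pass rates, flagging senders you have not allow-listed, and gating a policy advance on every allowed sender aligning. The report XML, the IP set, the allow-list and the 99% threshold are all constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _record(ip, count, spf, dkim):
    # One <record> in RFC 7489 aggregate-report shape; policy_evaluated carries the
    # *aligned* SPF/DKIM verdicts, which is what the DMARC result is decided on.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            "<identifiers><header_from>example.com</header_from></identifiers></record>")

# Constructed sample (not a real receiver's report): a fully aligned sender, an ESP
# whose own envelope-from fails aligned SPF but mostly signs DKIM, and an unknown host.
SAMPLE_REPORT = ("<feedback><policy_published><domain>example.com</domain>"
                 "<p>none</p></policy_published>"
                 + _record("209.85.220.41", 14203, "pass", "pass")
                 + _record("198.21.6.187", 2800, "fail", "pass")
                 + _record("198.21.6.187", 41, "fail", "fail")
                 + _record("185.220.101.34", 87, "fail", "fail")
                 + "</feedback>")

def summarize(xml_text):
    """Per source IP: message total and aligned SPF / DKIM / DMARC pass counts."""
    stats = defaultdict(lambda: {"total": 0, "spf": 0, "dkim": 0, "dmarc": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ip, n = row.findtext("source_ip"), int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        spf_ok = ev.findtext("spf") == "pass"
        dkim_ok = ev.findtext("dkim") == "pass"
        s = stats[ip]
        s["total"] += n
        s["spf"] += n * spf_ok
        s["dkim"] += n * dkim_ok
        s["dmarc"] += n * (spf_ok or dkim_ok)   # either aligned identifier passes DMARC
    return dict(stats)

def pass_rate(s, field):
    return round(100 * s[field] / s["total"], 1)

def unknown_senders(stats, allowed_ips):
    """IPs seen in reports that you have not marked as allowed: spoofers or forgotten tools."""
    return sorted(ip for ip in stats if ip not in allowed_ips)

def ready_to_advance(stats, allowed_ips, min_rate=99.0):
    """Gate for p=none -> quarantine -> reject: every allowed sender must show a
    DMARC pass on at least min_rate (assumed threshold) of its recent mail."""
    blockers = sorted(ip for ip in allowed_ips
                      if ip not in stats or pass_rate(stats[ip], "dmarc") < min_rate)
    return not blockers, blockers
```

Run `ready_to_advance(summarize(SAMPLE_REPORT), {"209.85.220.41", "198.21.6.187"})` and the ESP comes back as the blocker, which is exactly the situation the wizard's Status line describes.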

What it looks like in PhishFence

Recommended next action: Publish MTA-STS to clear the transport-layer gap.

DMARC grade: B (68/100)
  • SPF is alignment-clean; DKIM signed by 3 selectors
  • MTA-STS missing · downgrade attack risk

Posture: DMARC · SPF · DKIM · BIMI · MTA-STS · TLS-RPT

The Email Security dashboard leads with a "Next Action" recommendation backed by a posture strip across six protocols (DMARC, SPF, DKIM, BIMI, MTA-STS, TLS-RPT), plus the DMARC grade letter (A+ through F) so you have a single benchmark figure to track over time.

Sending sources · example.com · Past 7 days · 4 sources

Source IP        Country  rDNS                         ASN                     Total   SPF   DKIM  DMARC
209.85.220.41    US       mail-sor-f41.google.com      Google LLC, AS15169     14,203  100%  100%  100%
198.21.6.187     US       o1.email.sendgrid.net        SendGrid Inc, AS11377   2,841   99%   100%  99%
3.222.114.7      US       o2.us-east-1.amazonses.com   Amazon.com, AS14618     412     100%  100%  100%
185.220.101.34   DE       -                            unknown, AS396982       87      0%    0%    0%

Every sending IP from your DMARC reports is enriched with reverse DNS, ASN org, and country code so you see "Google LLC" or "SendGrid" instead of a raw IP. Pass-rate columns let you spot a sender misconfiguring DKIM (high SPF, low DKIM) vs an outright spoofer (zero pass everywhere) at a glance.

Enforcement wizard · example.com · DMARC enforcement rollout

Rollout progress

  1. Audit
  2. Observe (p=none)
  3. Quarantine 10%
  4. Ramp to 100%
  5. Reject
  6. Done

Status: "marketing-tool@acme-newsletter.com" shows SPF pass but DKIM fail in 12% of last week's reports. Fix the DKIM selector record, wait 24 hours, and the wizard will surface the Advance button.

The wizard walks you through six steps from initial audit to full p=reject. At every step it reads your recent DMARC reports and refuses to surface the "Advance" button until every allowed sender is aligning. That stops you from breaking real mail on a Friday afternoon.

Common pitfalls to avoid

  • Publishing p=reject on day one. Tempting because it is the strict policy, but most domains have at least one legitimate sender that is not aligning yet (a marketing tool with the wrong SPF include, a transactional sender DKIM-signing with the wrong selector). Going straight to reject silently drops real mail. Always sit at p=none for at least a week first.

  • SPF PermError: too many DNS lookups. RFC 7208 caps SPF evaluation at 10 DNS lookups including nested includes. Google Workspace plus SendGrid plus Mailchimp blows past the cap on its own. The fix is SPF flattening: resolve all the includes at publish time into a static list of IP ranges, which counts as one lookup. Use the SPF flattener in the Related tools section below.

  • Confusing SPF / DKIM pass with DMARC alignment. A message can pass SPF and still fail DMARC if the SPF-authenticated domain does not match the From: header domain. Strict alignment requires exact match; relaxed alignment allows subdomain match. Most receivers default to relaxed. If you publish strict alignment without checking your senders first, every ESP using its own envelope-from will fail DMARC even though SPF passes.

  • Ignoring TLS-RPT. MTA-STS by itself enforces TLS, but you only learn about delivery failures if you publish a TLS-RPT record and someone is parsing the reports. A quiet downgrade attack (or an MTA misconfiguration on the receiver's side) silently drops messages until somebody notices. PhishFence parses TLS-RPT reports automatically; turn it on the same day you publish the MTA-STS policy.
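The alignment pitfall above, worked through in Python as an added example (not PhishFence code): raw SPF and DKIM results are combined with the From: domain under relaxed or strict alignment to produce the DMARC verdict. The `AuthResult` structure, the ESP envelope-from domain, and the two-label organizational-domain shortcut are assumptions made for this example.

```python
from dataclasses import dataclass

def org_domain(domain):
    # Simplification: RFC 7489 uses the Public Suffix List to find the organizational
    # domain. Taking the last two labels is wrong for suffixes like co.uk, but it is
    # enough to show how relaxed alignment differs from strict.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    """mode is the DMARC tag value: 'r' (relaxed, aspf/adkim default) or 's' (strict)."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    if mode == "s":
        return a == h                        # strict: exact domain match
    return org_domain(a) == org_domain(h)    # relaxed: same organizational domain

@dataclass
class AuthResult:
    header_from: str    # domain of the RFC5322.From header the recipient sees
    spf_domain: str     # envelope-from (MAIL FROM) domain that SPF was checked against
    spf_pass: bool
    dkim_domain: str    # d= tag of the verified DKIM signature, '' if none verified
    dkim_pass: bool

def dmarc_pass(r, aspf="r", adkim="r"):
    """DMARC passes when at least one passing mechanism is also aligned with From:.
    A raw SPF or DKIM pass on an unaligned domain counts for nothing."""
    spf_aligned = r.spf_pass and aligned(r.spf_domain, r.header_from, aspf)
    dkim_aligned = (r.dkim_pass and bool(r.dkim_domain)
                    and aligned(r.dkim_domain, r.header_from, adkim))
    return bool(spf_aligned or dkim_aligned)
```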

Which PhishFence tier?

The Email Security Free tier covers one domain forever, fine for a single primary domain with low sender complexity. Starter at $20/month (5 domains) is the right fit for most SMBs running a primary domain plus a couple of brand subdomains or international variants. Pro at $69/month (20 domains) adds higher-volume report ingest plus forensic (ruf) detail for the deep-dive incident postmortems. Business at $399/month (100 domains) is for enterprises and MSPs managing many domains at scale. Brand Protection is a separate subscription line; you can run either product on its own.