DMARC Watch

Read your DMARC reports before someone spoofs you

Point your domain's rua tag at an address we host. Google, Microsoft, and Yahoo mail you XML telemetry about every message claiming to be you; we parse it into a dashboard, a weekly digest, and four alerts that matter.

Flat packs for MSPs managing 10 to 120 domains. No per-mail metering, no 100 EUR floor.

Sample alert
Domain
client-shop.example
Rule
New failing source
Source
203.0.113.7
Volume
142 messages, all failing
Advice
Looks like spoofing. Not in your SPF, no DKIM signature.

How it works

  1. Add a domain. You get a unique ingest address like rua-a1b2c3@inboxbot.email and a copy-paste DNS record.
  2. Publish the record. Mailbox providers start mailing aggregate reports within a day.
  3. We parse every report: sending sources, SPF and DKIM results, dispositions, volumes.
  4. You get a per-domain dashboard, a Monday digest, and alerts for the four situations worth waking up for.

The transport is store-and-forward SMTP: report senders retry for days, so nothing is lost to maintenance windows.

The four alerts

  1. New failing source. An IP you have never seen sends aligned-failing mail above threshold: the signature of a spoofing run.
  2. Pass rate drop. Week-over-week alignment fell more than ten points: a broken DKIM key or a forgotten SPF include.
  3. Report flow stopped. Seven days of silence usually means somebody edited the DNS record.
  4. Ready for enforcement. A month at p=none with a clean pass rate: time to move to p=quarantine.

Pricing

PlanDomainsPer month
Free10 €Start free
Solo38 €Subscribe
Team1019 €Subscribe
MSP5049 €Subscribe
MSP+12089 €Subscribe

Free keeps 30 days of raw data; paid plans keep 90 days of raw records and rollups forever. Billing runs through Polar.sh with a self-serve customer portal.

Questions

Why do I need this at all?

Since 2024 the large mailbox providers require SPF, DKIM, and a DMARC policy from bulk senders, and Microsoft now rejects non-compliant high-volume mail outright. Publishing a policy without reading the reports is a smoke detector with no speaker.

Where does my data live?

On our own hardware in the EU. Reports contain source IP addresses; raw records are kept 90 days, daily rollups indefinitely, and you can export everything as CSV.

What about forensic (ruf) reports?

Not ingested. Almost no provider sends them and they carry message content; aggregate reports are the useful, privacy-sane signal.

Do you send mail on my behalf?

No. We only receive telemetry about mail others claim you sent.