Authentication service · From €79/month

DMARC managed service

From DNS record publication to full p=reject enforcement, with the report ingestion and senders-mapping work done for you. Most organizations move from no DMARC to enforcement in 6\u201310 weeks. Pricing from €79/month per domain.

Start with free DMARC check See pricing →

DMARC stopped being optional in February 2024

In October 2023, Gmail and Yahoo announced new bulk sender requirements. Effective February 2024, senders of more than 5,000 emails per day to either provider must publish DMARC at minimum p=none, with SPF or DKIM aligned authentication. Non-compliance no longer means worse inbox placement. It means outright rejection of mail at scale.

Microsoft has progressively tightened throughout 2025. Apple Mail's privacy treatment of pixel tracking has indirectly pushed senders toward more verifiable authentication signals. The direction of travel is unambiguous: every domain that sends mail at any meaningful volume needs to be DMARC-compliant, and the bar will continue to rise.

For most organizations, DMARC implementation is harder than it looks for a specific reason: it surfaces every sender using your domain, and most organizations have more senders than they think. Marketing platforms, CRM systems, support ticket tools, transactional email providers, internal IT infrastructure, contractor tools, sometimes shadow-IT marketing automation no one centrally tracks. DMARC at p=reject without first mapping all of these is a near-guaranteed delivery incident.

What our managed service actually does

Phase 1 — Setup (Week 1)
  • Audit existing SPF and DKIM configuration
  • Identify obvious authentication gaps (broken DKIM, SPF over 10 lookups, etc.)
  • Publish DMARC TXT record at p=none with reporting addresses pointed at our ingestion endpoint
  • Configure subdomain policy (sp=none) and reporting interval
  • Verify DNS propagation and first reports arriving
Phase 2 — Monitoring and mapping (Weeks 2–6)
  • Daily ingestion of DMARC RUA aggregate reports from all reporting mailbox providers
  • Optional RUF forensic report ingestion (Standard and Premium plans)
  • Sender identification: each unique source IP / signing domain identified by service
  • Authentication remediation: SPF additions, DKIM signing setup at each legitimate source
  • Weekly status report showing percent of mail authenticating correctly
  • Identification of unauthorized abuse attempts (typically present at any domain with brand recognition)
Phase 3 — Progression to enforcement (Weeks 6–10)
  • Move to p=quarantine with pct=10, then pct=50, then pct=100 over 2–3 weeks
  • Monitor for any newly-discovered legitimate senders that surface during enforcement
  • Final progression to p=reject when authentication coverage is complete
  • Subdomain policy (sp=reject) hardened in parallel
  • Documentation of final state for audit purposes
Phase 4 — Ongoing maintenance (monthly)
  • Continued report ingestion and review
  • New sender detection: catches new marketing platforms or CRM additions before they break alignment
  • Abuse pattern monitoring: spikes in unauthorized authentication attempts
  • Monthly review meeting with your team (Standard and Premium plans)
  • BIMI implementation roadmap (Premium plan) once enforcement is established

Pricing

Three plans plus custom. All include the implementation work, not just monitoring. The recurring cost is for the ongoing maintenance, which is the part that protects the implementation from regressing.

Starter
€79/month

1 domain

  • Single domain
  • Aggregate (RUA) reports
  • Quarterly review meeting
  • Email support
  • p=none → p=reject in 6–10 weeks
Most popular
Standard
€149/month

Up to 3 domains

  • Up to 3 domains
  • Aggregate + forensic (RUF) reports
  • Monthly review meeting
  • Priority email and chat support
  • Subdomain policy management
  • Slack integration for alerts (optional)
Premium
€299/month

Up to 10 domains

  • Up to 10 domains
  • Full report processing
  • BIMI implementation roadmap
  • Dedicated technical account manager
  • Bi-weekly check-ins
  • Phone and video support
  • Custom alert routing
Enterprise
Custom

10+ domains

  • Unlimited domains
  • SIEM integration
  • Custom SLA
  • EU-Sovereign tier compatible
  • API access for internal tooling
  • Quarterly executive reporting

Pricing per month, billed quarterly. Annual prepayment receives 10% discount. Setup is included — no separate implementation fee. Cancellation requires 30 days notice; no minimum contract length.

What you receive each month

  • DMARC posture summary. Current policy, percent of mail authenticating, top 5 sources by volume, any new senders detected.
  • Abuse and unauthorized sending report. What unauthorized sources attempted to send as your domain in the last 30 days.
  • Recommended actions. If anything changed (new sender to authenticate, abuse pattern to investigate, ISP behavior change), the prioritized next step.
  • Review meeting (Standard, Premium, Enterprise). 30 minutes to walk through the report with our analyst and answer questions.

When self-managed DMARC makes sense

If your organization has a single sending source (one transactional provider, no marketing tooling, no shadow IT), DIY DMARC is reasonable. Configure SPF, sign with DKIM, publish DMARC at p=none, monitor reports for two months, progress to p=reject. The work is straightforward at that complexity level.

If your organization has 3+ sending sources, contractor tools, or any history of acquisitions that brought in additional senders, self-managed DMARC is harder than it looks. The reports themselves are not difficult to read; the project management of bringing every legitimate source into alignment without breaking anything is where time gets consumed. The managed service exists because that work is more efficient when concentrated, not because the underlying technology is complicated.

Start with a free DMARC check

Tell us your domain. We'll check your current DMARC, SPF, and DKIM posture and send you a 1-page report with the gaps. No commitment. If we identify a useful service fit, we'll mention it; if not, you have the report.

Request free DMARC check