out of the 5.5m domains I scanned, 2.7% with published SPF records have errors that cause a permerror result

the most common: exceeding the 10 dns lookup limit

when SPF returns permerror, it's treated as a fail

DMARC then checks DKIM alignment as a fallback

but if that's also misconfigured, the entire authentication chain collapses

the worst part: no bounce message tells the sender "your SPF has a lookup error"

https://dmarcguard.io/tools/spf-checker/

#DMARC #EmailSecurity

SPF Record Checker | DMARCguard

Parse every mechanism, count DNS lookups against the RFC 7208 limit of 10, and flag common misconfigurations.

DMARCguard
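
The lookup limit described in the post above, as an added example (not DMARCguard's code): a static worst-case count of the SPF terms that trigger DNS queries, following `include` and `redirect` recursively. The zone data and domain names are constructed, and macros and the separate void-lookup limit are not modelled.

```python
import re

# Constructed TXT records standing in for live DNS; all names are made up.
ZONE = {
    "ok.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example mx -all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.0/24 a:out.mail.example ~all",
    "big.example": "v=spf1 "
    + " ".join(f"include:s{i}.vendor.example" for i in range(6)) + " -all",
    **{f"s{i}.vendor.example": f"v=spf1 include:n{i}.vendor.example ~all"
       for i in range(6)},
    **{f"n{i}.vendor.example": "v=spf1 ip4:203.0.113.0/24 ~all" for i in range(6)},
}

LIMIT = 10  # RFC 7208 section 4.6.4

# Terms that cost a DNS query: include, a, mx, ptr, exists, and redirect=.
# ip4, ip6 and all cost nothing.
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)(?::([^/\s]+))?"
    r"|^redirect=(\S+)",
    re.I,
)


def count_lookups(domain, zone=ZONE, path=frozenset()):
    """Count DNS-querying terms reachable from domain's SPF record."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        m = LOOKUP_TERM.match(term)
        if not m:
            continue
        total += 1  # the term itself costs one query
        kind, target, redirect = m.groups()
        if redirect or kind.lower() == "include":
            # nested records are charged against the same budget
            total += count_lookups(redirect or target, zone, path | {domain})
    return total


def spf_result(domain, zone=ZONE):
    """Return ("permerror" | "ok", lookup_count) for the constructed zone."""
    n = count_lookups(domain, zone)
    return ("permerror" if n > LIMIT else "ok", n)
```

`big.example` lists only six `include` terms, yet each nested record adds another, which is how a record that looks short still crosses the limit.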

your email headers contain the entire authentication story

most people never read them

- SPF result
- DKIM signature verification
- DMARC evaluation
- ARC chain status
- receiving server identity

I built the email header analyzer to parse this automatically

get a structured breakdown:

- which checks passed
- which failed
- where the message was routed from
- and what each hop did to the authentication chain

https://dmarcguard.io/tools/email-header-analyzer/

#DMARC #EmailSecurity

Email Header Analyzer | DMARCguard

Paste raw email headers to decode authentication results, trace the delivery path, and check sender alignment -- entirely in your browser.

DMARCguard

why DMARCguard costs $3.9/domain when the big names charge $200+ for fewer features

dmarcian charges $240/mo for 8 domains and covers 5 protocols

EasyDMARC gutted their free tier

PowerDMARC offers 6 protocols at $15/mo with capped emails

DMARCguard Pro is $6.9/domain with 9 protocols

๐—ณ๐—ผ๐˜‚๐—ป๐—ฑ๐—ถ๐—ป๐—ด ๐—บ๐—ฒ๐—บ๐—ฏ๐—ฒ๐—ฟ๐˜€ ๐—น๐—ผ๐—ฐ๐—ธ ๐—ถ๐—ป $๐Ÿฏ.๐Ÿต/๐—ฑ๐—ผ๐—บ๐—ฎ๐—ถ๐—ป/๐—บ๐—ผ ๐—ณ๐—ผ๐—ฟ๐—ฒ๐˜ƒ๐—ฒ๐—ฟ

bootstrap means no VC board demanding 10x ARR

https://dmarcguard.io/blog/easydmarc-alternative/

#DMARC #EmailSecurity

EasyDMARC Alternative: Why Teams Are Switching in 2026 | DMARCguard

Comparing the best EasyDMARC alternatives for 2026. Protocol coverage, pricing, free tiers, and a step-by-step migration guide.

DMARCguard

DKIM (RFC 6376) alignment failures are silent killers

the `d=` value in the DKIM signature must align with the `From` header domain for DMARC to pass DKIM alignment

- your ESP signs with `d=esp.example.com`
- but your `From` address is `[email protected]`

the signature is valid

the cryptography checks out

but DMARC alignment fails because the domains don't match

verify your DKIM alignment

not just signature validity

https://dmarcguard.io/tools/dkim-checker/

#DMARC #EmailSecurity

DKIM Record Checker | DMARCguard

Look up DKIM public keys by selector, verify key sizes against RFC 8301, and check algorithm compliance.

DMARCguard

FYI: Gmail username change is live - and it could break your login system: Google on March 31 enabled Gmail username changes for U.S. users, creating authentication risks for platforms using email as the primary user identifier. https://ppc.land/gmail-username-change-is-live-and-it-could-break-your-login-system/ #Gmail #UsernameChange #Google #Authentication #EmailSecurity

PPC Land

mxcheck v2.0.0 is released! 🎉

My open source email server scanner written in #Golang just hit a major version milestone.

New in v2.0.0:
- DANE/TLSA checks per MX host (RFC 6698, RFC 7672)
- Full DMARC parsing
- TLSRPT + BIMI record checks
- TLS cert details
- Extended ASN info
- Improved CLI output + --verbose flag

go install github.com/steffenfritz/[email protected]

https://github.com/steffenfritz/mxcheck

#OpenSource #EmailSecurity #InfoSec #DMARC #DANE #kali

GitHub - steffenfritz/mxcheck: mxcheck is an info and security scanner for e-mail servers.

mxcheck is an info and security scanner for e-mail servers. - steffenfritz/mxcheck

GitHub

PCI DSS 4.0 section 5.4.1: anti-phishing controls are now mandatory

if your organization processes card payments, this applies to you

since march 2025, PCI DSS 4.0 requires mechanisms to detect and protect against phishing

DMARC at enforcement is the most direct technical control you can implement

it prevents attackers from spoofing your exact domain in phishing emails targeting your customers & employees

don't wait for the audit

https://dmarcguard.io/learn/pci-dss/

#DMARC #EmailSecurity

PCI DSS 4.0 DMARC Requirement [2026] | DMARCguard

PCI DSS v4.0 Section 5.4.1 requires anti-phishing controls including DMARC, SPF, and DKIM. Learn what changed, compliance deadlines, and how to implement.

DMARCguard

quick poll for email admins: what's your current dmarc policy?

- [ ] p=none (monitoring only)
- [ ] p=quarantine
- [ ] p=reject (full enforcement)
- [ ] I don't have one yet
- [ ] i'm not sure

most of the 5.5m domains I scanned don't have one at all

if you're at p=none and unsure when to move to enforcement, the honest answer is

depends on how long you've been collecting reports and whether you've identified all your senders

https://dmarcguard.io/tools/dmarc-checker/

#DMARC #EmailSecurity

DMARC Record Checker | DMARCguard

Validate your DMARC policy and get actionable recommendations. All checks run in your browser -- nothing is sent to our servers.

DMARCguard

the DMARC market has a coverage problem nobody talks about

most DMARC vendors monitor 3-5 protocols: DMARC, SPF, DKIM, maybe BIMI, maybe MTA-STS

ARC (RFC 8617) matters because mailing lists and forwarding break DKIM

DANE (RFC 7671) matters because it pins TLS certificates via DNSSEC

TLS-RPT (RFC 8460) matters because you need to know when encrypted delivery fails

if you're monitoring half the stack, you're monitoring half the picture

https://dmarcguard.io/learn/arc/

#DMARC #EmailSecurity

ARC Authentication Chain Guide [2026] | DMARCguard

ARC preserves email authentication through forwarding. Learn how ARC-Seal, ARC-Message-Signature, and ARC-Authentication-Results work. RFC 8617 guide.

DMARCguard