
SpoofSentry Threat Intelligence: From DMARC Reports to Actionable Intelligence

DMARC reports tell you what happened. Threat intelligence tells you what to do about it.

April 18, 2026 · 8 min read

The problem: DMARC data alone is not enough

DMARC aggregate reports are the foundation of email security visibility. They tell you which IPs are sending email as your domain, whether SPF and DKIM passed, and what policy was applied. But they stop there.

A DMARC report showing a failing IP at 185.234.xx.xx tells you authentication failed. It does not tell you whether that IP is a known bulletproof hosting provider used in phishing campaigns, whether someone just issued an SSL certificate for a lookalike of your domain, or whether your legitimate sender's behavior has shifted in a way that suggests account compromise.

That gap between raw authentication data and operational intelligence is where attacks succeed. We built SpoofSentry Threat Intelligence to close it.

What we built

Threat Intelligence ships in three waves, all now live. Pro plans get threat enrichment, forecasting, and sender profiling. Enterprise plans add STIX/TAXII export for SOC integration.

  • Wave 1: IP reputation enrichment, Certificate Transparency monitoring, and automated takedown lifecycle management
  • Wave 2: Domain security score forecasting and sender behavioral profiling with anomaly detection
  • Wave 3: STIX 2.1 serialization and a built-in TAXII 2.1 server for enterprise SIEM integration

IP reputation enrichment

Every source IP that appears in your DMARC reports is now automatically enriched from three reputation databases: AbuseIPDB, Spamhaus, and Google Safe Browsing. Results are cached and refreshed on a rolling basis so lookups never block report processing.

In the Threat Signals dashboard, each IP displays a reputation badge: clean, suspicious, or malicious. When a known-bad IP sends email as your domain, SpoofSentry automatically upgrades the alert severity. Instead of a generic "SPF fail" alert that might sit in your queue for days, you get a critical alert with context: this IP has been reported 847 times for phishing activity across 12 countries.

The practical impact is triage speed. Security teams consistently report that context-rich alerts reduce mean time to respond from hours to minutes because the "is this actually malicious?" investigation is already done.

Certificate Transparency monitoring

Attackers often register lookalike domains and immediately provision SSL certificates to make their phishing sites look legitimate. Certificate Transparency (CT) logs are a public record of every certificate issued by participating CAs, which means they are an early warning system if you know how to watch them.

SpoofSentry polls crt.sh every 6 hours for certificates matching your monitored domains and their common lookalike patterns. When a suspicious certificate appears — such as one issued for your-domain-secure.com or yourdoma1n.com — an alert is created in the CT Monitor dashboard.

From the alert detail page, you can review the certificate issuer, validity period, and subject alternative names. If the certificate is clearly malicious, a single click escalates it into a takedown request. The takedown system then files abuse reports with the registrar, hosting provider, and certificate authority simultaneously. A recheck worker re-verifies the target every few hours and automatically closes the takedown when the threat is confirmed removed.

Score forecasting

Your domain's DMARC Debt Score reflects your current security posture, but security is a trajectory, not a snapshot. Score forecasting uses weighted linear regression across your historical compliance data to project where your score is heading at 30, 60, and 90 days.

Navigate to any domain's detail page to see the forecast chart. The model weights recent data more heavily than older observations, so it responds quickly to policy changes and sender authorization decisions. Each projection includes a confidence interval so you can distinguish between strong trends and noisy data.

This is particularly useful for enforcement planning. If your forecast shows your score reaching the "reject-ready" threshold in 45 days, you can schedule your enforcement progression with confidence. If the trajectory is flat or declining, the forecast highlights which factors are dragging the score down so you know where to focus remediation.
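The projection described above, worked through as an added example (this is not SpoofSentry's code; the exponential age weighting, its 14-day half-life and the sample history are constructed assumptions):

```python
from datetime import date, timedelta

def weighted_linear_fit(days, scores, half_life=14.0):
    """Weighted least-squares line through (day, score) points.

    Each observation's weight halves for every `half_life` days of age, so the
    newest data dominates the fit (the half-life is a constructed parameter, not
    SpoofSentry's). Returns (slope per day, intercept at day 0).
    """
    newest = max(days)
    w = [0.5 ** ((newest - d) / half_life) for d in days]
    sw = sum(w)
    mx = sum(wi * d for wi, d in zip(w, days)) / sw
    my = sum(wi * s for wi, s in zip(w, scores)) / sw
    sxx = sum(wi * (d - mx) ** 2 for wi, d in zip(w, days))
    sxy = sum(wi * (d - mx) * (s - my) for wi, d, s in zip(w, days, scores))
    slope = sxy / sxx if sxx else 0.0
    return slope, my - slope * mx

def forecast(history, horizons=(30, 60, 90), half_life=14.0):
    """history: list of (date, score) pairs with scores on a 0..100 scale.

    Returns {horizon_in_days: projected_score}, clamped to 0..100 because a
    straight-line projection will otherwise run past the ends of the scale.
    """
    base = min(d for d, _ in history)
    days = [(d - base).days for d, _ in history]
    scores = [s for _, s in history]
    slope, intercept = weighted_linear_fit(days, scores, half_life)
    last = max(days)
    return {h: max(0.0, min(100.0, intercept + slope * (last + h))) for h in horizons}

# Constructed history: 60 days of a steady +0.5/day climb starting at 40.
HISTORY = [(date(2026, 1, 1) + timedelta(days=i), 40 + 0.5 * i) for i in range(60)]
```

With a half-life of 14 days an observation four weeks old carries a quarter of the weight of today's, which is why a recent policy change moves the projection quickly.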

Sender behavioral profiling

Every IP that sends email as your domain develops a behavioral fingerprint over time: when it sends, how much it sends, from which geographies, and with what authentication results. SpoofSentry captures this into hourly heatmaps that show normal sending patterns at a glance.

Four anomaly detectors run continuously against each sender profile:

  • Volume spikes — sending volume exceeds 3 standard deviations from the baseline
  • Geographic shifts — email suddenly originates from new countries or ASNs
  • Authentication degradation — SPF/DKIM pass rates decline over a rolling window
  • Timing changes — sending patterns shift to unusual hours relative to historical norms

Navigate to Sender Intel to view profiles and active anomaly flags. Behavioral profiling catches threats that static rules miss: a compromised ESP account that starts sending at 3 AM from a new region, or a legitimate sender whose infrastructure change quietly broke DKIM signing. These are the incidents that slip through traditional monitoring because each individual data point looks normal in isolation.
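The four detectors listed above, run over constructed DMARC-style observations for one sender IP as an added example (not SpoofSentry's implementation; the baseline is compared against the current window rather than a true rolling window, and the 0.2 pass-rate drop threshold is an assumed value):

```python
import statistics
from collections import Counter
from datetime import datetime

# Constructed observations: (timestamp, message count, source country, DKIM passed).
# Baseline: four weeks of business-hours sending from the US with DKIM passing.
BASELINE = [(datetime(2026, 3, d, h), 20 + (d * h) % 7, "US", True)
            for d in range(1, 29) for h in (9, 11, 13, 15, 17)]
# Current window: a 3 AM burst from a new country with DKIM failing (the compromised-ESP case).
RECENT = [(datetime(2026, 3, 29, 3), 900, "NL", False),
          (datetime(2026, 3, 29, 9), 22, "US", True)]

def daily_volumes(obs):
    per_day = Counter()
    for ts, n, _, _ in obs:
        per_day[ts.date()] += n
    return per_day

def pass_rate(obs):
    total = sum(n for _, n, _, _ in obs)
    return sum(n for _, n, _, ok in obs if ok) / total if total else 1.0

def detect_anomalies(baseline, recent, sigma=3.0, auth_drop=0.2):
    """Return the set of anomaly flags raised by `recent` relative to `baseline`."""
    flags = set()
    # Volume spike: any day in the window more than `sigma` standard deviations above baseline.
    base_days = list(daily_volumes(baseline).values())
    mu, sd = statistics.mean(base_days), statistics.pstdev(base_days)
    if sd and any((vol - mu) / sd > sigma for vol in daily_volumes(recent).values()):
        flags.add("volume_spike")
    # Geographic shift: a country never seen in the baseline.
    seen = {c for _, _, c, _ in baseline}
    if any(c not in seen for _, _, c, _ in recent):
        flags.add("geo_shift")
    # Authentication degradation: pass rate falls by more than `auth_drop`.
    if pass_rate(baseline) - pass_rate(recent) > auth_drop:
        flags.add("auth_degradation")
    # Timing change: sending in an hour of day the baseline never used.
    hours = {ts.hour for ts, _, _, _ in baseline}
    if any(ts.hour not in hours for ts, _, _, _ in recent):
        flags.add("timing_change")
    return flags
```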

SIEM integration with STIX and TAXII

Enterprise security teams operate in ecosystems, not isolated tools. SpoofSentry's threat data needs to flow into the same platforms where SOC analysts already work: Splunk, Elastic, Microsoft Sentinel, and others.

For Enterprise plan customers, SpoofSentry now includes a built-in TAXII 2.1 server that serves threat data serialized as STIX 2.1 bundles. Four collections are available:

  • Threat Indicators — IP addresses, domains, and URLs with reputation data and confidence scores
  • Sightings — Observed events linking indicators to your domain's email traffic
  • Campaigns — Clustered spoofing campaigns with timeline reconstruction
  • Vulnerabilities — DNS configuration weaknesses and authentication gaps

Navigate to SIEM Feed to configure the endpoint, test the connection, or download STIX bundles directly. Any TAXII 2.1-compatible client can poll the endpoint on its own schedule. For teams using SpoofSentry's existing Splunk, Elastic, or Sentinel integrations, these feeds complement the event-based forwarding with structured threat intelligence that can power automated playbooks, correlation rules, and threat hunting queries.
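What one entry in the Threat Indicators and Sightings collections looks like on the wire, built as an added example from a constructed enrichment result (this is not SpoofSentry's serializer; the IP, counts and timestamps are constructed, and the object layout follows the STIX 2.1 specification rather than any SpoofSentry-specific schema):

```python
import json
import uuid
from datetime import datetime, timezone

def stix_ts(dt):
    """STIX 2.1 timestamps: RFC 3339 in UTC with fractional seconds and a trailing 'Z'.
    `dt` must be timezone-aware."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def new_object(obj_type, **fields):
    """Common STIX 2.1 envelope: type, spec_version, a typed UUIDv4 id and timestamps."""
    now = stix_ts(datetime.now(timezone.utc))
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": now, "modified": now, **fields}

def ip_indicator(ip, abuse_reports, first_seen, confidence):
    """Indicator for a source IP that failed authentication as the monitored domain.
    The pattern is written in STIX's own pattern language over the ipv4-addr observable."""
    return new_object(
        "indicator",
        name=f"Spoofing source {ip}",
        description=f"Failed SPF/DKIM as the monitored domain; {abuse_reports} abuse reports",
        indicator_types=["malicious-activity"],
        pattern=f"[ipv4-addr:value = '{ip}']",
        pattern_type="stix",
        valid_from=stix_ts(first_seen),
        confidence=confidence,
    )

def sighting(indicator, count, first_seen, last_seen):
    """Sighting relationship: how often and when the indicator appeared in DMARC data."""
    return new_object("sighting", sighting_of_ref=indicator["id"], count=count,
                      first_seen=stix_ts(first_seen), last_seen=stix_ts(last_seen))

def build_bundle(ip, abuse_reports, count, first_seen, last_seen, confidence=85):
    """A STIX 2.1 bundle, the unit a TAXII client fetches from a collection."""
    ind = ip_indicator(ip, abuse_reports, first_seen, confidence)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [ind, sighting(ind, count, first_seen, last_seen)]}

# Constructed enrichment result for one DMARC-reported source (documentation IP range).
FIRST = datetime(2026, 4, 1, 8, 30, tzinfo=timezone.utc)
LAST = datetime(2026, 4, 3, 17, 45, tzinfo=timezone.utc)

def example_bundle_json():
    return json.dumps(build_bundle("203.0.113.7", 847, 1312, FIRST, LAST), indent=2)
```

A SIEM correlation rule can then match the indicator's `pattern` against its own network or mail logs while the sighting's `count` and `last_seen` supply the recency and volume an analyst needs for prioritisation.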

Getting started

Threat Intelligence features are available now. Pro plan customers have access to IP reputation enrichment, CT monitoring, score forecasting, and sender profiling. Enterprise plan customers also get the STIX/TAXII export server.

If you are already on a Pro or Enterprise plan, the new Threat Intelligence sidebar group is live in your dashboard. No configuration required for reputation enrichment and CT monitoring — they activate automatically for all monitored domains.

New to SpoofSentry? Start with a free domain security check to see your current DMARC posture, then upgrade to Pro to unlock threat intelligence.
