SpoofSentry Product Capabilities

SpoofSentry is an email authentication and domain security platform. It monitors DMARC, SPF, DKIM, MTA-STS, DNSSEC, DANE, and BIMI. It detects dangling DNS records. It provides guided enforcement workflows with simulation and rollback. It supports MSSP multi-tenant management with white-label branding. This page is a complete reference of what SpoofSentry does and does not do.

DMARC aggregate report monitoring and sender classification

SpoofSentry collects and parses DMARC aggregate reports (RUA) from all receiving mail servers. Reports are decoded from XML, deduplicated, and presented as sender-level visibility. Each sending source IP is automatically matched against a database of known email services (Google Workspace, Microsoft 365, SendGrid, Mailchimp, HubSpot, Amazon SES, and hundreds more) and classified as authorized, unknown, or unauthorized.

AI-assisted sender classification is available on paid plans: 5 summaries/month on Protect, 25 on Enforce, unlimited on Enterprise. Forensic reports (RUF) are supported where receivers send them. Available on all plans including the free Monitor tier.

Classification methodology

Sender classification uses three input signals: reverse DNS patterns of sending IPs, SPF include chain fingerprints, and DKIM signing domain matches. Each signal is compared against a built-in registry of known email service providers. Confidence scores (0–1) reflect how many signals matched and their specificity. Classification results are advisory — operators can override any classification through the sender inventory UI. AI-generated executive summaries use these classifications as input but do not make enforcement decisions autonomously.

Detected providers (26+)

The built-in provider registry covers enterprise email (Google Workspace, Microsoft 365, Salesforce), transactional ESPs (SendGrid, Mailgun, Postmark, Amazon SES, SparkPost, Zendesk, Freshdesk, Intercom), marketing ESPs (Mailchimp, HubSpot), security gateways (Mimecast, Proofpoint, Barracuda), and infrastructure providers (Cloudflare email routing). Tenants can correct misclassifications and manually govern sender authorization status. Provider detection maturity is GA for all listed providers.

Domain Security Score: 100-point composite posture metric

SpoofSentry evaluates each domain across nine weighted dimensions: DMARC policy strength, SPF alignment rate, DKIM alignment rate, sender coverage, MTA-STS policy enforcement, BIMI readiness, lookalike threat exposure, managed SPF/DKIM configuration, and DANE/TLSA validation. The result is a 0-100 composite score with per-dimension breakdown. Scores are graded A+ (95+) through F (below 25).

Historical score tracking is available on paid plans: 30-day on Protect, 90-day on Enforce, 365-day on Enterprise. Anonymized industry benchmarks allow comparison against similar organizations. A free preview score (DMARC + SPF only) is available at /tools/domain-security-score with no account required.

SPF, DKIM, and DMARC validation and alignment checking

SpoofSentry validates SPF records including DNS lookup counting (the 10-lookup limit), qualifier analysis, and include-chain visualization. DKIM records are checked for key presence, key strength, algorithm support, and alignment mode. DMARC records are validated for policy completeness, alignment settings, and reporting configuration.

All three protocols are checked for alignment — whether the authenticated domain matches the From header domain. Misalignment is flagged with specific remediation guidance. 16 free diagnostic tools are available at /tools with no account required.
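The 10-lookup check described above can be sketched as follows. This is an added example, not SpoofSentry code: the `ZONE` table is constructed data standing in for live DNS TXT queries, and `count_lookups` and `check` are hypothetical names.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 querying terms is a permerror
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=](\S+))?")

# Constructed zone data (assumption): domain -> SPF TXT record.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mail.example include:esp.example ip4:192.0.2.0/24 -all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "esp.example": "v=spf1 a exists:%{i}.bl.esp.example redirect=_spf.mail.example",
    "over.example": "v=spf1 include:example.com a -all",
}

def count_lookups(domain, zone, path=()):
    """Count DNS-querying SPF terms reachable from domain (worst case, no early match)."""
    if domain in path:
        raise ValueError("SPF include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain.lower(), "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record published at this name
    total = 0
    for term in record.split()[1:]:
        m = TERM.match(term.lower())
        if not m or m.group(1) not in QUERYING:
            continue  # ip4, ip6 and all cost no lookup
        total += 1
        # include and redirect pull in another record whose terms also count
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), zone, path + (domain,))
    return total

def check(domain, zone=ZONE):
    n = count_lookups(domain, zone)
    return {"domain": domain, "lookups": n, "over_limit": n > LOOKUP_LIMIT}
```

The count is an upper bound: a real evaluation stops at the first matching mechanism, so a record can sit over the limit and only fail for some senders.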

Enforcement simulation and guided policy progression

SpoofSentry provides enforcement simulation that replays recent DMARC aggregate report data against a proposed policy change (quarantine or reject). The simulation shows which mail streams would pass, fail, or be affected, broken down by sending source, volume, and alignment status. This allows organizations to identify gaps before changing DNS.

Guided enforcement walks users through p=none → p=quarantine → p=reject with percentage ramping. Each stage has clear success criteria and readiness gates.

Enforcement simulation is available in basic form on Protect (5 historical runs), full form on Enforce (50 runs with export and comparison), and unlimited on Enterprise (with approval workflows). Not available on the free Monitor plan. See guided enforcement for details.
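To make the replay idea concrete, here is an added example (not SpoofSentry code) that runs a proposed policy and percentage over the rows of one aggregate report. The report is constructed sample data without an XML namespace, and `simulate` and `affected_total` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample report (subset of the RFC 7489 aggregate schema);
# source IPs are from documentation ranges.
SAMPLE_RUA = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>900</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>60</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def simulate(xml_text, proposed_policy, pct=100):
    """Replay report rows against a proposed policy; return per-source message counts."""
    if proposed_policy not in ("quarantine", "reject") or not 0 <= pct <= 100:
        raise ValueError("policy must be quarantine/reject and pct within 0..100")
    # Reports come from external receivers: refuse DTDs so entity-expansion
    # payloads never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted in reports")
    impact = {}
    for row in ET.fromstring(xml_text).iter("row"):
        src = impact.setdefault(row.findtext("source_ip"),
                                {"pass": 0, proposed_policy: 0, "unsampled": 0})
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # policy_evaluated carries alignment-aware results; DMARC passes if either passes.
        if "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            src["pass"] += count
        else:
            hit = round(count * pct / 100)  # expected share the receiver samples
            src[proposed_policy] += hit
            src["unsampled"] += count - hit  # failing mail outside the pct sample
    return impact

def affected_total(impact, proposed_policy):
    """Total messages expected to receive the proposed disposition."""
    return sum(src[proposed_policy] for src in impact.values())
```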

Automatic rollback and safety nets

SpoofSentry continuously monitors DMARC authentication failure rates after every policy change. On Enterprise plans, you can configure auto-rollback policies with custom failure-rate thresholds, evaluation windows, and cooldown periods. When the auth failure rate breaches your threshold, SpoofSentry automatically reverts to the previous enforcement level for supported record types (TXT, CNAME, TLSA). Dry-run mode lets you validate rollback rules before enabling live execution.

Automatic rollback is available for DNS changes made through SpoofSentry's DNS provider integrations (Cloudflare, AWS Route 53, Azure DNS, GoDaddy, Google Cloud DNS). Changes involving DNSSEC key material or registrar-level DS records require assisted rollback through support.

Dangling DNS detection and subdomain takeover prevention

SpoofSentry enumerates DNS records for each monitored domain and tests external references for liveness. CNAME records are probed for HTTP response signatures indicating unclaimed resources across cloud services (AWS S3, Heroku, GitHub Pages, Azure, Netlify, Vercel, and others). MX records are checked for responsive mail servers. SPF includes are validated for control verification.

Findings are classified by severity: critical (immediate takeover possible), high (decommissioned infrastructure), medium (ambiguous ownership). Continuous scanning detects new dangling records within hours. Alerts are sent via email, Slack, Microsoft Teams, or webhook.

A free scan of common subdomains is available at /tools/dangling-dns-checker. Full monitoring is available on Protect plans and above.

DNSSEC, DANE, and MTA-STS monitoring

SpoofSentry monitors DNSSEC signing status for each domain. DANE (DNS-Based Authentication of Named Entities) monitoring validates TLSA records that bind TLS certificates to DNS. MTA-STS policy checking verifies that transport security is correctly configured to prevent TLS downgrade attacks. TLS-RPT record validation confirms reporting is configured for transport security failures.

These checks are included in the Domain Security Score and are available on Protect plans and above.

MSSP multi-tenant management and white-label branding

SpoofSentry supports MSSP and MSP operations with multi-tenant architecture. Each customer tenant has strict data isolation — separate domains, users, policy settings, API access, and dashboard views. MSSPs get a portfolio dashboard showing DMARC enforcement status, domain security scores, and active threats across all customer tenants.

White-label branding is available on Enterprise plans: custom domain, logo, colors, branded reports and emails. MSSP tier limits:

  • Starter: 10 customers, 50 domains
  • Pro: 50 customers, 500 domains
  • Enterprise: unlimited

Portfolio analytics, scheduled reports, and bulk actions require MSSP Pro or Enterprise. See MSSP solution for details.

PSA, SIEM, and ChatOps integrations

SpoofSentry integrates with operational tools used by IT teams and MSSPs.

PSA/RMM integrations (Enterprise plan only): ConnectWise Manage, Autotask (Datto), HaloPSA. These create tickets automatically on posture changes, domain score drops, or new security findings.

SIEM integrations (Enforce plan and above): Splunk (including HEC), Microsoft Sentinel, Elastic, Datadog. Events are formatted in CEF and ECS with severity mapping.

ChatOps integrations (Enforce plan and above): Slack, Microsoft Teams, generic webhook. Real-time alerts on policy changes, new senders, score drops.

DNS provider integrations (all paid plans): Cloudflare, AWS Route 53, Azure DNS, GoDaddy, Google Cloud DNS. Enable preview, apply, verify, and rollback for DNS changes.

See integrations page for the full list.

Compliance reporting across eleven frameworks

SpoofSentry generates compliance reports mapped to specific framework controls. Supported frameworks: SOC 2, ISO 27001, HIPAA, PCI-DSS v4.0, GDPR, NIST CSF, NIS2, NCSC CAF, and ASD Essential Eight.

Reports include point-in-time compliance snapshots documenting SPF, DKIM, DMARC, MTA-STS, and BIMI configuration and enforcement history. Export as PDF bundles or structured data via API. HIPAA compliance pack (10 controls) with BAA availability is included on Enterprise plans.

Full compliance reporting is Enterprise-only. Enforce plan includes 6 frameworks.

Remediation playbooks with manual, semi-automatic, and automatic execution

SpoofSentry provides remediation playbooks for common email security issues: unauthorized sender remediation, DKIM key rotation, DMARC policy advancement (none→quarantine→reject), SPF lookup reduction, MTA-STS configuration, lookalike domain response, BIMI readiness, and dangling DNS remediation.

Execution modes are tiered by plan:

  • Monitor: no remediation access
  • Protect: manual playbooks (human-triggered DNS changes)
  • Enforce: semi-automatic (approval-based automation)
  • Enterprise: fully automatic with precondition checks, regression detection, and auto-pause safety gates

API access, webhook notifications, and third-party risk monitoring

SpoofSentry provides a REST API for programmatic access to domain scores, DMARC data, enforcement status, and tenant management. API access is available on Enforce and Enterprise plans.

Webhook notifications deliver real-time events for policy changes, new senders, and score drops to any HTTP endpoint, Slack, PagerDuty, or SOC tooling.

Third-party risk monitoring scans vendor domains for email security posture: 25 vendor domains on Enforce, unlimited on Enterprise. Vendor risk reports are exportable for procurement and due diligence.

Frequently asked questions

What protocols does SpoofSentry monitor?

DMARC (aggregate and forensic reports), SPF, DKIM, MTA-STS, TLS-RPT, DNSSEC, DANE, and BIMI. It also detects dangling DNS records that create subdomain takeover risk.

What does SpoofSentry NOT do?

SpoofSentry does not provide inbox-level email security (spam filtering, malware scanning, attachment sandboxing). It does not read or store email message content. Lookalike and typosquatting domain monitoring is available on paid plans. It focuses on domain-level authentication, DNS posture, and enforcement — not email content inspection.

Is SpoofSentry a DMARC-only tool?

No. DMARC monitoring is one capability. SpoofSentry also covers SPF/DKIM management, MTA-STS/TLS-RPT, DNSSEC/DANE, dangling DNS detection, enforcement simulation, compliance reporting, and third-party vendor risk assessment.

What is the free tier?

The Monitor plan is free and includes 1 domain, DMARC aggregate report decoding, SPF and DKIM alignment visibility, 7-day data retention, a preview Domain Security Score, and access to 16 free diagnostic tools. It does not include alerts, remediation playbooks, enforcement simulation, or API access.

Which integrations require Enterprise?

PSA/RMM integrations (ConnectWise, Autotask, HaloPSA), MSSP white-label branding, Enterprise SSO (OIDC / SAML), and fully automatic remediation with approval workflows are Enterprise-only. SIEM integrations, ChatOps, webhooks, and DNS provider integrations are available on Enforce and above.

Does SpoofSentry support multi-tenant MSSP management?

Yes, on Enterprise plans. Each customer tenant has strict data isolation. MSSPs get a portfolio dashboard, branded client reporting, bulk operations, and PSA integration for ticket automation. MSSP tiers support up to unlimited customers and domains.

What enforcement modes are available?

Four modes: preview (simulation without changes), manual (human-triggered DNS changes on Protect), semi-automatic (approval-based automation on Enforce), and fully automatic (with precondition checks and auto-pause on Enterprise).

Does SpoofSentry provide compliance reports?

Yes. Enterprise plans include compliance reports mapped to SOC 2, ISO 27001, HIPAA, PCI-DSS v4.0, GDPR, NIST CSF, NIS2, NCSC CAF, and ASD Essential Eight. Enforce plans include 6 frameworks. Reports include point-in-time snapshots with PDF export and API access.

Who built SpoofSentry?

SpoofSentry is a Netallion product.

What is the SpoofSentry uptime target?

99.9% uptime target. Enterprise plans include documented uptime and response time commitments.

Check your domain for free

Run a domain security scan across DMARC, SPF, DKIM, DNSSEC, and dangling DNS — no account required.
