DMARC Enforcement Automation
SpoofSentry guides domains from p=none through p=quarantine to p=reject with simulation, blocker detection, and staged rollout. Every policy change is validated against real DMARC report data before it touches DNS. Safety controls prevent enforcement from breaking legitimate mail flow.
Policy progression: monitor to quarantine to reject (Live)
SpoofSentry manages the standard DMARC enforcement path: p=none (monitor only, no action on failing mail), p=quarantine (failing mail goes to spam/junk), and p=reject (failing mail is dropped). Each transition is gated by readiness criteria derived from your actual DMARC report data.
Percentage ramping is supported at each stage. For example, moving from none to quarantine can start at pct=10 and increment to pct=100 over days or weeks as confidence builds. SpoofSentry tracks pass/fail rates at each percentage level and recommends when to advance or hold.
Enforcement simulation (Live, Protect+)
Before changing your DMARC policy in DNS, SpoofSentry replays recent aggregate report data against the proposed policy. The simulation shows exactly which mail streams would pass, fail, or be affected, broken down by sending source, volume, SPF alignment, and DKIM alignment.
Simulation results identify senders that would be impacted, letting you fix alignment issues before enforcement rather than after. Simulations can be run repeatedly as you remediate senders to verify readiness. Available on Protect (5 historical runs), Enforce (50 runs with export), and Enterprise (unlimited with approval workflows).
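The replay described above can be sketched as follows. This is an added example, not SpoofSentry's code: the function names `simulate` and `blockers`, the `min_volume` threshold, and the embedded report are assumptions, and the XML follows the RFC 7489 aggregate report layout.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
# policy_evaluated/dkim and /spf carry the DMARC-aligned results.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>900</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>300</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>200</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def simulate(report_xml, proposed_policy, pct=100):
    """Replay report rows against a proposed policy; return per-source totals."""
    if proposed_policy not in ("none", "quarantine", "reject"):
        raise ValueError("policy must be none, quarantine or reject")
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    # ElementTree is fine for this embedded sample; use a hardened XML
    # parser (for example defusedxml) for reports received from outside.
    totals = defaultdict(lambda: {"pass": 0, "fail": 0, "spf_aligned": 0, "dkim_aligned": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        count = int(row.findtext("count", "0"))
        dkim_ok = row.findtext("policy_evaluated/dkim") == "pass"
        spf_ok = row.findtext("policy_evaluated/spf") == "pass"
        src = totals[row.findtext("source_ip")]
        src["dkim_aligned"] += count if dkim_ok else 0
        src["spf_aligned"] += count if spf_ok else 0
        # DMARC passes when either aligned mechanism passes.
        src["pass" if (dkim_ok or spf_ok) else "fail"] += count
    results = {}
    for ip, src in totals.items():
        # Expected share of failing mail that receives the proposed policy at this pct.
        affected = 0 if proposed_policy == "none" else src["fail"] * pct // 100
        results[ip] = dict(src, affected=affected)
    return results

def blockers(results, min_volume=100):
    """Sources whose failing volume is large enough to hold back enforcement."""
    return sorted(ip for ip, src in results.items() if src["fail"] >= min_volume)

if __name__ == "__main__":
    for ip, src in simulate(SAMPLE_REPORT, "quarantine", pct=10).items():
        print(ip, src)
```

Under RFC 7489, failing mail not selected by pct receives the next-lower policy, so at p=reject the remainder is quarantined rather than delivered normally.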
Blocker detection (Live)
SpoofSentry automatically identifies enforcement blockers — legitimate senders that would fail under a stricter policy. Blockers are classified by type: missing SPF alignment, missing DKIM alignment, misconfigured third-party services, and unidentified senders with significant volume.
Each blocker includes remediation guidance specific to the sender (for example, “add include:spf.protection.outlook.com to your SPF record” or “enable DKIM signing in your SendGrid account settings”). Blockers must be resolved or explicitly accepted before enforcement progression is recommended.
Sender governance (Live)
SpoofSentry maintains a sender registry for each domain: every IP and service that has sent mail on behalf of your domain, classified as authorized, unknown, or unauthorized. New senders are flagged for review when they first appear in DMARC reports.
Sender governance prevents enforcement surprises. When a new marketing tool or SaaS application starts sending from your domain, SpoofSentry detects it from report data and alerts you before enforcement would block it. Sender classification can be managed manually or with AI-assisted identification on paid plans.
Safety simulator (Live)
The safety simulator runs a comprehensive pre-flight check before any enforcement change. It validates that all known authorized senders pass under the proposed policy, that SPF and DKIM alignment rates meet configurable thresholds, that no high-volume senders have degraded authentication in recent reports, and that the proposed DNS change is syntactically valid.
If any safety check fails, the simulator blocks the change and provides specific remediation steps. On Enterprise plans, safety checks can be configured to automatically roll back a change if post-deployment metrics degrade beyond a threshold.
Staged rollout (Beta, Enterprise)
Staged rollout uses DMARC percentage ramping to gradually increase enforcement coverage. SpoofSentry manages the pct= tag automatically, starting at a low percentage (typically 10%) and increasing in configurable increments. At each stage, delivery metrics are monitored and the next increment is gated on continued healthy pass rates.
If degradation is detected at any stage, the rollout pauses and alerts the operator. The operator can hold at the current percentage, roll back to the previous level, or investigate and resume. Full staged rollout with automatic progression is available on Enterprise plans. Manual staged rollout is available on Enforce.
Get to p=reject without breaking mail
Simulate enforcement against real data, detect blockers, and roll out safely with percentage ramping.