Whether you're protecting a single domain or managing hundreds for clients, you need reliable visibility into who is sending email on your behalf — and whether it's passing authentication.
The question isn't whether you can afford DMARC monitoring. It's whether you can afford to enforce a policy without it.
Moving from p=none to p=reject without monitoring is how legitimate mail gets blocked. You need to understand every sending source before you tighten policy — and you need to keep watching after you do.
DMARC itself is free — it's a DNS record and an open standard. The aggregate reports are free — receiving mail servers send them automatically. What costs money is making sense of those reports at scale, consistently, over time. That's where a monitoring service earns its keep.
p=none → p=quarantine → p=reject
Each step requires monitoring to make safely. OnlyDMARC alerts you to unknown senders before they get blocked.
One line of DNS, zero risk to existing delivery:
v=DMARC1; p=none; rua=mailto:reports@yourdomain.com
That rua= address is where your aggregate reports go. Without monitoring, those reports are just XML sitting on a server nobody reads.
Across payment processing, financial services, and public sector, DMARC has moved from best-practice guidance to mandatory requirement. Here's the landscape.
Applies to: retail & e-commerce, hospitality, healthcare, professional services, SaaS platforms, nonprofits — any organisation accepting card payments.
DMARC is increasingly viewed as a baseline indicator of cyber maturity in regulated sectors. Not optional if you operate in or serve the European financial ecosystem.
p=reject across all federal civilian agencies. Suppliers and contractors to government bodies face the same expectations from procurement teams and auditors.
p=none or stronger. Once classified as a bulk sender, that classification is permanent. Must also support one-click unsubscribe and keep spam complaint rates below 0.3%.
Threshold: 5,000 emails per day to personal accounts. Note: 5,000 is per day — not per month. A product launch or seasonal campaign can push you over on any single day.
550; 5.7.515. Consumer mailboxes only — Microsoft 365 business addresses are not in scope.
Same 5,000-per-day threshold as Google and Yahoo. If you're already compliant for Gmail, you're likely already covered for Microsoft too.
If you send to iCloud addresses, now is the time to get compliant before a formal deadline is announced.
This is the inbox-provider reality. Google, Yahoo, and Microsoft will permanently reject or spam-folder your messages at the SMTP level if your domain doesn't meet their authentication standards. Non-compliant bulk email is rejected outright — not a theoretical risk, not a maybe.
This is the PCI DSS and government mandate scenario. An auditor checks for DMARC as part of their assessment. Its absence is a formal finding, potentially with financial penalties ($5,000–$100,000 under PCI DSS) or the loss of your ability to process card payments.
Cyber insurers, enterprise procurement teams, and industry regulators increasingly treat DMARC as a baseline expectation. Not having it creates friction in security assessments and raises questions about your overall security posture — even when no formal mandate applies.
In all three cases, the answer is the same: publish a DMARC record, set up monitoring, and work toward enforcement.
Without a DMARC policy at quarantine or reject, anyone can spoof your domain in the visible From address — the name your recipients actually see. This is the vector used in business email compromise (BEC) and targeted phishing attacks.
p=reject without monitoring means legitimate sources you've forgotten about will silently stop delivering. Monitoring makes the journey safe.
Multiple domains, complex sending infrastructure, compliance requirements, and SOC teams that need DMARC data in their existing tooling — not another dashboard to watch.
Manage DMARC monitoring across all your clients from a single platform. Per-domain configuration, alerting, and reporting. White-label friendly API.
REST API, MCP server, webhooks, and JSON export. Pipe DMARC data directly into your infrastructure. No SaaS lock-in, no forced workflow changes.
Affordable, simple monitoring for a single domain. Get the compliance and security benefits of DMARC without needing a dedicated security team to manage it.
DORA, PCI DSS v4.0, and FCA expectations make DMARC monitoring a compliance necessity, not an optional security extra. We help you evidence it.
UK government and public sector bodies have been required to enforce DMARC since 2016. Suppliers and contractors increasingly face the same expectations.
High email volumes across multiple subdomains and third-party senders make DMARC monitoring essential. Many students and alumni use personal Gmail or Yahoo accounts — exactly the inboxes covered by the bulk sender requirements.