This is not email setup. This is fraud prevention.
Impersonation, fake invoices, and silent inbox losses start with weak SPF/DKIM/DMARC enforcement — not missing records.
- Impersonation risk is measurable.
- Deliverability loss looks like revenue decay.
- DNS drift breaks enforcement quietly.
We read public DNS only. No mailbox access. No email content collected.
Typical SMB
- DMARC: p=none (monitoring-only)
- Alignment: relaxed or unknown
- DKIM: missing / unverified
- SPF: bloated includes
- Reporting: none
Enforced
- DMARC: p=reject + pct=100
- Strict alignment (adkim=s, aspf=s)
- DKIM verified and stable
- SPF within lookup limits
- Aggregate reporting enabled
What attackers do now (and why it works)
Most attacks don't look like hacking. They look like normal business email.
Fake invoice / bank detail change
- Trigger: AP gets an email that looks like a supplier update.
- Outcome: Money moves. Recovery is slow or impossible.
- Why it works: DMARC is monitoring-only, alignment is weak, and spoofed mail still lands.
CEO / payroll impersonation
- Trigger: A 'CEO' requests urgent payments or payroll changes.
- Outcome: Fraud, salary misroutes, compliance exposure.
- Why it works: Weak enforcement lets attackers send 'as you' — and people comply.
Account takeover via password resets
- Trigger: Password reset emails are intercepted or spoofed.
- Outcome: Systems get breached through normal email flows.
- Why it works: Deliverability and enforcement gaps create openings in identity flows.
Silent spam-folder revenue decay
- Trigger: Providers downgrade trust after a small DNS change.
- Outcome: Leads go cold. Renewals fail. Nobody notices for weeks.
- Why it works: DNS drift breaks alignment and reporting without obvious errors.
Presence checks ≠ enforcement
Presence checks:
- Record exists = "good"
- DMARC p=none scored as safe
- Relaxed alignment not penalized
- Reporting visibility ignored
Enforcement scoring:
- Policy strength + alignment + reporting
- Detect drift, not just records
- Focus on outcomes: spoofing + inbox placement
- 90+ benchmark posture
Configured is not protected.
How the Enforcement Score is computed
What a score of 75 really indicates
75 is not failure. It indicates enforcement gaps — partial alignment, incomplete reporting visibility, monitoring-only DMARC, or DKIM uncertainty. Your domain functions, but it's not enforcement-grade.
Typical reasons:
- pct < 100
- Relaxed alignment
- No aggregate reporting (no rua)
- DKIM selector uncertainty
- Structural SPF complexity
Operational does not mean enforced.
Enforcement deep dive
DNS drift is how enforcement dies quietly
Small changes break alignment. Monitoring catches it before revenue drops.
Day 0
Everything looks fine.
Day 12
A tool overwrites SPF includes.
Day 21
DMARC policy downgraded to p=none.
Day 30
Inbox placement drops. Leads go cold.
That's why monitoring exists — to keep enforcement stable.
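As an added example (not part of this page or the scanner's own code), a small Python check that applies the page's enforcement criteria to DMARC and SPF TXT records and flags drift against a stored baseline; the records are constructed samples, and the rua address and example domains are placeholders.

```python
def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags

def enforcement_gaps(dmarc_txt):
    """List the gaps this page treats as below enforcement-grade; [] means enforced."""
    t = parse_dmarc(dmarc_txt)
    if t.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record"]
    gaps = []
    policy = t.get("p", "none").lower()
    if policy != "reject":
        gaps.append("policy is p=%s, not p=reject" % policy)
    if int(t.get("pct", "100")) < 100:
        gaps.append("pct < 100")
    if t.get("adkim", "r").lower() != "s" or t.get("aspf", "r").lower() != "s":
        gaps.append("relaxed alignment")
    if "rua" not in t:
        gaps.append("no aggregate reporting (no rua)")
    return gaps

def spf_lookup_count(spf_txt):
    """Count SPF terms that each cost a DNS lookup; RFC 7208 caps them at 10."""
    count = 0
    for term in spf_txt.split()[1:]:            # skip the 'v=spf1' version tag
        term = term.lstrip("+-~?")              # drop the qualifier
        if term.startswith("redirect="):
            count += 1
            continue
        mech = term.replace("/", ":").split(":", 1)[0].lower()
        if mech in ("include", "a", "mx", "ptr", "exists"):
            count += 1
    return count

def dmarc_drift(baseline_txt, current_txt):
    """Tags whose value changed between a stored baseline and a fresh lookup."""
    base, cur = parse_dmarc(baseline_txt), parse_dmarc(current_txt)
    return {k: (base.get(k), cur.get(k)) for k in base.keys() | cur.keys() if base.get(k) != cur.get(k)}

# Constructed samples mirroring the page's "typical SMB" and "enforced" postures.
SMB_DMARC = "v=DMARC1; p=none; adkim=r"
ENFORCED_DMARC = "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
BLOATED_SPF = "v=spf1 " + " ".join("include:spf%d.example" % i for i in range(11)) + " -all"
```

Running `dmarc_drift(ENFORCED_DMARC, SMB_DMARC)` reproduces the "Day 21" downgrade above as a tag-by-tag diff, which is the signal a drift monitor would alert on.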
Activate monitoring ($29/mo)
Who gets hit first
Ecommerce & retail SMB
- Breaks first: fake invoices + order email deliverability
- Enforce: DMARC reject + stable SPF/DKIM
B2B services
- Breaks first: lead gen goes to spam + impersonation
- Enforce: alignment + reporting + drift monitoring
Agencies managing client domains
- Breaks first: tool overwrites + selector mismatch
- Enforce: provider-consistent DKIM + baseline
SaaS & recurring revenue
- Breaks first: password resets + onboarding emails
- Enforce: deliverability stability + monitoring
What we align with
- Major mailbox providers increasingly require DMARC alignment and stronger authentication.
- SPF/DKIM/DMARC standards define what 'authentication' actually means.
- Monitoring is required because DNS changes and tools overwrite records.
- Deliverability is an operational risk, not a marketing detail.
If you're under 90, you're operating with enforcement gaps.
Scan now. See what's missing. Fix it once. Then monitor drift.