DMARC Enforcement Automation

Your domain sends from multiple services.
Most of them aren't fully authenticated.

BrightPost identifies every ESP using your domain, shows which ones are missing DKIM or SPF alignment, and automates the DNS changes needed to move from p=none to enforcement — without breaking legitimate mail.

14-day free trial · No credit card required · Exit guarantee included

The visibility problem

See every sender using your domain — including ones you didn't configure.

Most domains run 2–4 sending services in parallel: Microsoft 365 for internal email, a marketing platform for campaigns, a transactional service for receipts, a support tool for ticket notifications.

DMARC reports surface all of them — but reading raw XML manually doesn't scale. BrightPost parses every report and maps each sending source to a known ESP fingerprint. The result: a per-sender authentication status view that shows exactly which services are authenticated and which are exposed.

  • Per-sender authentication status
  • Live DNS health check
  • Immediate on signup — no wait

Authorized Email Services: 3 / 4 authenticated
Authentication score: 52 (Needs Work)

  • Microsoft 365: SPF, DKIM (Authenticated)
  • Mailchimp: SPF, DKIM (Authenticated)
  • Salesforce: SPF (SPF only — no DKIM)
  • Zendesk: Not authenticated

1. Add DKIM record for Zendesk

Zendesk requires a CNAME record in your DNS to sign outbound mail

The operational reality of p=none

p=none is monitoring mode. It's not protection.

Most IT teams know this. The gap between knowing it and fixing it — without breaking legitimate mail — is what keeps domains stuck at none for months.

Right now

DMARC at p=none

  • Spoofed email from your domain reaches inboxes — reports record it, nothing stops it
  • Every unauthorized sender continues operating without consequence
  • You're notified of spoofing attempts after delivery, not before
  • Visibility only — no enforcement authority

Your domain can be impersonated right now and you will not be notified in time to stop it.

After enforcement

DMARC at p=reject

  • Unauthenticated email from your domain is rejected at the recipient mail server
  • Spoofing attempts fail silently — no delivery to inboxes
  • Legitimate senders protected by SPF/DKIM alignment verified before enforcement
  • Ongoing monitoring catches any new unauthorized senders immediately

No legitimate mail interrupted. Unauthorized senders stopped at the mail server.

BrightPost manages the path between these two states

How it works

One place to track and fix authentication across all your sending services.

BrightPost generates the vendor-specific DNS records each service requires, applies them to your DNS provider, and confirms alignment before advancing your DMARC policy — so you don't have to coordinate it manually across four different admin consoles.

Per-sender authentication status

See SPF and DKIM alignment for each ESP detected on your domain. Know exactly what is authenticated and what is exposed — without parsing raw XML.

Vendor-specific DNS fixes

Each ESP has different authentication requirements. BrightPost generates the exact CNAME, TXT, and SPF entries your DNS needs for each service — no documentation-diving required.

Policy-safe progression

BrightPost recommends advancing your DMARC policy from none → quarantine → reject, and shows you when report data confirms it is safe to do so. You approve each step.

DNS access and safety

Every DNS change is logged and requires your explicit approval.

DNS is production infrastructure. Here is exactly how BrightPost handles it.

Scoped access only

Read and write access to the specific DNS zone you connect. BrightPost does not require access to other zones, your registrar account, or billing. Cloudflare and Route 53 integrations use scoped API tokens — not account-level credentials.

Full audit trail

Every DNS change BrightPost makes is recorded with a timestamp and the record affected. Nothing is applied silently.

Explicit approval on every change

BrightPost shows you the exact DNS record it will create or modify before applying anything. No change is made without your explicit action.

Supported DNS providers

BrightPost integrates with Cloudflare and Amazon Route 53 for automated DNS writing. If your DNS is managed elsewhere, BrightPost generates the exact records and you apply them manually.

What this looks like in practice

Real configurations. Specific outcomes.

These examples are based on actual multi-sender domain configurations. Domain names have been removed.

Example: E-commerce company, 3 sending services

Starting state

Microsoft 365 · Mailchimp · Zendesk — DMARC p=none

  • Zendesk sending with no DKIM record configured
  • Mailchimp SPF present but not properly aligned
  • Microsoft 365 fully authenticated, others exposed
  • Spoofing attempts on Zendesk traffic undetectable

After BrightPost

All 3 services authenticated — DMARC p=reject

  • Zendesk DKIM CNAME generated, applied to Cloudflare, confirmed
  • Mailchimp SPF corrected with proper include statement
  • Policy advanced to quarantine at day 14, to reject at day 30 — each step reviewed and approved
  • No interruption to any legitimate mail throughout

What “fixing this” actually looks like

Most domains reach full enforcement in 30–45 days. Here is the typical path:

1. Add domain — see your full authentication status in under 60 seconds

BrightPost reads your live SPF, DKIM, and DMARC records immediately. No waiting for reports. Within a minute you see which senders are authenticated and which are exposed.

2. Review per-sender status

For each unauthenticated sender, BrightPost shows the specific DNS records required and which DNS provider needs to receive them.

3. Apply fixes — automated or manual

Connect your DNS provider (Cloudflare or Route 53) and BrightPost applies the records directly. Or export them and apply yourself — your choice.

4. Confirm alignment

BrightPost monitors DMARC reports as they arrive and confirms each sender is aligning correctly. You see pass/fail rates per sender, not just aggregate numbers.

5. Advance policy when ready

Once all detected senders are authenticated, BrightPost recommends advancing from none → quarantine. After 14+ days of clean report data, → reject. You approve each step.

Supported sending services

BrightPost automatically identifies and generates authentication records for these platforms:

Google Workspace, Microsoft 365, Mailchimp, Mailgun, SendGrid, Amazon SES, Shopify, Squarespace, Brevo, Postmark, SparkPost, Klaviyo, HubSpot, Salesforce Marketing Cloud, Zendesk, Freshdesk, Intercom, ConvertKit, ActiveCampaign, Constant Contact, Zoho Mail, Fastmail, Proton Mail

Supported DNS providers

For automated one-click record management:

  • Cloudflare: Automated
  • Amazon Route 53: Automated
  • All other providers: Manual export

Pricing

Simple, transparent pricing

14-day free trial on all plans. No credit card required.

Essentials

Perfect for small businesses

$29/mo
  • Up to 5 domains
  • DMARC monitoring & reporting
  • SPF & DKIM management
  • Real-time DNS lookups
  • DNS provider integrations
  • Email support

Business (Most Popular)

For growing companies

$129/mo
  • Up to 25 domains
  • Everything in Essentials
  • Team collaboration (5 seats)
  • 180-day data retention
  • Priority email support

Enterprise

For large organizations

$699/mo
  • Unlimited domains
  • Everything in Business
  • API access
  • SSO/SAML integration
  • Unlimited team seats
  • 1-year data retention

Exit guarantee: if you don't continue after 30 days, we'll export your recommended DNS records. No lock-in.

Move from p=none to enforcement — without guessing.

Start a free 14-day trial. Connect your domain, see your full authentication status in under 60 seconds, and get the exact DNS records you need to fix it.

Exit guarantee: if you don't continue after 30 days, we'll export your recommended DNS records so you can implement them manually. No lock-in.