Why this matters

Email is the #1 attack vector for almost every company. The most damaging variant is when an attacker sends mail "from" your CEO's real address — to your finance team, to your customers, to your bank. Without DMARC properly configured, this works. With DMARC at "reject" and continuous monitoring, it fails. The hard part is not deploying DMARC (one DNS record); the hard part is reading the reports and knowing when to act. We use AI to handle the analysis — so you get monthly clarity instead of a 400-row CSV no one will ever read.

Who buys this

  • Companies whose CEO or CFO has been impersonated in email-based fraud
  • Companies that send transactional email (invoices, contracts) where deliverability matters
  • Regulated industries with specific email-authentication mandates
  • Companies whose marketing team needs BIMI eligibility (logo in inbox)

What is included

In every 360DMARC subscription.

  • DMARC / SPF / DKIM deployment and progressive enforcement (monitor → quarantine → reject)
  • Continuous DMARCDIGESTS report ingestion for your domain
  • AISA AI analysis on every aggregate + forensic report — decides "no action / configure / investigate / escalate"
  • Monthly executive summary in plain English (spoofing attempts, legit senders surfaced, fixes applied)
  • Sender ecosystem mapping (every legit service sending "from" your domain — Stripe, Mailchimp, Workspace, etc.)
  • BIMI readiness review + logo trust-mark guidance
  • Brand-impersonation alert routing (high-volume spoof campaigns trigger immediate notification)

How we deliver

The operating shape, end to end.

01 Progressive enforcement

We deploy DMARC in monitor mode, identify every legitimate sender, fix misconfigurations, then advance through quarantine to reject — without bouncing legitimate mail.

02 AI-driven report analysis

Every aggregate + forensic report goes through DMARCDIGESTS for parsing, then AISA (built on Claude) reads it and decides: "no action / configure / investigate / escalate." You get a clean monthly summary instead of raw data.

03 Sender ecosystem mapping

We catalog every legitimate service sending "from" your domain — Stripe, Mailchimp, Workspace, your CRM, your booking tool — and keep that list current.

04 Brand-impersonation alerting

When an attacker runs a high-volume spoof campaign against your domain, we alert you immediately — with the campaign details and the action being taken.

Education

What you should actually understand before buying.

We sell a lot of these. The buyers who are happiest two years in are the ones who understood the why before they signed. So here is the why.

DMARC, SPF, DKIM — what they actually are

SPF says which servers are allowed to send "from" your domain. DKIM cryptographically signs your outgoing mail. DMARC tells receiving mail servers what to do with mail that fails those checks ("monitor only / send to spam / reject") and asks them to send you reports about every authentication attempt. Together, they make it impossible for an attacker to send mail "from" your domain that passes authentication — once correctly configured at reject.

Why "monitor mode" is a trap

Most companies stop at p=none ("monitor only"). It generates the reports but does not block any spoofing. If an attacker spoofs your CEO, the mail still arrives. The only protective configurations are p=quarantine (sends spoofed mail to spam) and p=reject (refuses spoofed mail entirely). Most companies stay in monitor for years because they are afraid of bouncing legitimate mail. We get you to reject in 60–90 days through methodical sender mapping.

Why AI-driven report analysis is a step change

A typical mid-sized company generates dozens to hundreds of DMARC reports per week — XML files with dozens of authentication results each. Reading these manually is impossible. Reading them via dashboards is partial — dashboards show you what queries you thought to run. AISA reads every report fully, correlates patterns over weeks, and writes a plain-English summary: "Two new senders appeared this month — Calendly is legit, the Russia-based IP claiming to be your domain is not. Configure Calendly. Block the Russian IP." Real decision support, not raw data.

BIMI and the logo-in-inbox payoff

Once your domain is at p=reject and you have a Verified Mark Certificate, Gmail and Yahoo will display your brand logo next to inbound mail from your domain. This is high-trust signaling for customers. Eligibility requires DMARC reject — which is exactly where this service gets you. We handle the BIMI readiness review as part of the monthly engagement.

Common questions

Questions buyers actually ask us.

Will deploying DMARC bounce my legitimate email?
Not if it is done methodically. We deploy in monitor mode first, map every legitimate sender, fix the misconfigurations, then advance to enforcement. Companies that try to do this themselves often skip this step and bounce mail.

Per domain — what counts as a domain?
A domain you send email from, e.g. yourcompany.com. Subdomains (mail.yourcompany.com, accounts.yourcompany.com) are typically covered under the parent — unless you send transactional mail from a subdomain you want to authenticate independently.

What does AISA actually do here?
Three things: parses every report (millions of records per quarter for a typical company), classifies each authentication attempt (legit / misconfigured / spoof), and writes the monthly summary in plain English. The work that previously required a part-time analyst, done in seconds.

How long until reject?
Typically 60–90 days. Most of that time is calendar — you need to wait for senders to actually try sending to gather the data. Fast-mode (30-day) deployments are possible but require more aggressive sender outreach.
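The per-record triage described under "Why AI-driven report analysis is a step change" and in the answer to "What does AISA actually do here?", reduced to a rule-based sketch. This is an added example, not AISA or DMARCDIGESTS code; the report, the sender inventory and the function names are constructed, and the XML layout follows the RFC 7489 aggregate format.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: inventory of third-party domains known to send for us (constructed).
KNOWN_SENDER_DOMAINS = {"mailer.example.net"}

# Constructed aggregate report, trimmed to the fields the triage reads.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
 <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count>
 <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><spf><domain>mailer.example.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>300</count>
 <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><spf><domain>unrelated.example.org</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def classify(record) -> str:
    """Label one <record> as legit, misconfigured or spoof."""
    evaluated = record.find("row/policy_evaluated")
    # policy_evaluated holds the aligned results; one aligned pass is a DMARC pass
    if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
        return "legit"
    # An unaligned pass from an inventoried service is a real sender set up wrong
    for result in record.iterfind("auth_results/*"):
        if (result.findtext("result") == "pass"
                and result.findtext("domain") in KNOWN_SENDER_DOMAINS):
            return "misconfigured"
    # A raw SPF/DKIM pass for an unknown domain proves nothing about our domain
    return "spoof"

def triage(xml_text: str) -> dict:
    """Sum message counts per label and list the source IPs needing review."""
    # Reports come from outside parties: refuse DTDs to block entity expansion
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD in report: refusing to parse untrusted XML")
    totals, review = Counter(), {}
    for record in ET.fromstring(xml_text).iter("record"):
        label = classify(record)
        totals[label] += int(record.findtext("row/count"))
        if label != "legit":
            review[record.findtext("row/source_ip")] = label
    return {"totals": dict(totals), "review": review}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

The third record passes SPF for its own domain yet is still labelled spoof, which is why the aligned `policy_evaluated` result, not the raw `auth_results` entry, drives the decision.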

Ready to add 360DMARC to your stack?

Three minutes in the build flow turns this into a real plan with a real price you can act on. Or talk to a human first — discovery call, no commitment.