Methodology

Transparent method, start to finish

We don't have a wall of testimonials yet — we're early. What we have instead is a method you can inspect and results you can reproduce.

1 · The free scan

You give us a domain. We query its public DNS records: SPF, DKIM (common selectors), DMARC, MX, MTA-STS, TLS-RPT, and BIMI. This is the same data any mail server — and any attacker — can already see. We never connect to your mailboxes, servers, or any private system. There is nothing to install and nothing to authorize.

The result is a 0–100 score computed by deterministic, published rules: the same domain state always produces the same score, and every point is traceable to a finding shown on screen. Bands: CRITICAL AT RISK PROTECTED HARDENED

2 · The $249 audit

The audit converts findings into the fix: for every issue the scan identifies, you receive the exact DNS record to publish — copy-paste ready — plus the order to publish them in, so legitimate mail keeps flowing throughout. Delivered immediately as a PDF to your email. Your IT person or vendor can implement it directly; no further purchase required.

3 · Done-for-you enforcement ($1,950)

If you'd rather not touch DNS, we do it: inventory your legitimate sending services, authorize them (SPF/DKIM), verify alignment, move your policy through monitoring to an enforced p=reject (pct=100) — a state verifiable from your public DNS — and monitor real-world alignment through DMARC aggregate reports. Backed by the 90-day money-back guarantee stated in plain sight on our pricing — with its conditions next to it, not in fine print.

4 · Ongoing monitoring ($99/mo)

DNS drifts: vendors change, records get edited, new tools start sending. Monitoring watches your authentication posture and DMARC reports and alerts you when something degrades. Month-to-month, cancel anytime.

What we will never claim

DMARC at enforcement stops spoofing of your exact domain. It does not stop look-alike domains, compromised mailboxes, or every form of fraud — and we make no legal or regulatory compliance determination of any kind. If a vendor promises "100% protection," ask them to put it in writing the way we put our guarantee in writing.

We read only public DNS — the same data any attacker sees. Nothing to install. No signup.

We measure one thing: whether someone can send email as your exact domain. Even giants like Google and Microsoft choose not to block this — for them it's a scale decision; for your business it almost always means real exposure.