Now in early access

Stop impersonation.
Reach p=reject without breaking a single real email.

ClearDMARC turns thousands of cryptic DMARC reports into a clear path to enforcement — so you can see every sender, fix alignment, and lock out spoofers with confidence.

Free instant check
⚠ Exposed
SPF record found
DKIM signature detected
DMARC policy is p=none — anyone can spoof this domain
Fix this free →
No credit card · 5-minute DNS setup · No mail-flow changes
acme.io: Enforced · p=reject
97.4% compliant
312,480 messages / 30 days
4,210 spoof attempts blocked
Sending sources
Google Workspace: PASS · aligned
SendGrid: PASS · aligned
Unknown · 185.220.101.x: REJECTED
Built for the teams most targeted by impersonation: Banking & finance · Healthcare · Government · SaaS & tech · MSPs · E-commerce
The problem

Your domain is a phishing weapon until you say otherwise.

Without an enforced DMARC policy, anyone can send email as you — to your customers, your staff, your suppliers. Most teams know they need DMARC. The hard part is getting to p=reject without accidentally blocking legitimate mail along the way.

DMARC reports are raw XML, sent by hundreds of mailbox providers, in volumes no human can read. So most domains stall at p=none — collecting data they never act on.

3.4B phishing emails sent every single day
~80% of domains never reach DMARC enforcement
Without enforcement
Spoofed invoices, fake HR notices, and brand impersonation land straight in the inbox — indistinguishable from the real thing.
Figures from industry phishing & DMARC-adoption research, 2024–25
How it works

From blind spot to enforcement in four steps.

No DMARC expertise required. ClearDMARC guides every move and validates it for you.

01

Connect your domain

Add one DNS record. We start receiving DMARC reports within minutes — zero impact on mail flow.

02

See every sender

We parse the raw reports into a plain-English list of who sends as you — legitimate services and impostors alike.

03

Fix alignment

Guided SPF & DKIM fixes for each source — with copy-paste DNS records and instant validation.

04

Reach enforcement

Move from p=none → quarantine → reject with a safety checklist at every stage. Spoofing blocked, deliverability protected.

Domain Score

Your whole email posture, in one number.

ClearDMARC grades every domain from 0–100 across four weighted factors — so you know exactly where you stand and what to fix next to reach an A.

One score, every domain

Roll up your whole portfolio — primary domains, subdomains, parked names — and spot the weakest link instantly.

A clear path to an A

Each factor shows exactly how many points are on the table and what action recovers them.

Tracked over time

Watch the score climb as you fix alignment and advance enforcement — proof of progress for every stakeholder.

The platform

Everything you need to own your email identity.

Aggregate report parsing

Thousands of RUA XML reports collapsed into one readable timeline of pass, fail, and forensic detail.

Sender intelligence

Every IP and service auto-classified — known ESP, your infrastructure, or an unauthorized impostor.

Guided enforcement

A safe, staged path to p=reject with a readiness score and a checklist before every policy change.

SPF & DKIM management

Flatten SPF under the 10-lookup limit, and surface every DKIM selector’s key age and signing volume.

Real-time threat alerts

Get notified the moment a new unauthorized source starts sending as your domain — by email or Slack.

BIMI & brand logo

Coming soon

Once you hit enforcement, publish your verified logo so it appears beside every email you send.

One clear view

The whole story of your email, on one screen.

Compliance, volume, threats, and every sending source — continuously updated as new reports arrive. These are real screens from the ClearDMARC console.

The journey

A guided path, not a guessing game.

Stage 1
p=none
Monitor only. Collect data, map every sender — no mail is ever affected.
Stage 2
p=quarantine
Suspicious mail diverts to spam. Ramp coverage from 0% to 100% safely.
Stage 3
p=reject
Full enforcement. Spoofed mail is refused outright. You own your domain.
Designed to take you from monitoring to p=reject in weeks — not years.
The ClearAuth suite

Three managed services. One clean email identity.

Email authentication has three layers. ClearAuth runs each one as a managed service — use them alone, or together for end-to-end protection.

Authorize · Sign · Enforce
ClearSPF
Sender authorization

Managed SPF that never breaks. Confirms every server is authorized — and stays valid as your senders change.

Source intelligence — volume per SPF source
Auto-flattening under the 10-lookup limit
One hosted record, updated for you
Explore ClearSPF →
ClearDKIM
Cryptographic signing

Hosted DKIM via one NS delegation — with source intelligence that surfaces every selector’s key age and volume.

Source intelligence — key age & volume per selector
One NS record covers every provider
Spot stale & unknown selectors at a glance
Explore ClearDKIM →
Flagship
ClearDMARC
Policy & reporting

Monitoring & enforcement. Ties SPF and DKIM together, then turns reports into a clear path to p=reject.

Parse every report, see every sender
Guided, staged path to p=reject
Real-time spoof alerts + BIMI
Explore ClearDMARC →
Run the full suite and ClearDMARC manages your SPF and DKIM records automatically — nothing to maintain by hand.
ClearSPF

One SPF record that never breaks the 10-lookup limit.

SPF silently fails once you exceed ten DNS lookups — and every new ESP pushes you closer. ClearSPF flattens all your authorized senders into a single hosted record and keeps it valid as your stack changes. You delegate once and never touch SPF by hand again.

SPF source intelligence
See the message volume behind every authorized source — drop unused includes and catch unexpected senders before they cost you a lookup.
Automatic flattening
Includes are resolved and compressed server-side — always under the 10-lookup cap, no PermError.
Self-healing
When a provider changes its sending IPs, your hosted record updates automatically — no edits, no breakage.
Zero mail-flow risk
No mail is affected until the delegation is verified. Roll back any time.
One-time setup · 3 steps
1 Activate ClearSPF in the console
2 Add one CNAME record at your DNS provider
Type: CNAME
Host: _spf.acme.io
Points to: acme-io.spf.cleardmarc.com
We verify it and host the record from there
Delegate once · one NS record
1 Activate ClearDKIM in the console
2 Delegate the _domainkey subdomain (one NS record)
Type: NS
Host: _domainkey.acme.io
NS: ns.dkim.cleardmarc.com
Every selector is hosted, with its key age & volume surfaced
ClearDKIM

DKIM that shows you every selector — across every provider.

Weak, stale, or unknown DKIM selectors quietly break authentication and tank deliverability. ClearDKIM hosts every selector through one NS delegation and surfaces each one’s key age and signing volume — so you always know what’s signing your mail.

Selector source intelligence
See the key age and message volume behind every selector — spot stale or rogue keys instantly.
One NS delegation
Hand over the _domainkey subdomain once; ClearDKIM hosts selectors for Google, Microsoft 365, SendGrid and more.
Continuously monitored
We alert you the moment a signature starts failing — long before it hurts your inbox placement.
100% of RUA report formats parsed
<10 SPF lookups — always under the limit
2048-bit DKIM keys, hosted & rotated
5 min DNS setup, zero mail-flow change
From early access

What early teams are telling us.

Feedback from design partners in our early-access program, shared anonymously.

"We'd stalled at p=none for ages. ClearDMARC finally showed us every sender — and a path to reject we actually trust."
B
Head of IT Security
Regional bank · early access
"The sender list alone paid for itself. We found three shadow-IT services nobody knew were emailing our customers."
H
Security lead
Healthcare provider · early access
"We manage client domains across many tenants — the multi-tenant view is the only way we could do DMARC at this scale."
M
Founder
Managed-services provider · early access
Pricing

Start free. Scale when you're ready.

Starter
$0 forever
For a single domain getting started.
Start free
1 domain
Aggregate report parsing
Sender list & classification
Weekly email digest
Most popular
Growth
Start 14-day trial
Up to 25 domains
Guided enforcement to p=reject
Real-time threat alerts
SPF & DKIM management tools
Slack & email integrations
Enterprise
Custom
For MSPs & large domain portfolios.
Talk to sales
Unlimited domains
MSP multi-tenant console
SSO/SAML & audit logs
Dedicated CSM & SLA
API & white-label reports
Works with your stack

Connects to the services already sending your mail.

Google Workspace · Microsoft 365 · Cloudflare · AWS SES · SendGrid · Mailchimp · Salesforce · Slack
Security & privacy
SOC 2 Type II · in progress
ISO 27001 · in progress
GDPR-aligned
Encrypted at rest
EU data residency
99.9% uptime target

We only ever process DMARC aggregate metadata — never the contents of your email. Certifications are in progress; the controls behind them are already in place.

Take back control of your domain today.

See every sender in minutes. Reach enforcement in weeks. Start free — no credit card required.

Start free Book a demo