Outlook rejects unauthenticated mail since May 2025 · Gmail rejects since Nov 2025 · Yahoo enforcing since 2024

Your emails are being judged.
Find out the verdict in 10 seconds.

Free DMARC, SPF & DKIM check in 10 seconds. Then we walk you to full p=reject protection — and stand guard forever: alerts on every new sender, failure or spoofing attempt. Any DNS provider. Plain English, no admin-speak.

No signup. No email required. Checks run live against your DNS.

Why this matters right now

The three biggest mailbox providers on Earth now demand SPF, DKIM and DMARC from anyone sending volume — and they no longer just filter violators to spam. Microsoft rejects outright with error 550 5.7.515 (since May 2025); Gmail began rejecting non-compliant senders in November 2025.

3 / 3

Providers enforcing

Gmail & Yahoo (2024, Gmail rejecting since Nov 2025), Microsoft Outlook (May 2025). This is the new plumbing of email, not a trend.

50%+

Stuck at p=none

More than half of domains with DMARC never reach enforcement (2026 adoption data). A record without a policy protects nothing.

10

SPF lookup limit

Run email through 4–5 services and you'll silently break it. We count your lookups on every check.

How DMARCKeeper works

1 · Check

Run the free check. See your protection grade (A–F), SPF lookup count, and every issue — each one explained like you're a business owner, not a sysadmin.

2 · Connect reports

Add one DNS record (we give you the exact line to paste). Mailbox providers start sending us daily reports about who's sending email as you.

3 · Get to p=reject

We identify every legitimate sender, hand you copy-paste fixes for each, and move your policy up step by step. Then we stand guard — forever.

No CNAME delegation — your DNS stays yours. Some DMARC platforms ask you to point a CNAME at their infrastructure to "manage" your records. We never do — you paste one TXT record, on your own DNS, under your own control.
RFC 9990-ready. DMARC's aggregate-report format was re-specified in May 2026 as RFC 9990 (part of DMARCbis). Our parser already reads both it and the original RFC 7489 format, so nothing breaks as providers migrate.

Pricing

Dedicated DMARC platforms start at $25–36/month. Cloudflare's free tool only works if your DNS lives on Cloudflare — and stops at recommendations: no alerts, no digests, no guided path to enforcement. We do the part that matters.

Free

$0
  • Unlimited domain checks
  • DMARC XML report analyzer
  • Weekly email digest, 1 domain
Start free
Early access — free for now

Monitor

$9/mo
  • Continuous report monitoring
  • Every sender identified & classified
  • Plain-English explanations
  • Instant alerts on failures & spoofing
Start free — connect your domain
Early access — free for now

Guard

$19/mo
  • Enforcement wizard: none → quarantine → reject, with safety checks at every step
  • Priority alerts + policy regression watch
  • Copy-paste DNS fixes per service
  • Up to 5 domains
Start free — connect your domain

All features are free during early access. The first 50 connected domains keep Monitor free for 1 year — no card, no waitlist, just add the DNS record.

Questions

I already have a DMARC record. Am I done?

Probably not. If your policy says p=none — like more than half of all DMARC records in 2026 — you have monitoring with zero protection. Anyone can still spoof your domain. The value is in reaching p=reject safely.

Won't a strict policy break my newsletters and invoices?

That's exactly why we exist. We watch your reports first, identify every legitimate service sending as you (your CRM, your invoicing tool, your newsletter app), help you authenticate each one, and only then tighten the policy. Nothing legitimate breaks.

Why not just use Cloudflare's free DMARC tool?

If your DNS is on Cloudflare, it's a decent report viewer with record recommendations. But it only works for domains on Cloudflare DNS, keeps about 30 days of history, sends no alerts or digests when something breaks or someone starts spoofing you, and leaves the move from p=none to p=reject entirely to you, "at your own pace". DMARCKeeper works with any DNS provider, watches your reports continuously, alerts you the day something changes, and moves your policy up step by step without breaking legitimate mail.

I send fewer than 5,000 emails a day. Does this apply to me?

Enforcement thresholds target bulk senders, but two things make this everyone's problem: rejections and spam-folder placement hit smaller senders too, and Microsoft's threshold is sticky — cross 5,000/day even once (one big promo, one product launch) and the requirements apply to your domain permanently. Spoofing doesn't care about your volume at all.

What do I need to get started?

Just your domain name for the free check. To connect monitoring: access to your DNS (wherever you bought your domain) and 5 minutes. We give you the exact records to paste.