Our engineers configure SPF, DKIM and DMARC on your domain and monitor the daily reports — the same setup big-brand legal and finance teams pay thousands for. Flat fee, no setup charge.
Every email server on the internet checks these three DNS records before deciding whether to trust mail claiming to come from your domain. We set up all three correctly and watch them every day.
We publish the exact list of servers allowed to send as your domain — so spoofers using your name get rejected before they hit an inbox.
We generate and rotate cryptographic keys that sign every outgoing email, proving to receiving servers it really came from you and wasn’t altered.
We set policy to reject impersonators, monitor the daily reports from Google, Microsoft and Yahoo, and alert you the moment something looks off.
A missing DMARC reject policy or a stale SPF record isn’t a paperwork problem. It’s the open door attackers walk through. Three patterns we see in UK businesses every month, plus one public incident on the record.
An attacker spoofed the managing partner’s address and emailed the finance lead asking to redirect a client’s settlement. Without a DMARC reject policy, the spoofed mail landed straight in the inbox with no warning. The transfer cleared before anyone noticed.
p=reject — included in our £15/mo service.They added a new email tool but never updated SPF. Half their order confirmations and password resets started landing in spam or bouncing. Customers churned, support tickets piled up, and the cause wasn’t found for nearly a month.
Phishers cloned the CEO’s domain because there was no DKIM signature to verify against. Staff received a series of urgent “invoice attached” emails leading to credential theft, then ransomware on a shared drive. The recovery cost dwarfed the ransom.
p=reject — both covered.An aerospace supplier to Airbus and Boeing lost roughly €42 million to a CEO-impersonation email. The attacker used a domain spoof that proper DMARC enforcement would have caught at the receiving server. The CEO and CFO were dismissed in the aftermath.
If something here doesn’t answer your question, call us on +44 203 355 2711.
No. We start in monitoring mode (DMARC p=none) so we can see every system sending mail as you — Microsoft 365, Mailchimp, your CRM, your accountant’s tool — before we tighten the policy. Only when reports are clean do we move to reject. Zero risk to legitimate mail.
Email or call us. We update SPF and add the new sender’s DKIM key. Included in the monthly fee — no extra charge for "we just signed up to HubSpot."
We don’t bill per-domain or per-mailbox. One flat monthly fee per domain. Most enterprise tools (Valimail, Dmarcian, Red Sift) start at £100+/mo because they bundle dashboards you don’t need. We do the work, you get the protection.
No. We only touch DNS records — the public records that say "this is who’s allowed to send as me." Your mail server, mailboxes and contents stay completely private to you.
Yes, anytime. Email or call. We hand you back the records (you keep DKIM keys), no clawback, no exit fee.
Once we have DNS access (or you publish records we send), live monitoring follows shortly after. The full DMARC reject policy follows after a 1–2 week observation window so we don’t accidentally block your own systems.
Lock your domain for less than the price of one team coffee round.
Start protecting my domain — £15/month → Or run a free 30-second domain scan first →