Hunt. Identify. Enforce.
SpoofHunter is built for security practitioners and IT teams who need real threat intelligence — not just another pass/fail dashboard.
Real-time analytics that actually make sense.
DMARC aggregate reports contain thousands of rows of XML. SpoofHunter turns them into a clean dashboard you can actually act on — without a DMARC PhD.
Pass rate by day/week/month
Track your authentication health over time. Spot drops before they become problems.
Volume trends
See email volume per domain, per sender, per day. Catch anomalies early.
Source breakdown
See who sent how many emails, grouped by sending service (Google, Mailchimp, Salesforce, etc.).
Multi-domain overview
See all your domains at a glance — health score, policy, pass rate, last alert.
Pass Rate: 97.3%
Total Msgs: 24,891
Failing: 663
Pass rate — last 30 days
Google Workspace | 209.85.x | 18,432 msgs | Authorized
Mailchimp | 198.2.x | 4,211 msgs | Authorized
Salesforce | 136.147.x | 2,100 msgs | Authorized
Sender Details — 185.220.101.47
🚨 Alert triggered
This IP is a known Tor exit node associated with phishing campaigns. Recommend: classify as unauthorized and advance to p=reject.
Know exactly who's sending from your domain.
Every IP address in your DMARC reports is enriched with network data, geo-location, abuse reputation, and ESP classification. No more guessing.
ASN & Organization lookup
Identify the network owner behind every IP. Know if it's Google, Mailchimp, AWS, or an unknown VPS.
Geo-location & PTR records
See where emails originate. Unexpected country? Red flag.
Abuse reputation checks
Cross-reference with Spamhaus, AbuseIPDB, and Tor exit node lists.
ESP auto-detection
Automatically match IPs to known email service providers.
The guided path to p=reject.
Most IT teams get stuck at p=none forever — afraid to break email. SpoofHunter tells you exactly when it's safe to advance, with the exact DNS record to publish.
p=none
⚡ Current stage
Monitoring mode
No emails are blocked. You're collecting data, identifying all your senders, and building visibility. The safe starting point.
p=quarantine
🎯 Next milestone
Quarantine mode
Suspicious emails go to spam. You're enforcing authentication for most traffic. Ready when your pass rate is above 90% and all authorized senders are identified.
p=reject
🏆 End goal
Full enforcement
Unauthenticated emails are rejected entirely. Zero spoofing possible. Achieve this when your pass rate is consistently above 95% for 14+ days.
How SpoofHunter guides you
📊 Pass rate monitoring
We track your daily pass rate. When it stays above 95% for 14 consecutive days, we tell you it's safe to advance.
🔍 Sender verification
Before advancing, confirm all authorized senders are identified and classified. We show you which ones still have unresolved authentication failures.
📋 Exact DNS record
When you're ready to advance, we generate the exact DMARC record to publish — including adkim, aspf, pct, and sp settings.
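The gates described above, written out as an added example (not SpoofHunter's implementation): the 90% gate for quarantine, the 95%-for-14-consecutive-days gate for reject, the sender check, and a record builder covering adkim, aspf, pct and sp. The function names, the `rua` address, the use of the most recent day for the 90% gate and the strict "above" comparison are assumptions made for the example.

```python
STAGES = ["none", "quarantine", "reject"]


def streak_above(daily_rates, threshold):
    """Length of the trailing run of days with pass rate strictly above threshold."""
    run = 0
    for rate in reversed(daily_rates):
        if rate <= threshold:
            break
        run += 1
    return run


def next_policy(current, daily_rates, unresolved_senders):
    """Return the policy to publish next, or `current` if a gate is not met."""
    if unresolved_senders or not daily_rates:
        return current  # sender verification comes before any advancement
    if current == "none" and daily_rates[-1] > 90.0:
        return "quarantine"
    if current == "quarantine" and streak_above(daily_rates, 95.0) >= 14:
        return "reject"
    return current


def dmarc_record(policy, rua, sp=None, adkim="r", aspf="r", pct=100):
    """Build the TXT value for _dmarc.<domain>; v comes first, then p."""
    if policy not in STAGES or (sp is not None and sp not in STAGES):
        raise ValueError("policy must be none, quarantine or reject")
    if adkim not in ("r", "s") or aspf not in ("r", "s"):
        raise ValueError("alignment mode must be r (relaxed) or s (strict)")
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags = [("v", "DMARC1"), ("p", policy)]
    if sp is not None:
        tags.append(("sp", sp))
    tags += [("adkim", adkim), ("aspf", aspf), ("pct", str(pct)),
             ("rua", "mailto:" + rua)]
    return "; ".join(f"{k}={v}" for k, v in tags)


# Constructed history: one dip to 94.9, then 13 days above 95%.
HISTORY = [96.8, 97.1, 94.9] + [97.3] * 13

if __name__ == "__main__":
    policy = next_policy("quarantine", HISTORY + [97.4], unresolved_senders=0)
    print(dmarc_record(policy, "dmarc@example.com", sp=policy))
```

A single day at or below the threshold resets the streak, so the dip to 94.9 in the constructed history means the count starts again from the following day.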
Know the moment something changes.
Don't check the dashboard every day. Let SpoofHunter tell you when something needs your attention. Configure rules, get notified, take action.
New unauthorized sender
Unknown IP sending from your domain? You'll know within minutes.
Fail rate spike
Pass rate drops suddenly? Could be a misconfiguration or a new service. Alert immediately.
Volume spike
Sudden email volume increase from an IP could indicate abuse. Alert and investigate.
Policy change detected
Someone changed your DMARC DNS record? You'll know.
Notification channels:
New unauthorized sender
2 min ago: Unknown IP 185.220.101.47 sent 47 messages from example.com. Tor exit node flagged by Spamhaus.
Fail rate spike detected
1h ago: example.com fail rate jumped to 18% in the last hour. 3× above baseline. Possible misconfiguration.
Policy advancement ready
2h ago: example.com has maintained 97%+ pass rate for 14 days. Ready to advance from quarantine to reject.
# Response
{
  "data": {
    "domain": "example.com",
    "period": "last_30_days",
    "total_messages": 24891,
    "pass_rate": 97.34,
    "policy": "quarantine",
    "health_score": 82,
    "unauthorized_senders": 1,
    "enforcement_ready": true
  }
}
Build on top of your DMARC data.
Full REST API with JSON responses, webhook delivery, and Sanctum token authentication. Integrate SpoofHunter data into your SIEM, security dashboard, or internal tools.
Full CRUD API
Manage domains, read reports, access analytics, classify senders — all via API.
Webhook delivery
Receive real-time events (new report, new sender, alert triggered) via webhooks with HMAC signature verification.
Granular scopes
Create tokens with specific scopes (domains:read, reports:read, analytics:read) for least-privilege access.
OpenAPI docs
Full API documentation with interactive playground. No guessing required.
Beyond DMARC — Domain Risk Protection.
On the Business plan, SpoofHunter connects your DMARC data to X-RAY — EBRAND's enterprise DRP platform, built over 20 years of domain threat intelligence.
Lookalike detection
Monitor domains registered to impersonate your brand. Get alerted when yourcompany-login.com is registered.
Phishing campaign tracking
Match unknown senders to active phishing campaigns in our global threat intelligence database.
Brand abuse monitoring
Track unauthorized use of your brand name, logo, and domain across the internet — not just DMARC reports.
Know exactly who's sending from your domain — and stop the ones who shouldn't be.
Free plan. No credit card required. First report in under 48 hours.