⚙️ Product Features

Hunt. Identify.
Enforce.

SpoofHunter is built for security practitioners and IT teams who need real threat intelligence — not just another pass/fail dashboard.

📊 Analytics & Visibility

Real-time analytics that actually make sense.

DMARC aggregate reports contain thousands of rows of XML. SpoofHunter turns them into a clean dashboard you can actually act on — without a DMARC PhD.

Pass rate by day/week/month

Track your authentication health over time. Spot drops before they become problems.

Volume trends

See email volume per domain, per sender, per day. Catch anomalies early.

Source breakdown

Who sent how many emails. Grouped by sending service (Google, Mailchimp, Salesforce, etc.)

Multi-domain overview

See all your domains at a glance — health score, policy, pass rate, last alert.

Domain Analytics — example.com

Pass Rate

97.3%

Total Msgs

24,891

Failing

663

Pass rate — last 30 days

Google Workspace

209.85.x

18,432 msgs

Authorized

Mailchimp

198.2.x

4,211 msgs

Authorized

Salesforce

136.147.x

2,100 msgs

Authorized

Sender Details — 185.220.101.47

IP Address 185.220.101.47
PTR Record tor-exit.example.onion.city
ASN AS60729 — Tor Project
Country 🇩🇪 Germany
Abuse Flagged YES — Spamhaus, AbuseIPDB
Known Tor Exit Yes
Messages Sent 47 messages last 7 days
Classification ⚠ Unauthorized / Suspicious

🚨 Alert triggered

This IP is a known Tor exit node associated with phishing campaigns. Recommend: classify as unauthorized and advance to p=reject.

🔍 Sender Intelligence

Know exactly who's sending from your domain.

Every IP address in your DMARC reports is enriched with network data, geo-location, abuse reputation, and ESP classification. No more guessing.

ASN & Organization lookup

Identify the network owner behind every IP. Know if it's Google, Mailchimp, AWS, or an unknown VPS.

Geo-location & PTR records

See where emails originate. Unexpected country? Red flag.

Abuse reputation checks

Cross-reference with Spamhaus, AbuseIPDB, and Tor exit node lists.

ESP auto-detection

Automatically match IPs to known email service providers.

🛡️ Guided Enforcement

The guided path to p=reject.

Most IT teams get stuck at p=none forever — afraid to break email. SpoofHunter tells you exactly when it's safe to advance, with the exact DNS record to publish.

p=none ⚡ Current stage

Monitoring mode

No emails are blocked. You're collecting data, identifying all your senders, and building visibility. The safe starting point.

Monitoring mode

p=quarantine 🎯 Next milestone

Quarantine mode

Suspicious emails go to spam. You're enforcing authentication for most traffic. Ready when your pass rate is above 90% and all authorized senders are identified.

Quarantine mode

p=reject 🏆 End goal

Full enforcement

Unauthenticated emails are rejected entirely. Zero spoofing possible. Achieve this when your pass rate is consistently above 95% for 14+ days.

Full enforcement

How SpoofHunter guides you

📊 Pass rate monitoring

We track your daily pass rate. When it stays above 95% for 14 consecutive days, we tell you it's safe to advance.

🔍 Sender verification

Before advancing, confirm all authorized senders are identified and classified. We show you which ones still have unresolved authentication failures.

📋 Exact DNS record

When you're ready to advance, we generate the exact DMARC record to publish — including adkim, aspf, pct, and sp settings.

🚨 Smart Alerts

Know the moment something changes.

Don't check the dashboard every day. Let SpoofHunter tell you when something needs your attention. Configure rules, get notified, take action.

New unauthorized sender

Unknown IP sending from your domain? You'll know within minutes.

Fail rate spike

Pass rate drops suddenly? Could be a misconfiguration or a new service. Alert immediately.

Volume spike

Sudden email volume increase from an IP could indicate abuse. Alert and investigate.

Policy change detected

Someone changed your DMARC DNS record? You'll know.

Notification channels:

Email Webhooks Slack (soon) Teams (soon)
🚨

New unauthorized sender

2 min ago

Unknown IP 185.220.101.47 sent 47 messages from example.com. Tor exit node flagged by Spamhaus.

⚠️

Fail rate spike detected

1h ago

example.com fail rate jumped to 18% in the last hour. 3× above baseline. Possible misconfiguration.

Policy advancement ready

2h ago

example.com has maintained 97%+ pass rate for 14 days. Ready to advance from quarantine to reject.

GET /api/v1/domains/{id}/analytics/summary

# Response

{

"data": {

"domain": "example.com",

"period": "last_30_days",

"total_messages": 24891,

"pass_rate": 97.34,

"policy": "quarantine",

"health_score": 82,

"unauthorized_senders": 1,

"enforcement_ready": true

}

}

🔗 REST API

Build on top of your DMARC data.

Full REST API with JSON responses, webhook delivery, and Sanctum token authentication. Integrate SpoofHunter data into your SIEM, security dashboard, or internal tools.

Full CRUD API

Manage domains, read reports, access analytics, classify senders — all via API.

Webhook delivery

Receive real-time events (new report, new sender, alert triggered) via webhooks with HMAC signature verification.

Granular scopes

Create tokens with specific scopes (domains:read, reports:read, analytics:read) for least-privilege access.

OpenAPI docs

Full API documentation with interactive playground. No guessing required.

View API documentation →
🌐 360° Domain Intelligence

See everything. Miss nothing.

Time and geography together. The daily histogram shows your pass/fail trend at a glance. The world map shows every IP sending from your domain, colored by pass rate. Together they answer the question no DMARC dashboard has answered before: who sends email claiming to be you, from where, and is it clean?

Daily pass/fail histogram

Stacked bar chart of authenticated vs failing volume. Switch between 7, 30, and 90-day windows. Fail spikes are immediately visible — including the day a phishing campaign started.

World map of sending sources

Every IP that sends email from your domain, plotted on a world map. Pin color reflects pass rate: green for authorized, amber for mixed, red for failing. Click any pin to drill into that source.

Geographic anomaly detection

See unauthorized senders by country before you get a breach report. A German Tor exit node and your US Mailchimp account look very different on a map.

Policy enforcement timeline

Track your journey from p=none to p=reject over time. The histogram makes policy changes visible — you can see exactly when enforcement started working.

Daily send volume

7d 30d 90d
Pass
Fail

Global sending sources

Pass
Mixed
Fail

Placeholder — pins use your actual sending IPs

🛡️ Business plan · DRP Intelligence

Beyond DMARC — Domain Risk Protection.

On the Business plan, SpoofHunter connects your DMARC data to X-RAY — EBRAND's enterprise DRP platform, built over 20 years of domain threat intelligence.

🎯

Lookalike detection

Monitor domains registered to impersonate your brand. Get alerted when yourcompany-login.com is registered.

🌐

Phishing campaign tracking

Match unknown senders to active phishing campaigns in our global threat intelligence database.

📡

Brand abuse monitoring

Track unauthorized use of your brand name, logo, and domain across the internet — not just DMARC reports.

See Business plan

Know exactly who's sending from your domain — and stop the ones who shouldn't be.

Free plan. No credit card required. First report in under 48 hours.

Request Early Access