Red Sift’s definitive guide to email security

image
Explore our guide
In this chapter
In this chapter

Why choose Red Sift for your email security?

Founded in 2016, the Red Sift Platform was built as a direct response to the challenges many global organizations were facing when trying to fix vulnerabilities in their cyber infrastructure. 

Red Sift OnDMARC, an automated DMARC application, was the first product to launch on the Platform. It enables businesses all over the globe to easily, quickly, and safely implement DMARC, thus protecting business email communications with customers, suppliers, and partners by blocking vendor fraud, account takeovers, and email spoofing. 

What are the benefits of Red Sift OnDMARC? 

Everything within OnDMARC is designed to save you time and simplify your DMARC journey as you fully secure your domain.

Easy configuration

Our powerful automation does all the heavy lifting by continuously analyzing what’s going on across your domain, surfacing alerts for where and how to make necessary changes to your email security. Then simply follow our extensive database with setup instructions for hundreds of well-known email sources.

Full visibility into your sending sources

Within 24 hours of adding your unique DMARC record to your DNS, OnDMARC begins to analyze and display your DMARC reports in clear and comprehensive dashboards. Who is sending on your behalf? Where in the world is your domain being used? Are your emails passing or failing DMARC validation? This gives a complete picture of your email landscape and not just the stuff that crosses your network boundary.

Expedited time to full enforcement

Relying on consultants is a time-consuming process to configure DMARC, leaving you with no ongoing visibility or knowledge of how it works, which may mean calling them again! One of the most commonly reported benefits of OnDMARC is an average time of 6-8 weeks to reach full enforcement—the fastest timeline in the industry as of 2026.

Ongoing monitoring

Once you’ve hit the switch to p=reject, it’s time to celebrate all those blocked impersonation attempts! If any of your defenses break, we’ll alert you of the root cause and provide instructions on how to fix it.

Unparalleled support

Red Sift’s Customer Success team is here to make setting up and maintaining your DMARC protection as simple and hassle-free as possible. We have a team of specialists available to help you with your DMARC project, from implementation to full in-life management so you can choose the level of support that works for you.

Red Sift CSEs are experienced in the most complex DMARC implementations at companies like Capgemini, ZoomInfo, and Wise, amongst others. Red Sift’s Customer Success is highly regarded by its enterprise customers, including Holland and Barrett, ZoomInfo, and TalkTalk.

icon

Explore our full library of customer case studies here.

Best-in-class features

Dynamic Services

Red Sift OnDMARC’s Dynamic Services allows you to control your email records from within the OnDMARC app. In other words, there’s no need to return to your DNS provider to update any email authentication-related records. Instead, this is done by replacing the static DNS records with OnDMARC’s smart records, either via NS delegation for DKIM and DMARC or a new smart TXT record for SPF.

services imageservices image
Dynamic Services in OnDMARC

Dynamic SPF

OnDMARC’s Dynamic SPF feature solves the 10 lookup limit by enabling you to use a single dynamic include to combine all authorized services correctly at the point of query. This prevents your authorized traffic from failing SPF validation and means your email deliverability will never be impacted. 

spf imagespf image
Dynamic SPF in OnDMARC

Investigate

What makes Red Sift OnDMARC different from all other tools on the market is its Investigate feature. It allows you to test configuration updates in real-time rather than waiting for DMARC data to arrive over 24 hours, drastically reducing the time needed for a DMARC project and speeding up the time needed until full protection is reached. This real-time testing capability has become essential for organizations in 2026 seeking rapid enforcement.

OnDMARC Investigate cardsOnDMARC Investigate cards
Investigate cards in OnDMARC

DNS Guardian

DNS Guardian actively monitors your domains for DNS misconfigurations that could lead to domain takeovers. This includes safeguarding against SubdoMailing, dangling DNS records, and CNAME takeovers.

Unique to the market, Red Sift OnDMARC is the only DMARC application that bridges the gap between DNS and DMARC in this way.

To learn more about the feature and how these types of DNS attacks bypass DMARC protections, read our blog.

dns guardian imagedns guardian image
DNS Guardian in OnDMARC

BIMI with VMC 

Red Sift OnDMARC’s BIMI feature is the only integrated BIMI and Verified Mark Certificate (VMC) solution available on the market. It guides you through the full BIMI application process and even helps you obtain a VMC without having to go directly to the Certificate Authority (CA). Issuing VMCs has historically been a tedious process but Red Sift’s integrated process aims to make it easier.

BIMI implementation with Red Sift includes end-to-end support from its Customer Success team. Another advantage is that a free VMC license is included in OnDMARC’s Enterprise tier so organizations don’t need to secure additional budget for BIMI.

imageimage
BIMI with VMC integration in OnDMARC

Hosted MTA-STS

Hosted MTA-STS is part of OnDMARC’s Dynamic Services interface. After you have added Smart Records to your domain’s DNS, it will host the MTA-STS policy file, maintain the SSL certificate, and flag any policy violations through the TLS report.

imageimage
Hosted MTA-STS in OnDMARC

Forensic reporting

Forensic reporting and machine learning provides granular information on unauthenticated emails while protecting privacy. Red Sift is one of only two DMARC vendors on the market who boast the Yahoo forensics feed that enhances forensic reporting. 

imageimage
Aggregate and forensic reports in OnDMARC

APIs

OnDMARC has a REST API that can be used to integrate with your custom dashboards and other internal systems. All endpoints are documented here with working examples; from managing every aspect of Dynamic Services and your email sources to creating your own charts from reporting data. You can also add and remove domains, configure alerts, or analyze any domain programmatically.

About Red Sift

Today, we have over 1,200+ customers including some of the most recognized brands in the world, such as Capgemini, Domino’s, ZoomInfo, Athletic Greens, Telefonica, and Wise.

The company has strategic partnerships with Cisco, Clouldflare, Google, Microsoft, and IBM.

Red Sift is deeply committed to quality with the following quality and security accreditations:

  • ISO 27001:2022
  • Soc 2 Type II
  • Members of CyberExchange and Global Cyber Alliance
  • Data centers in the UK, EU and USA for data residency requirements

Good luck on your DMARC journey!

We hope that you found this guide a useful way to start building your understanding of DMARC and all its security benefits. We appreciate it’s a lot to take in but remember, if you can find yourself a trusted and proven DMARC provider, you’ll have an expert by your side for your whole DMARC journey, making it easier, faster, and painless.

With DMARC now required by major inbox providers in 2026, the right platform partner makes all the difference in achieving rapid, reliable enforcement.

free trial imagefree trial image
Try a 14-day free trial of our award-winning, automated DMARC application, Red Sift OnDMARC, that’ll help you take back control of your email reputation in just 6-8 weeks

Frequently asked questions: Email security guide

Why is email inherently insecure and how do attackers exploit this vulnerability?

All email security measures (apart from DMARC) are ineffective at spotting a malicious email when it appears to come from a legitimate domain. This is because of a flaw in Simple Mail Transfer Protocol (SMTP). In October 2008, the Network Working Group officially labelled it 'inherently insecure', stating that anyone could impersonate a domain and use it to send fraudulent emails pretending to be the domain owner.

Anyone with a very basic knowledge of coding can learn the steps required to impersonate someone's email identity through a quick Google search. The result is an email that looks legitimate without typical phishing indicators. With 3.4 billion phishing emails sent every day, email systems remain the prime target for cybercriminals.

What are SPF and DKIM, and why aren't they enough to protect email on their own?

SPF (Sender Policy Framework) verifies that an email is sent from an IP address authorised by the sending domain's SPF record through a DNS TXT record listing authorised mail servers.

DKIM (DomainKeys Identified Mail) uses a cryptographic signature, validated via a public key in DNS, to confirm that the email's content hasn't been altered and comes from an authorised domain. Both are essential to email security, but neither prevents exact impersonation.

While the protocols tell the recipient who the email is from, the recipient has no instruction to act on this knowledge. Major inbox providers now require SPF and DKIM for bulk email senders in 2026.

What is DMARC and how does it work with SPF and DKIM to stop domain spoofing?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It's an outbound email security protocol that allows domain owners to tell receiving inboxes to reject spoof emails. DMARC works by combining the results of SPF and DKIM to determine if your email is authentic and authorised.

The DMARC policy (defined by the "p=" tag in your DNS record) then tells recipient servers what to do with it. DMARC stops exact domain impersonation by instructing recipient servers not to accept any emails which aren't authenticated. In 2026, DMARC has become a standard requirement for organisations sending bulk email.

What is the SPF 10-lookup limit and how do organisations solve this problem in 2026?

The SPF specification limits DNS lookups to 10. If your SPF record exceeds this, SPF will fail. The SPF mechanisms counted are: a, ptr, mx, include, redirect and exists. In reality, 10 lookups aren't enough because most businesses use multiple email-sending tools.

G Suite alone takes up 4 DNS lookups, add in HubSpot for marketing which uses 7 lookups and you're already over the limit. As soon as you go over 10 SPF lookups, your email traffic will begin to randomly fail validation. This is why organisations in 2026 are shifting to dynamic SPF management rather than trying to manually maintain flattened records.

What is MTA-STS and why is transport layer security essential for email protection?

Mail Transfer Agent Strict Transport Security (MTA-STS) is a standard that enables the encryption of messages being sent between two mail servers. It specifies that emails can only be sent over a Transport Layer Security (TLS) encrypted connection which prevents interception by cybercriminals. SMTP alone does not provide security, making it vulnerable to man-in-the-middle attacks where communication is intercepted and possibly changed.

Additionally, encryption is optional in SMTP, meaning emails can be sent in plaintext. Without MTA-STS, an attacker can intercept the communication and force the message to be sent in plain text. In 2026, MTA-STS has become a standard security control for organisations handling sensitive communications.

What are the business benefits of implementing DMARC at enforcement?

By implementing DMARC you benefit from stopping phishing attempts that appear to come from you, stronger customer trust, reduced cyber risk and compliance with bulk sender requirements from Google, Yahoo and Microsoft.

DMARC strengthens compliance with PCI DSS 4.0 and enhances overall organisational resilience against evolving cyber threats. Once at p=reject (enforcement), DMARC blocks vendor fraud, account takeovers, and email spoofing by stopping bad actors from using your domain to send phishing emails and carry out Business Email Compromise (BEC). According to Verizon's 2025 Data Breach Investigations Report, BEC attacks constitute more than 17-22% of all Social Engineering incidents.

How long does DMARC implementation typically take and what makes Red Sift OnDMARC different?

Red Sift OnDMARC accelerates the DMARC journey with automated sender discovery, prescriptive fixes, anomaly detection, and role-based access for global teams. By 2026, leading platforms enable enterprises to reach p=reject enforcement in 6-8 weeks rather than the six month timelines once typical.

One of the most commonly reported benefits of OnDMARC is an average time of 6-8 weeks to reach full enforcement. The platform's powerful automation continuously analyses what's going on across your domain, surfacing alerts for where and how to make necessary changes. Within 24 hours of adding your unique DMARC record to DNS, OnDMARC begins to analyse and display DMARC reports in clear dashboards.

What global mandates and requirements now exist for DMARC in 2026?

Major email providers including Microsoft, Google, and Yahoo now mandate DMARC for bulk senders (organisations sending 5,000+ emails per day) as of 2024-2025, and these requirements have become standard in 2026.

Beyond inbox provider requirements, certain industries and government regulations are moving toward mandating DMARC. U.S. federal agencies are required to use DMARC, as are DORA regulated payment processors. Additionally, DMARC implementation strengthens compliance with regulations including PCI DSS 4.0, GDPR, and NIS2. For cybersecurity, email security and IT teams, ensuring your organisation's email security aligns with international best practices and requirements is essential.