Continuous monitoring · Enforcement migration · Managed BIMI

DMARC + BIMI monitoring. We watch who tries to spoof you and close the door without breaking your legitimate email.

People who sell DMARC usually leave you in p=none, which is seeing the problem without solving it. Our job is to walk you from monitoring to enforcement (p=quarantine, then p=reject) over nine to eighteen months, without blocking legitimate email from employees, CRM, payroll or vendor portals. When we hit enforcement, we add BIMI so your verified logo shows in Gmail, Yahoo and Apple Mail.

Domains with no effective DMARC: 69.6%
Reach p=reject: 11.1%
VMC annual from: $749
Correct migration: 9-18 months

The real state of enforcement

Almost everyone publishes DMARC. Almost no one enforces it.

The latest EasyDMARC report analyzes 1.8 million global domains with three snapshots taken during 2023, 2025 and early 2026, which gives enough granularity to distinguish nominal adoption from effective implementation with real enforcement. The findings are stark and useful for understanding why publishing a DMARC record is not the same as being protected. About half of the top 1.8M have a DMARC record published. Only nine percent combine enforcement (p=quarantine or p=reject) with RUA reporting configured, which is the only configuration that really protects.

  • 69.6% of global domains have no effective DMARC protection (1.15M analyzed, April 2026)
  • 19.4% have partial coverage via p=quarantine or gradual rollout
  • 11.1% have complete protection with p=reject at one hundred percent
  • 9% configure enforcement plus RUA reporting (the only combination that really protects)

The gap between Fortune 500 and Inc. 5000 explains the pattern. Big corporations reached 95% adoption and over 80% in enforcement. Mid-market companies remain mostly parked at p=none, observing spoofing without acting. The operational difference: Fortune 500 has dedicated email security teams; mid-market typically has a provider that published the record and forgot.

Mailbox providers are no longer waiting. Google and Yahoo have required DMARC for bulk senders since February 2024. Microsoft (Outlook, Hotmail, Live) has rejected non-compliant senders since May 2025. Gmail escalated from soft warnings to active SMTP-level rejection in November 2025, which means a bulk email without DMARC enforcement no longer even enters the receiver filter system: it bounces first. That is the operational reality that determines deliverability today in Panama as much as in Boston.

Interactive simulator

What happens if someone spoofs your domain right now?

The behavior depends on which DMARC policy you have published. Tap a policy to see the flow of a typical spoofing attack and how many emails would be blocked daily with an estimated base of 50,000 sends.

[Spoofing simulator: an attacker server sends email pretending to be yourdomain.com; the receiving server (Gmail / Yahoo / Apple) runs the SPF check, the DKIM check and the DMARC policy. With p=none selected, the message lands in the inbox as legitimate and the customer opens it: ~50,000 spoof emails arriving per month, 0 (0%) blocked by DMARC, ~50,000 per month reaching customer inboxes.]

Numbers estimated for a mid-volume Panama domain with a 50K contact base. The real spoofing rate is measured in RUA reports during the first month of monitoring.

Real migration · 9 to 18 months

Four phases to reach p=reject without blocking legitimate email.

Moving an active domain straight from p=none to p=reject without going through intermediate phases silently blocks legitimate email until the first client calls angry about not getting the monthly invoice. That happens every time because no team knows 100 percent of the services that send email on behalf of the domain: CRM, payroll, HR providers, marketing tools, web forms, ticketing systems, monitoring that sends alerts. Each one needs SPF or DKIM correctly aligned before raising enforcement, and the complete inventory only emerges when RUA reports start showing traffic from IPs nobody recognizes.

Phase 01
p=none
60 — 90 days

Pure monitoring. We receive aggregated RUA reports from Gmail, Yahoo, Microsoft. We identify each legitimate sender. We document in a spreadsheet with a technical owner for each one.

Phase 02
p=quarantine pct=10
30 — 60 days

10% of unauthenticated traffic goes to spam. We verify no critical legitimate mail gets lost. If a sender breaks, we fix it before raising the percentage.

Phase 03
p=quarantine pct=100
30 — 60 days

100% of unauthenticated traffic goes to spam. Final verification that alignment is stable above 95%. Without this check there is no clean path to reject.

Phase 04
p=reject pct=100
Permanent

Full block. The receiving server drops malicious email before delivering it. Continuous monitoring to detect new legitimate senders that come in after.
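The gate between phases can be computed directly from the aggregate reports. The following is an added example, not code from this page or from parsedmarc: it tallies DMARC-aligned volume per source IP and checks the 95% threshold across a window of reports. The sample report, the IP addresses and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
# Real reports arrive compressed by email from third parties; in production,
# parse them with a hardened XML parser such as defusedxml.
SAMPLE_RUA = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>20</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Return {source_ip: [aligned_count, total_count]} for one report."""
    per_source = defaultdict(lambda: [0, 0])
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip", default="unknown")
        count = int(row.findtext("count", default="0"))
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned mechanism (DKIM or SPF) passes.
        ok = ev is not None and "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        per_source[ip][1] += count
        if ok:
            per_source[ip][0] += count
    return dict(per_source)

def alignment_rate(per_source):
    """Share of reported messages that passed DMARC, from 0.0 to 1.0."""
    total = sum(t for _, t in per_source.values())
    aligned = sum(a for a, _ in per_source.values())
    return aligned / total if total else 0.0

def failing_sources(per_source):
    """Sources with unaligned mail: a sender to fix, or a spoofer."""
    return sorted(ip for ip, (a, t) in per_source.items() if a < t)

def ready_to_raise(daily_reports, threshold=0.95):
    """True only if every report in the window meets the threshold."""
    return bool(daily_reports) and all(
        alignment_rate(summarize(r)) >= threshold for r in daily_reports)

if __name__ == "__main__":
    s = summarize(SAMPLE_RUA)
    print(f"alignment {alignment_rate(s):.1%}, unaligned: {failing_sources(s)}")
```

Each address returned by `failing_sources` goes to the sender inventory for triage before the policy is raised.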

These are the real DNS records published at the end of phase 04 for a domain that also runs BIMI:

DNS · _dmarc.yourdomain.com (TXT) · Production

; --- DMARC in full enforcement ---
_dmarc.yourdomain.com. 3600 IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-rua@yourdomain.com; ruf=mailto:dmarc-ruf@yourdomain.com; adkim=s; aspf=s; fo=1"

; --- BIMI with VMC to show logo in Gmail ---
default._bimi.yourdomain.com. 3600 IN TXT "v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=https://yourdomain.com/bimi/cert.pem"

; --- SPF and DKIM supporting enforcement ---
yourdomain.com. 3600 IN TXT "v=spf1 include:_spf.google.com include:_spf.mailgun.org ip4:200.46.X.0/24 -all"

BIMI · The visual layer

Once you reach enforcement, your logo shows in the inbox.

BIMI only works when DMARC is in enforcement (p=quarantine or p=reject). It is the visual reward for the migration work: your verified logo appears next to the sender in Gmail, Apple Mail, Yahoo, Fastmail, AOL. It does not appear in Outlook or Microsoft 365 yet, because Microsoft has not joined the standard.
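Whether a published record meets that precondition can be checked from its TXT value. The following is an added example, not this page's or any vendor's code: it parses the record's tags and reports the protection level, whether RUA reporting is configured, and whether the BIMI precondition holds. The function names are illustrative, and the pct=100 requirement for BIMI is an addition from mailbox-provider guidance, not stated on this page.

```python
def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # The version tag must come first and be exactly DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def assess(txt):
    """Classify a record: protection level, RUA presence, BIMI precondition."""
    tags = parse_dmarc(txt)
    if tags is None:
        return {"level": "none", "rua": False, "bimi_ok": False}
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 100                          # a malformed tag is ignored
    enforcing = policy in ("quarantine", "reject")
    if policy == "reject" and pct == 100:
        level = "full"
    elif enforcing:
        level = "partial"                  # quarantine, or a gradual rollout
    else:
        level = "none"                     # p=none only observes
    return {
        "level": level,
        "rua": tags.get("rua", "").lower().startswith("mailto:"),
        # Assumption added here: BIMI-displaying receivers also expect pct=100.
        "bimi_ok": enforcing and pct == 100,
    }

# The phase 04 record shown above, plus constructed earlier-phase records.
PHASE_04 = ("v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-rua@yourdomain.com; "
            "ruf=mailto:dmarc-ruf@yourdomain.com; adkim=s; aspf=s; fo=1")
PHASE_02 = "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-rua@yourdomain.com"
PARKED = "v=DMARC1; p=none"

if __name__ == "__main__":
    for record in (PARKED, PHASE_02, PHASE_04):
        print(assess(record))
```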

The measurable impact is real. Red Sift and Entrust studies document +90% lift in consumer trust when seeing the verified logo, +4-6% open rate, +80% click-through rate, +44% brand recall. For a Panama operation with B2C base in Gmail and B2B with Apple Mail, BIMI pays back the certificate cost in a few months.

Choosing the certificate type is not trivial. Three options, each with a distinct profile.

Feature | Self-asserted (no certificate) | CMC (recommended mid-market) | VMC (enterprise + trademark)
Annual cost | $0 | | $749 — $1,688
Trademark required | No | | Yes
Gmail (logo) | Does not show | | Shows
Gmail blue checkmark | No | | Yes
Apple Mail (iCloud, iOS) | No | | Yes
Yahoo Mail · AOL · Fastmail | Yes | | Yes
Outlook · Microsoft 365 | Not supported | | Not supported
Provisioning time | 1 — 3 days (DNS only) | | 2 — 4 weeks
Ideal for | Testing, secondary domains, Yahoo-heavy | | Enterprise with active trademark and massive B2C base

For Panama companies with regional base, the default recommendation is CMC. The difference between CMC and VMC is the Gmail blue checkmark, real value but not decisive for most campaigns. The savings from not needing an active trademark offset losing the checkmark, especially if your trademark plan is in process or not a priority. For clients with a registered mark and high B2C Gmail volume, VMC has clear ROI because the checkmark moves measurable engagement metrics.

EMP capabilities · DMARC + BIMI

The six things we do.

Audit + initial DMARC setup

Diagnostic of current DNS, publishing of the DMARC record at p=none correctly formed, RUA and RUF mailbox configuration, validation against major mailbox providers within 48 hours.

Parsing and dashboard

Aggregated RUA reports parsed with parsedmarc plus Elasticsearch, custom Grafana dashboard showing identified senders, alignment rate by source, detected spoofing volume, month-over-month trends.

Managed migration to enforcement

Four-phase plan (none → quarantine pct=10 → quarantine pct=100 → reject) with human validation between each step. Coordination with your IT team and SaaS providers (CRM, payroll, marketing).

BIMI provisioning

Full BIMI setup with CMC or VMC based on your case. Coordination with DigiCert or Entrust. Preparation of SVG Tiny PS conforming to spec. PEM hosting. Publishing of the BIMI DNS record.

Alerts and incident response

Automated alerts on Slack, Telegram or WhatsApp Business when a new unauthorized sender appears, when alignment rate drops, when detected spoofing spikes, or when the VMC certificate approaches expiration.

Human monthly reporting

Monthly report written by a human explaining what happened with your authentication: new senders detected, gaps remediated, next steps. Not an auto-generated PDF: someone reads your dashboards and explains what matters.

Transparent pricing

Three tiers based on domains and BIMI.

The initial technical audit is free. We calibrate the tier after reviewing your current DNS and understanding how many real domains you operate (subdomains count).

Light

1 domain · monitoring + reports.

$390 setup + $190 USD/mo managed
  • 1 primary domain monitored
  • RUA report parsing
  • Basic Grafana dashboard
  • Written monthly report
  • Broken-configuration alerts
  • BIMI not included

Enterprise

Unlimited domains · managed VMC.

$2,400+ setup + $890+ USD/mo managed
  • Unlimited domains and subdomains
  • Managed VMC for up to 3 brands
  • Apple Business Connect coordination
  • Dedicated client stack
  • 24/7 support · 1h SLA
  • Quarterly configuration audit
The real questions

What the CTO asks in the first meeting.

"I already have SPF and DKIM published. Do I really need DMARC?"

SPF and DKIM authenticate the sender. DMARC is the layer telling receivers what to do when those checks fail. Without DMARC, the receiver makes generic decisions (typically delivery with warning). With DMARC in enforcement, the receiver drops or marks per your choice. One extra critical point for bulk senders: since February 2024 Google and Yahoo require DMARC for senders over 5,000 emails per day. Without DMARC enforcement there is already measurable deliverability impact, not just phishing prevention.

"If I go to p=reject I will block legitimate email from my employees or vendor portals."

That is exactly the risk if you skip phases. That is why correct migration takes 9 to 18 months. You start at p=none with monitoring for 60-90 days to identify all legitimate domain senders (CRM, payroll, marketing tools, ATS, vendor portals, monitoring). Each one requires SPF or DKIM correctly aligned. When you reach 95-98% stable alignment for 30 days, move to p=quarantine with pct=10. Then pct=50, then pct=100. Only after quarantine 100% stable for 30 days do you move to reject. Any provider that does not respect this timeline breaks legitimate email. That is the line between a vendor who knows and a vendor who improvises.

"I have had p=none for two years and nothing visible happened. Does it really matter to move forward?"

p=none is seeing the problem without solving it. RUA reports show how many emails spoof your domain monthly (typically between 200 and 50,000 for mid-volume Panama domains). Those emails land in your customers', vendors' and employees' inboxes as if they came from you. Successful phishing from your domain can generate financial fraud reputationally attributable to your company. There is another operational reason: if you send over 5K emails daily from the domain, p=none already impacts your deliverability with Google and Yahoo since February 2024.

"There are free DMARC services. Why pay managed?"

Free dashboards do the job. The cost is not the dashboard; it is the monthly human work: reading XML reports, identifying new senders, coordinating fixes with the end-client IT team, deciding when to raise pct, communicating gaps to non-technical leadership. For 1 domain with a simple stack the free services may be enough. For 3+ domains with heterogeneous SaaS (typical Panama mid-market company) the monthly human operation exceeds the managed service cost. The real operational difference: we read the reports, you do not.

"My company is Panama B2B, my clients use Outlook. What good is BIMI?"

Honest answer: BIMI provides no visual benefit in Outlook or Microsoft 365 today; those products do not support the standard. Where it does work: Gmail, Apple Mail (iCloud, iPhone, iPad, Mac), Yahoo Mail, AOL, Fastmail. For B2C Panama, Gmail dominates (three of every four personal accounts). For B2B with international clients using Apple Mail, BIMI is a verified-brand signal. For companies with a mostly Outlook base, we honestly recommend not investing in BIMI yet and keeping focus on DMARC enforcement, which does deliver cross-provider deliverability.

"Can you monitor domains outside Panama?"

Yes. The service is domain-jurisdiction agnostic. We operate DMARC + BIMI for clients with .com, .com.pa, .net, .org, .co.cr, .mx, LatAm regional and European domains. Operation runs from Panama in GMT-5 hours that cover LatAm and USA. For European clients we coordinate in overlap hours (Panama morning, European afternoon). DMARC report processing contains send metadata without sensitive personal recipient data, which keeps it outside strict Law 81 or GDPR scope for international transfer.

Frequently asked

What ends up coming out in the technical meeting.

Why do I need DMARC if I already have SPF and DKIM?

SPF and DKIM authenticate that mail comes from an authorized server and that content was not modified. DMARC is the layer tying both together and telling the receiving server what to do if they fail: nothing (p=none), send to spam (p=quarantine) or reject (p=reject). Without DMARC, receivers see the failures but have no instructions from you, so they make generic decisions.

What matters for bulk senders: since February 2024 Google and Yahoo require DMARC for bulk senders. Microsoft since May 2025. Gmail actively rejects since November 2025. Without DMARC, you are no longer eligible for bulk inbox delivery.

What happens if I go to p=reject and block legitimate email from employees or vendors?

That is exactly the risk and why correct migration takes 9 to 18 months. The methodology is:

  • Start at p=none receiving RUA reports for 60-90 days to identify all legitimate senders
  • Each sender requires SPF or DKIM correctly aligned
  • When you reach 95-98% alignment sustained for 30 days, move to p=quarantine with pct=10, then pct=50, then pct=100
  • Only after quarantine 100% stable for another 30 days do you move to p=reject

Any provider that does not respect this timeline will break legitimate email.

How much does BIMI with VMC really cost to implement?

Three cost components:

  • Annual certificate: VMC between $749 and $1,688 USD by CA. CMC between $650 and $1,100 with no trademark needed
  • Trademark registration if missing: USPTO $250-$350 per class, Panama DIGERPI $200-$400
  • Technical provisioning: SVG Tiny PS, PEM hosting, alignment with DMARC enforcement

For one brand with active trademark and DMARC already in quarantine, total year-1 cost runs $1,200-$2,000 all-in. For CMC without trademark, $700-$1,100.

I have had p=none for two years and nothing happened. Does enforcement migration really matter?

p=none is seeing the problem without solving it. RUA reports show how many emails spoof your domain each month (typically between 200 and 50,000 for mid-volume Panama domains). Those emails land in inboxes of your customers, vendors and employees as if they came from you.

Successful phishing from your domain can generate financial fraud reputationally attributable to your company. Second relevant factor: since February 2024 Google and Yahoo do not accept bulk senders without DMARC enforcement. If you send more than 5,000 emails per day from the domain, p=none already impacts deliverability.

My company is Panama. What good is BIMI if most clients use Outlook?

Honest answer: BIMI provides no visual benefit in Outlook or Microsoft 365 today; those products do not support BIMI. Where it does work: Gmail, Apple Mail (iCloud, iPhone, iPad, Mac), Yahoo Mail, AOL, Fastmail.

For B2C Panama, Gmail dominates (three of four personal accounts). For B2B with international clients on Apple Mail, BIMI is a verified-brand signal. For regional companies with mixed base, we recommend BIMI with CMC ($650-$1,100/year) instead of VMC ($749-$1,688/year) for better cost-impact ratio.

Can I do DMARC monitoring myself with free services?

Technically yes. Postmark Free DMARC, dmarcian Free, Valimail Monitor (free for low volume), MXToolbox free tier. The cost is not the dashboard; it is the human work of reading XML reports weekly, identifying unauthorized senders, coordinating fixes with the IT team, deciding when to raise the pct, and communicating gaps to non-technical leadership.

For 1 domain with simple stack the free services can suffice. For 3+ domains with heterogeneous SaaS the monthly human operation exceeds the managed service cost.

Do you handle domains outside Panama?

Yes. The service is domain-jurisdiction agnostic. We operate DMARC + BIMI for clients with .com, .com.pa, .net, .org, .co.cr, .mx, LatAm regional and European domains. Operation runs from Panama in GMT-5 hours covering LatAm and USA. For European clients we coordinate in overlap hours (Panama morning, European afternoon).

Compliance: DMARC report processing contains send metadata without sensitive personal recipient data, which keeps it outside strict Law 81 or GDPR scope for international transfer.

What tools do you use in the backend?

Open-source primary stack, complemented with commercial services for specific cases:

  • RUA parsing and aggregation: parsedmarc + Elasticsearch + Grafana self-hosted on Panama infrastructure
  • RUF forensic reports: custom Python scripts detecting spoofing patterns
  • BIMI provisioning: DigiCert or Entrust based on client preference
  • EasyDMARC, dmarcian or Valimail: we integrate their dashboards if the client already has the relationship

Stack choice gets discussed in the technical discovery.

Free DMARC audit of your domain. Forty-eight hours.

Before proposing any tier we run a technical audit of your current DNS: status of the published DMARC record (if any), alignment of SPF and DKIM policies, presence or absence of BIMI, detectable spoofing in public logs, risk of deliverability impact under Google/Yahoo rules. Report in forty-eight hours. If you then decide not to migrate, you keep the detailed report.

Technical audit · 48 hours · No commitment · Confidential