deemarc.

Product

DMARC monitoring, no MX change required.

Deemarc connects to your Microsoft 365 tenant through the Graph API. No change to mail flow, no extra MX hops, no end-user authentication. You declare a DMARC reporting address — the platform does the rest.


01 — Foundation

What DMARC actually is.

DMARC answers one question: "Who is allowed to send mail in our domain's name?"

The domain publishes a DNS TXT record containing the tags v=DMARC1; p=...; rua=mailto:... Every receiving server (Google, Microsoft, Yahoo) checks inbound mail against it and sends back a daily aggregate report.

Those reports are XML files, compressed, often hourly, from dozens of receivers in parallel. Without tooling they're practically unreadable — and therefore useless. With tooling they show, by the minute, who's sending mail in your name and whether the authentication is clean.
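What that tooling does at its core, as an added example (not Deemarc's code): decompress one aggregate report, parse it, and total pass/fail counts per sending IP. Assumptions: the report is gzip-compressed, uses the un-namespaced RFC 7489 element names, and fits under a 10 MiB cap chosen here; the sample report is constructed.

```python
import gzip
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

MAX_XML_BYTES = 10 * 1024 * 1024  # assumed cap against decompression bombs

def load_report(blob: bytes) -> ET.Element:
    """Decompress a gzip'd aggregate report with a size cap, then parse it."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
        xml = fh.read(MAX_XML_BYTES + 1)
    if len(xml) > MAX_XML_BYTES:
        raise ValueError("report exceeds size cap")
    # Reports come from third parties: refuse DTDs and entity declarations.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD/entity declarations are not allowed in reports")
    return ET.fromstring(xml)

def summarize(root: ET.Element) -> dict:
    """Per source IP: message count, DMARC passes and DMARC failures."""
    stats = defaultdict(lambda: {"messages": 0, "pass": 0, "fail": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        ev = row.find("policy_evaluated")
        # DMARC passes when aligned DKIM or aligned SPF passes.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        stats[ip]["messages"] += count
        stats[ip]["pass" if ok else "fail"] += count
    return dict(stats)

# Constructed sample report (documentation IP ranges, example.com).
SAMPLE_XML = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>12</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

if __name__ == "__main__":
    for ip, s in summarize(load_report(gzip.compress(SAMPLE_XML))).items():
        print(ip, s)
```

A source that shows only failures under p=none, like the second record here, is either a legitimate sender that still needs SPF/DKIM alignment or someone spoofing the domain.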


02 — Architecture

Why Graph-native.

Other DMARC tools either insert a mail gateway in front of your tenant (Proofpoint pattern) or ask you to list a foreign reporting address in your DMARC record that ingests via SMTP. Both come with drawbacks:

Deemarc uses the Microsoft 365 Graph API: you grant app-only access to the mailbox that already receives your DMARC reports, and we read the XML attachments in the background. No MX, no SMTP infra, no DNS gymnastics.


03 — Data flow

From reporting mailbox to dashboard.

  1. Receivers report

    Google, Microsoft, Yahoo & friends send daily DMARC aggregate reports to your rua address.

  2. M365 receives

    Reports land in your tenant's reporting mailbox. No extra mail hop, no MX change.

  3. Deemarc parses

    A Graph subscription wakes our worker. XML attachments are unpacked, normalised, validated.

  4. You see the picture

    Dashboards for sending sources, pass/fail rates, anomalies. Alerts by email or webhook.


04 — MSP model

One console, any number of tenants.

Deemarc was built for Managed Service Providers from day one. Every customer is a separate tenant — and not just logically, but physically:

Cross-tenant queries do not exist. Not by accident, not for convenience. It's enforced in the repository layer and verified by every test in that layer.


05 — The policy journey

From "observe" to "block".

DMARC is not software you install — it's a journey. Three policies, three steps. Flip to reject too early and you'll send your own newsletters straight to spam.

  1. p=none

    Step 1 — Monitor

    Watch only. Receivers ignore the verdict but keep sending reports. Mandatory step — collect 30–60 days of data here.

  2. p=quarantine

    Step 2 — Quarantine

    Unauthenticated mail lands in spam. The first hardening step — only after all legitimate sources are confirmed.

  3. p=reject

    Step 3 — Reject

    Unauthenticated mail is bounced at delivery. End state for any serious domain — and de-facto required for bulk senders since 2024.


06 — Common questions

What MSPs ask us.

Do we have to change our MX record for Deemarc to work?
No. Deemarc reads DMARC aggregate reports directly from Microsoft 365 via the Graph API. Your mail flow stays untouched.

Which permissions does Deemarc need in our M365 tenant?
Read-only access to the reporting mailbox(es) via Microsoft Graph (Mail.Read, app-only). No end-user authentication, no write access, no mailbox manipulation.

We run multiple domains. Can we monitor them all in one setup?
Yes. Each domain is handled individually but rolls up into a single console. For MSPs serving many customers there is full multi-tenant isolation with a separate database per tenant.

What happens when someone sends phishing in our name?
Deemarc surfaces it from the recipient reports — Google, Microsoft, Yahoo and others send back spoof attempts. You see the source (IP/AS), the impacted recipients and which DMARC policy applied.

Aren't DMARC reports public?
Reports go only to the rua addresses declared in your DMARC record. Deemarc receives them solely because you list a Deemarc reporting address. You stay in control of the flow at all times.

Where is the data processed?
On a server in Germany (Hetzner). One SQLite file per tenant, chmod 600, isolated on disk. Backups as Restic snapshots to a separate storage box.

Can we leave the service and take our data with us?
Yes. You receive a full database export of your tenant data and can remove the Deemarc reporting address from your DMARC record at any time. Vendor lock-in is not our business model.

Ready for a demo?

A 30-minute screen share. We show Deemarc on a real M365 tenant.