← All leads
killed after research2026-07-17

DMARC / email authentication

The problem
Anyone can send email pretending to be your domain, and since 2024 the mailbox providers reject you if you haven't stopped them. The fix is a spec, a feed of unreadable XML, and a migration that can black out your own invoices if you get it wrong. Nobody wants to learn it.
Scope
~85% of apex domains unprotected · 2.5% at enforcement · 70+ commercial vendors · price floor $6–15/mo · Bangladesh: functionally zero
Where it landed
Real global market, reachable by nobody I am. My local market is already sold to foreign vendors, the bottom of it doesn't send email at all, and 70+ competitors sit between me and a buyer who has never heard of me.
EmailDNSSecurityKilled after research

What this is

I spent a day deciding whether to build a DMARC product. I didn't build it.

This is everything I found, including the parts I couldn't resolve. If you're circling this same idea, the six open questions at the bottom are worth more to you than my conclusion — and one of them might be something you already know.


The problem

SMTP has no sender authentication. The From: header in your mail client is text the sender typed — nothing in the protocol stops anyone sending mail that claims to be your bank. Every phishing email you've ever received exists because of that hole.

Three layers patch it. SPF publishes which servers may send for your domain — but it validates the invisible envelope sender rather than the From: a human reads, breaks on forwarding, and silently stops working after ten DNS lookups. DKIM signs the message cryptographically. DMARC makes those mean something: it requires SPF or DKIM to pass and the domain they authenticated to match the domain actually displayed. Then you publish a policy — p=none, p=quarantine, or p=reject.

Two things make it a business rather than a chore.

The reports are unreadable. Every major receiver mails you gzipped XML, daily. No human parses that.

And the migration can take you down. Going to p=reject before you've found every legitimate system that sends as you — the invoicing tool, the CRM, the support desk, the campaign platform someone in marketing set up three years ago — means you block your own mail. Customers stop getting receipts. So people set p=none, promise to finish later, and don't. p=none is not protection — it's a request for reports, and the domain stays exactly as spoofable as one with no record at all.

The real product isn't XML parsing. It's walking a company to enforcement without breaking their invoices.


Why now

February 2024: Google and Yahoo began requiring SPF, DKIM and DMARC of anyone sending more than ~5,000 messages a day to consumer inboxes. Microsoft followed in 2025. Google has been ramping enforcement since November 2025.

This is the strongest kind of forcing function there is — enforced automatically, at the inbox, by the receiver, with no human in the loop. Not a rule someone might audit. A rule that bounces your mail. That's why this looked like a business.


Scope — and why the number is unknowable

FigureSourceDenominator
14.9% of domains have DMARCRed Sift (vendor)73.3M apex domains
52.1% have DMARCEasyDMARC (vendor)Top 1.8M most-visited
6.6% have DMARCUSENIX Security (academic)75.6M .com domains with MX
2.5% at p=rejectRed Sift (vendor)73.3M apex domains
56% of adopters stuck at p=noneEasyDMARC (vendor)937,931 DMARC domains

The market is real and unsaturated. On any of these numbers the overwhelming majority of domains are unprotected, and 2.32M organisations adopted in the ten months after the rules landed.

But note the spread. Vendor figures range 8x, every denominator differs, and the single independent measurement is the lowest of the lot — under half the most conservative vendor number. A vendor's incentive is to make the protected share look normative and the gap look urgent; different denominators let you do both at once. That's open question #3, and it isn't cosmetic.

Bangladesh: functionally zero

I checked 36 of the largest Bangladeshi organisations — banks, operators, MFS platforms, the regulator, government — over public DNS. No published study of this population exists; this appears to be the first.

31 of 36 already have DMARC. The rua= fields name the vendor: bKash and City Bank run PowerDMARC. Grameenphone runs EasyDMARC. BTRC runs Red Sift. foodpanda runs Mimecast. Banglalink runs MXToolbox. The rest — Robi, BRAC Bank, Dutch-Bangla, Islami Bank, Nagad, Bangladesh Bank — self-host their reports and pay nobody.

The top of my local market is sold, to foreign vendors. The ones who didn't buy evaluated the category and built it in-house.

The bottom doesn't exist either. DMARC demand comes from sending bulk email; Bangladeshi SMBs market on Facebook. The 2026 national digital report contains no email marketing data at all, in a document that covers every other channel exhaustively. Google's rules never touch them. And a local host bundles SPF/DKIM/DMARC setup into business email hosting from ৳100/month — domestically this isn't a product, it's a free checkbox.

(I'm not naming which organisations lack protection or sit at p=none. Vendor relationships are ordinary commercial facts visible to anyone with a DNS query. A missing control is a different kind of fact, and publishing a list of who's spoofable is hostility dressed as research. If that's your domain, I'll tell you privately, free.)


Who's solving it, and how they actually won

dmarc.org isn't a vendor — it's the standards and advocacy site, and its commercial significance is the canonical directory it maintains. That directory lists 70+ commercial vendors. An independent directory enumerates 125. This is not an underserved category. It's a bloodbath.

dmarcian — 2012, North Carolina, bootstrapped, still independent. Published $19.99/month, unchanged for ~7 years. It didn't lose to a cheaper rival. It lost five years to litigation against its own former European licensee — a dispute rooted in an oral licensing agreement nobody wrote down, producing a $335,000 contempt sanction — after which the European arm separated and rebranded as DMARC Advisor.

EasyDMARC — 2018, Armenia. $2.3M seed (2022), $20M Series A (Sept 2024), ~$22.3M total, 122 staff, 200,000+ domains. TechCrunch, Sept 2024: "How Google and Yahoo's shift to stricter email standards proved a windfall for this Armenian startup."

The strategy everyone assumes is wrong. EasyDMARC did not undercut the incumbent. Their Plus plan is €35.99–$44.99/month — roughly 2x dmarcian's frozen $19.99. Their own competitor page makes no price claim at all; it argues ease of use, support, implementation speed. What they actually shipped in November 2020 was a free tier with 10,000 emails across unlimited domains — a land grab, since retracted to one domain and 1,000 emails.

The three things they exploited, in order:

  1. A packaging flaw in dmarcian's pricing ladder — visible to anyone who read a public page, requiring zero cost advantage.
  2. A free-tier land grab, withdrawn once it had done its job.
  3. A regulatory windfall they were still alive to catch when February 2024 arrived.

The reframe that generalises well past email: a low-cost base is a survival advantage, not a go-to-market advantage. Armenia bought EasyDMARC the margin to live on $2.3M for four years. It did not win them one customer.

The small ones genuinely earning: URIports and Mailhardener — both Dutch, both 2018, both bootstrapped, both tiny. URIports says it plainly: "No investors, no acquisition agenda." Its customers include Wordfence, NordVPN, BrowserStack. Neither sells DMARC alone; both sell the whole email-auth surface — MTA-STS, TLS-RPT, BIMI, DNS monitoring.

The live experiment: DMARCguard — solo founder, based in Indonesia, incorporated as an Estonian OÜ, who shipped an open-source DMARC parser to Show HN in November 2025 and turned it into the funnel for a paid product. $3.90–6.90 per domain. Shipping daily. Four G2 reviews.

The MSP arbitrage — documented on both sides

Mailhardener publishes a white-label MSP price: €149/month + €1 per domain/month. EasyDMARC's own MSP marketing pitches resellers on "500 clients at $25/month = $90,000 ARR."

The MSP buys the engine at ~$1/domain and sells at ~$25. A 25x gap, documented by the vendors themselves. Every incumbent — PowerDMARC, Sendmarc, EasyDMARC — routes partner pricing to a sales call. That opacity is doing real work for them.

Timing — the pattern nobody escapes

CompanyFoundedIts waveLead time
dmarcian2012bootstrapped 13 years
EasyDMARC2018Feb 20246 years
URIports / Mailhardener2018earning today, 8 years in
DMARCguardlate 2025already broke4 reviews

Everyone earning money here entered before the wave broke. EasyDMARC didn't catch it — they'd been floating six years and it found them. And TechCrunch contains no founder claim that the rule drove customers; the only attribution is "More than 40 VCs started talking to us." The regulation was a liquidity event, not a customer-acquisition event.


The limitations — universal

The core of the product is free, and moving. Cloudflare ships DMARC management free on every plan. Postmark gives away a weekly digest. parsedmarc is Apache-2.0 and shipped five releases in a single month this year — 58 commits in May, 25 in July. Parsing XML and drawing a dashboard isn't a product; it's a free feature with an active maintainer underneath you.

The price floor has collapsed to $6–15/month across the long tail. DMARC Defender runs free → $9 → $29.

Price is not a wedge. EasyDMARC beat a $19.99 incumbent while charging $44.99. Nobody credible wins on price here — which means the obvious low-cost-country play is precisely the thing the evidence says doesn't work.

Standalone DMARC is being absorbed. PowerDMARC isn't a DMARC product any more — it's an email-infrastructure suite with hosted SPF/DKIM/MTA-STS/BIMI, threat intelligence, lookalike-domain checking, an AI agent and an MCP server. The billable unit moved to hosted DNS records, retention, multi-tenancy, and jurisdiction guarantees.


The limitations — mine

No local market. Established above: zero. That makes this foreign-only, which strips out every advantage I have.

No distribution surface. This is the one that kills it. 70+ vendors, a buyer who's never heard of me, and a category where being found is the game. A knowledge moat protects you from competitors; it does nothing about obscurity.

Solo. Across the wider compliance-tech category I could find zero verified solo founders at meaningful ARR. Team sizes cluster at 4–30, and the genuinely 1–2 person shops are exactly the ones with no revenue evidence.


What companies solved which limitation — and how

This is the useful part, because most of my objections turned out to be purchasable.

LimitationWho beat itHow
"Stripe doesn't operate in Bangladesh"MailBlusterIt's ThemeWagon, Inc., a Delaware company (MailBluster LLC, Wilmington DE) and it uses Stripe. They don't sell from Bangladesh — they sell from Delaware. Paddle also accepts BD sellers today, paying out via Payoneer.
"EU data residency is a moat I can't hold"EasyDMARCEasyDMARC, Inc. (Delaware) plus EasyDMARC B.V. (Netherlands, KvK 82516138). Armenian team, zero Armenian contracting entity; their legal index routes customers by geography. The moat is a formation fee, not a birthright.
"Nobody buys compliance from South Asia"CookieYesUK Ltd, company no. 13074037, team in Kerala, selling GDPR compliance into the EU. India appears nowhere in the customer-facing legal stack. Buyers screen where data lives — the SIG Core questionnaire (855 questions, 21 domains) has no geography domain at all.
"You'd need 122 employees"Mailhardener, URIportsSmall Dutch teams, bootstrapped, real enterprise logos. Refuted.
"A solo dev can't build this"DMARCguardSolo, Indonesia, Estonian OÜ, shipping daily. Refuted — though it proves the build, not the revenue.
"How would anyone find you"Nobody, yetThe open-core funnel is the only proven move: DMARCguard's parse-dmarc (Show HN), Interlynk's sbomqs (297★, "referenced by national cybersecurity agencies on three continents"). Note the asymmetry — the thing they're known for is free.

Every structural objection I raised fell except the last one. Distribution is the only one that survived, and it's the only one that matters.


What I'd do, if I did it

Not another dashboard. Cloudflare gives that away, Postmark gives a digest away, parsedmarc ships the parser under Apache-2.0 with five releases a month, and 70+ vendors are already there. There's no defensible product in report parsing.

The one position with a shape to it: be the white-label engine underneath other people's brands, priced per-domain, published. Sell to ~50 MSPs bringing 100 domains each rather than 5,000 SMBs — the MSP absorbs support because they're technical. The economics are proven and public on both sides ($1 in, $25 out). And the move a funded competitor can't copy isn't technical: it's publishing a flat self-serve price, which would undercut their own direct sales team.

What would make it real: the billing and PSA plumbing (WHMCS, ConnectWise, HaloPSA, Autotask) that makes you droppable into an MSP's existing stack, and a jurisdiction claim — which, per the table above, is a Dutch B.V. and a filing fee.

And then I'd still not do it, because of the six questions below. Which is exactly why they're written down.


What I couldn't answer

These are real. I ran out of evidence, not effort. If you know one of them — from having done it, sold it, or bought it — I'd genuinely like to hear it, and I'll give you everything above in more detail than this page has room for.

  1. Is the MSP channel reachable without a partner org? Mailhardener does it with a small team and a published price. Nobody publishes conversion. Does an MSP self-serve a €1/domain API, or does that channel need a human in every deal — in which case it's a headcount business wearing a SaaS costume?

  2. Why hasn't EasyDMARC's "83,000+ organisations" moved in ~22 months — after a $20M Series A, with hiring up only ~4% over 11 months? Either the number is stale marketing or growth stalled post-raise. Those imply opposite things about entering this market.

  3. Whose adoption number is right — 6.6% or 52.1%? The academic figure is the lowest; the vendors span 8x on mismatched denominators. That's a 5M-domain market or a 60M one, and I can't resolve it from public sources.

  4. Does jurisdiction actually sell? Every vendor signal says yes — dmarcian's European arm split off, dmarc.org keeps a region-specific vendor section, Mailhardener leads with DORA and HIPAA. But I could not find a single buyer saying they chose for data residency. Vendors may just be telling each other a story.

  5. Is DMARCguard going to make it? Solo, Indonesian, Estonian entity, OSS funnel, shipping daily, four reviews at eight months. He's the live experiment for this exact thesis. I'd rather watch him than compete with him — but I don't know which way it goes.

  6. Is dmarcian a good business or a survival? Bootstrapped since 2012, and nobody in this category publishes ARR. "Boutique" could mean comfortable or trapped, and nobody will say which.


Why this is published even though it's dead

Because the reasoning is the useful part, and because what killed it wasn't what I expected.

The market is genuinely large. The build is genuinely tractable solo. Payment rails, jurisdiction and headcount all turned out to be purchasable — a Delaware entity, a Dutch B.V., a filing fee. What killed it was distance: a real market you cannot reach is worth exactly as much as no market at all.

If you're standing where I was standing this morning, that's worth a day of your life. Take it.

// what I couldn't answer

6 questions I ran out of evidence on

Not rhetorical. If you know one of these — from having built in this market, sold into it, or bought from it — I'd like to hear it, and you get everything I have on this in return.

  1. 01Is the MSP white-label channel reachable without a partner org? Mailhardener sells the engine at €149/mo + €1/domain with a small team and a published price — but nobody publishes conversion. Does an MSP self-serve a per-domain API, or does that channel need a human in every deal?
  2. 02Why has EasyDMARC's '83,000+ organisations' not moved in ~22 months — after a $20M Series A — with headcount up only ~4% over the last 11 months? Either the number is stale marketing or growth stalled post-raise. Those imply opposite things.
  3. 03Whose adoption number is right? Vendors say 14.9%–52.1%. The one independent academic measurement says 6.6%. That's an 8x spread on mismatched denominators — the difference between a 5M-domain market and a 60M-domain one.
  4. 04Does jurisdiction actually sell, or is it a story vendors tell each other? Every vendor signal says yes. I could not find one buyer saying they chose for data residency.
  5. 05Is DMARCguard going to make it? Solo founder, Estonian entity, based in Indonesia, OSS parser as funnel, shipping daily — 4 G2 reviews at eight months. He's the live experiment for this exact thesis.
  6. 06Nobody in this category publishes ARR. dmarcian has been bootstrapped since 2012 — is that comfortable or trapped? The answer decides what 'boutique' means here.