// SPF synthesis + DMARC analytics

Never hit the 10-lookup limit again. See everyone sending as your domain.

UglyDMARC synthesizes per-IP SPF answers from a pre-flattened include tree — so every receiver gets a clean, passing record no matter how many ESPs you run. Pair it with full DMARC aggregate reporting and you have a safe path to p=reject.

Live synthesis
# The receiving MTA expands your SPF macro and queries UglyDMARC
$ dig TXT 4.3.2.1.in-addr.acme-corp.com.spf.uglydmarc.com

;; QUESTION SECTION:
;4.3.2.1.in-addr.acme-corp.com.spf.uglydmarc.com.  IN  TXT

;; ANSWER SECTION:
4.3.2.1.in-addr.acme-corp.com.spf.uglydmarc.com.  10  IN  TXT  "v=spf1 ip4:1.2.3.4 -all"

;; Query time: 1 msec
;; MSG SIZE  rcvd: 128

# One include. One IP. Always within the lookup limit. Always passing.

// the problem

Two ways email authentication quietly breaks

Neither sends you an alert. Both erode your deliverability and expose your domain.

RFC 7208 § 4.6.4

The 10-lookup limit

SPF allows at most 10 DNS lookups per evaluation. Add Google Workspace, Microsoft 365, SendGrid, Mailgun, and a transactional service and you've already blown past it. The receiver returns permerror — which DMARC treats as an SPF fail. Mail silently misses SPF alignment. This gets worse every time you add a vendor.

  • Each include:, a:, mx:, ptr: burns a lookup
  • permerror = SPF fail in DMARC evaluation
  • Failures are invisible until you check DMARC reports
  • Flattening-by-hand breaks on the next TTL expiry

🔍 DMARC visibility gap

You can't see who's spoofing you

Without DMARC aggregate reports collected and parsed, you have no idea which IPs are claiming to send as your domain — whether they're legitimate senders you forgot about, misconfigured services, or outright spoofing attempts. p=none protects nothing. But moving to p=reject without visibility will break legitimate mail.

  • ISPs send RUA reports to your designated address
  • Raw XML is unreadable at scale
  • Every unknown source is a potential spoofing vector
  • Without data, enforcement is a guess

// how it works

One include. Unlimited senders. Zero lookup errors.

You publish one record. UglyDMARC handles everything else — before the MTA ever queries.

Step 01

Publish one include

Replace all your vendor includes with a single UglyDMARC macro include. One record, root of your entire sender tree.

Step 02

We flatten the tree

In the background, UglyDMARC recursively resolves every include: in your chain — Google, SendGrid, Mailgun, and all the rest — into a flat CIDR set. Refreshed automatically before TTLs expire.

Step 03

Per-IP answers, always

When a receiver queries for a sender IP, we look it up in the cached set in O(1) and return a minimal single-IP record. One lookup. Always within the limit. Always correct.
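
A sketch of Steps 01 to 03 as an added example (not UglyDMARC's code): the receiver expands an assumed macro `%{ir}.%{v}.%{d}.spf.uglydmarc.com`, inferred from the query name in the dig output above, and a responder answers from a constructed flattened CIDR set. The function names, the sample ranges, and the bare `v=spf1 -all` answer for unknown IPs are assumptions.

```python
import ipaddress

SUFFIX = ".spf.uglydmarc.com"
# Constructed sample data: flattened CIDR set for one domain (not real sender ranges).
FLATTENED = {"acme-corp.com": [ipaddress.ip_network(n) for n in
                               ("1.2.3.0/24", "198.51.100.0/24", "2001:db8:10::/48")]}

def expand_macro(sender_ip, domain):
    """Receiver side: expand %{ir}.%{v}.%{d} (RFC 7208 section 7) into a query name."""
    ip = ipaddress.ip_address(sender_ip)
    if ip.version == 4:
        labels, v = str(ip).split("."), "in-addr"
    else:  # IPv6 expands to 32 dot-separated nibbles
        labels, v = list(ip.exploded.replace(":", "")), "ip6"
    return ".".join(reversed(labels)) + f".{v}.{domain}{SUFFIX}"

def parse_qname(qname):
    """Responder side: recover (ip, domain) from a query name; None if malformed."""
    name = qname.rstrip(".").lower()
    if not name.endswith(SUFFIX):
        return None
    labels = name[:-len(SUFFIX)].split(".")
    try:
        if len(labels) > 5 and labels[4] == "in-addr":
            ip = ipaddress.IPv4Address(".".join(reversed(labels[:4])))
            domain = ".".join(labels[5:])
        elif len(labels) > 33 and labels[32] == "ip6":
            nibbles = labels[31::-1]  # undo the reversal applied by %{ir}
            if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
                return None
            ip = ipaddress.IPv6Address(int("".join(nibbles), 16))
            domain = ".".join(labels[33:])
        else:
            return None
    except ValueError:  # untrusted input: bad octets must not crash the responder
        return None
    return ip, domain

def synthesize(qname):
    """Return the TXT answer for one macro-expanded query."""
    parsed = parse_qname(qname)
    if parsed:
        ip, domain = parsed
        if any(ip in net for net in FLATTENED.get(domain, ())):
            return f"v=spf1 ip{ip.version}:{ip} -all"
    # Assumption: an IP outside the set, or a malformed name, gets a bare fail.
    return "v=spf1 -all"
```

The query name is attacker-controllable input to the responder, which is why `parse_qname` rejects anything that does not round-trip to a valid address instead of passing labels through to the answer.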

// features

Built for teams who take email security seriously

SPF Synthesis

No more lookup limit

Pre-flattened CIDR sets answer every query in under 2 ms. Add unlimited ESPs and senders — the lookup count stays at 1 for the receiver, always.

📊 DMARC Analytics

Full DMARC visibility

RUA aggregate reports are sent straight to UglyDMARC and parsed into dashboards showing SPF/DKIM pass rates, alignment, source IPs, and ESPs for every domain you manage.

🔎 Multi-domain Search

Search across all domains

Cross-domain DMARC record search with predicate filters. Find a specific IP, ESP, or sending source across every domain in your account at once.

🔔 Alerts

Get notified on anomalies

Set alerts on SPF/DKIM failures, new unknown senders, pass-rate drops, and DNS record changes. Know before your users do.

🏢 MSP-Ready

Built for managed services

Multi-tenant from the ground up. Manage hundreds of customer domains from one console, with pooled licensing, per-customer caps, and delegated role-based access.

🔌 API Access

Automate everything

Full REST API for domain management, DAG rebuild triggers, and report data. Integrate UglyDMARC into your provisioning and monitoring workflows.

// who it's for

Designed for the people who own email deliverability

IT Teams

End the SPF firefighting

Every time a new vendor gets added, someone has to manually re-count DNS lookups. UglyDMARC removes that constraint entirely. Add Google, Microsoft, Salesforce, and ten more — it still works.

Security Teams

Close the DMARC blindspot

Get full visibility into what's sending as your domain before you tighten policy. Move from p=none to p=reject with confidence, backed by actual sending data — not guesswork.

MSPs & Resellers

Scale across your entire book

One console for all your customers' domains. Pooled licensing with per-customer caps, co-branding, and the bulk visibility you need to offer email security as a managed service.

// get started

Stop counting lookups. Start enforcing DMARC.

UglyDMARC handles the complexity so you can focus on securing your domain — not debugging SPF records.
