DMARCER
Sign in Get started
Security & trust

Built to protect the data you trust us with

Email-security reporting means handling sensitive data about your domains and your people. DMARCER is engineered so that data stays in its own region, is seen only by who should see it, and every access is accountable — GDPR-friendly handling for a business, clean separation for an MSP across every client.

6

Data regions worldwide

MFA + RBAC

Least-privilege access to every record

Audited

Every access and change, logged

Two duties, one design

To monitor your email security, DMARCER receives and stores reports about mail sent in your name. Some of that – particularly failure (forensic) reports – can contain personal data: subjects, recipients, message headers. Handling it carelessly would create exactly the risk you came to us to reduce. So security and data protection aren’t a bolt-on; they shape how the platform is built.

The same design serves two audiences at once. For a business, it means GDPR-friendly handling out of the box – data kept in your region, seen only by the right people, and removed on a schedule you set. For an MSP, it means clean separation and accountability across every client you protect, with an audit trail to prove it.

The principles we build on

  • Least privilege – people get only the access their role needs, nothing more
  • Data minimisation – we hold what we need to do the job, and no longer than you allow
  • Accountability – meaningful access and change is recorded, so there’s always an answer to “who, what, when”

Your data stays in your region

DMARCER is built region-first, on our own infrastructure across seven regions worldwide. You choose where a customer’s data lives, and the reports for that customer are received and stored in that region – not pooled into a single global store. A customer’s data is held in its own region and processed there.

For organisations with GDPR, NIS2 or DORA obligations, that’s residency by architecture rather than a promise on a marketing page. For an MSP serving clients in different jurisdictions, it means each client’s data can sit where that client needs it to.

  • Seven regions: UK, Ireland, US, Canada, South Africa, Singapore, Australia
  • A customer’s data stays in its own region
  • Reports never leave the region they’re received in
  • One management layer for control, regional stores for data

Our global footprint

Seven regions on our own infrastructure – so your data is processed close to home and stays in its jurisdiction.

Loading map…
Africa
Asia Pacific
Australia
Europe
United Kingdom
United States

Encrypted in transit and at rest

Traffic between you and DMARCER is encrypted in transit with modern TLS, so data can’t be read as it crosses the network. Sensitive material at rest – integration credentials, certificate private keys, secrets – is encrypted in storage, and once a credential is saved it’s never shown back to you in full.

Secrets are redacted in the interface and never written into audit logs, so the record of who did what can be kept and shared without leaking the very things it should be protecting.

  • TLS for all data in transit
  • Integration credentials and private keys encrypted at rest
  • Credentials never shown back in full once saved
  • Secrets redacted in the UI and excluded from logs

Only the right people, only their data

Access is governed by granular role-based access control, so each person sees and does only what their role allows – the least-privilege principle, applied to every record. Multi-factor authentication adds a second factor beyond the password and can be enforced across a whole tenant, so a stolen password alone is not enough to get in.

For an MSP, that separation matters most: each client’s data is isolated, and people are scoped to exactly the clients and domains they’re meant to work on – no accidental visibility across accounts.

  • Granular role-based access control
  • Least-privilege by default – access matched to the role
  • Multi-factor authentication, enforceable tenant-wide
  • People scoped to the clients and domains they manage

Every access and change is accountable

DMARCER keeps a comprehensive audit trail of access and changes – policy changes, integration activity, permission changes, and access to sensitive data – recording who did it and when. Because the record is complete, there’s always an answer when a client, an auditor or a regulator asks what happened.

Viewing a forensic report, which can contain personal data, is itself logged as a distinct access event – so looking at sensitive data is never invisible.

  • Actor, action and timestamp on meaningful events
  • Access to data logged, not just changes to it
  • Forensic (personal-data) access logged separately
  • Credential values never written to the log

Forensic data, handled with care

Failure (forensic) reports are the most sensitive data DMARCER holds, because they can carry personal data – subjects, recipients, headers. We treat them accordingly. Viewing them needs a dedicated permission, separate from ordinary reporting, so it’s a deliberate grant rather than a side effect of normal access. Every view is logged. And they’re deleted automatically on a retention schedule you control – from a few days to indefinitely – so data isn’t kept longer than you decide it should be. For a business that’s data minimisation made practical; for an MSP it’s a defensible, per-client retention story you can stand behind. See how forensic analysis works →

Compliance, checked continuously

Beyond how we hold your data, DMARCER continuously checks every domain against 90+ RFC-level compliance rules – the published standards that define correctly configured, trustworthy email. It’s the same engine behind your security score, and it means configuration problems are surfaced as they appear rather than discovered after something breaks.

On formal certifications – straight answer

We won’t claim what we don’t hold. DMARCER does not currently hold SOC 2, ISO 27001 or any other formal certification, and we won’t imply otherwise. What we do have is a platform built around recognised security principles – least privilege, encryption in transit and at rest, full auditability and data minimisation. As we achieve formal certifications, we’ll publish them right here.

Related across the platform

Forensic analysis →

How sensitive failure data is handled.

Continuous monitoring →

The engine checking 90+ rules.

For MSPs →

Separation and audit across every client.

About DMARCER →

Why we build the way we do.

See your domain’s security posture

Run a free check and get your score out of 100 in seconds – or talk to us about how DMARCER handles your data.

Check your domain
Free domain check

Check your domain security

See how your domain's security compares to your competitors.