Built for Microsoft 365

Enterprise DMARC visibility.
Not enterprise pricing.

Someone could be sending phishing emails pretending to be you right now. DMARC stops that. Sentura ingests your DMARC reports, maps every sender, and guides you from p=none to p=reject — for a fraction of what the big platforms charge.

Start free 14-day trial Book a demo
No credit card  ·  Cancel anytime  ·  Setup in under 10 minutes
Domain posture
acme.com
SPF DKIM p=none
mail.acme.com
SPF DKIM no record
Enforcement path — acme.com
p=none
p=quarantine
p=reject
Readiness score
78%
Classifies senders from Microsoft 365 SendGrid Mailchimp HubSpot Zendesk DocuSign Proofpoint Mimecast + dozens more
How it works

From blind to protected in three steps

No agents. No mailbox. No MX changes. Publish one DNS record per domain and Sentura does the rest.

1

Monitor

Publish your domain's Sentura reporting address (we generate it — [email protected]) as your DMARC rua= record. Reports flow straight to Sentura — no mailbox, no forwarding.

2

Classify

Every sender is identified against a global provider library and corroborated by DKIM signatures, reverse-DNS, and cross-tenant intelligence — so classifications hold up even when an IP catalog is stale. Unknown sources are flagged for review.

3

Enforce

Once every sender is classified, Sentura gives you a clear readiness score and guides you safely from p=none to p=quarantine to p=reject.

Features

Everything you need.
Nothing you don't.

The big DMARC platforms are built for Fortune 500 teams with dedicated security engineers. Sentura is built for the IT admin managing everything.

Direct report delivery

Publish your per-domain Sentura address and reports arrive automatically — no mailbox, no forwarding rules, no shared credentials. (Microsoft Graph mailbox polling remains available as a legacy option.)

Automatic sender classification

Every source IP matched against a global provider library. Microsoft 365, SendGrid, Mailchimp — identified by name, not just IP address. Unknown senders flagged immediately.

Enforcement readiness scoring

A live readiness score per domain. Know exactly what's blocking you from p=reject — and get a clear signal when it's safe to tighten policy.

Spoofing detection and alerts

New unknown senders, failure spikes, and previously passing senders that start failing — all surfaced immediately with actionable alerts.

Multi-domain dashboard

All your domains in one view. SPF, DKIM, and DMARC health checked live. Sender inventory, trend charts, and failure drill-down — no switching between tools.

As-built .docx reports

Generate a professional email authentication posture report in one click — ready for audits, compliance reviews, or presenting to leadership.

Sentura shield
Why Sentura

More included. Transparent pricing.
No add-ons. No surprises.

The big platforms gate enforcement features behind add-ons or "contact sales" pricing. Every Sentura plan includes the full feature set — you only pay more for more domains.

Sentura dashboard
Feature Sentura Provider A Provider B Provider C
Starting price$19/month$19/month$8/month$35.99/month
Enforcement readiness included✓ all plansPaid upgradeAdd-onHigher tier
As-built reports included✓ all plans
Entra ID native authentication
Pricing modelPer domainVolume-basedVolume-basedVolume-based
Transparent public pricingContact salesPartial
Multi-tenant management✓ BusinessEnterprise onlyPaid add-on
Pricing

Simple, domain-based pricing.
No volume traps.

Pay per domain, not per email. Your bill stays flat whether you send 10,000 or 1,000,000 emails a month. Every plan includes the complete feature set.

Pricing
Starter
$19/month
For small organisations getting visibility into their email authentication posture.
3 domains
2 users
Direct + manual ingestion
Sender classification
SPF / DKIM / DMARC health
Enforcement readiness scoring
Alerts and notifications
As-built .docx reports
90-day data retention
Start free trial
Most popular
Pro
$59/month
For organisations managing multiple domains or needing longer data history.
10 domains
5 users
Everything in Starter
12-month data retention
Priority support
Start free trial
Business
$129/month
For MSPs and IT teams managing email authentication across multiple customers.
25 domains
10 users
Everything in Pro
Multi-tenant management
White-label reports
24-month data retention
Dedicated onboarding
Start free trial

All plans include a 14-day free trial. No credit card required. Annual billing saves 20%.

14-day free trial  ·  No credit card

See who's really sending
on your behalf.

Publish your DMARC record in minutes. Your first reports arrive within 24–48 hours,
as mail providers send them — then your senders are classified automatically.

Start free trial Book a demo
FAQ

Frequently asked questions

What is DMARC?+
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that lets domain owners tell receiving mail servers what to do with messages that fail SPF and DKIM checks. It also provides a reporting mechanism so you can see who is sending email on behalf of your domain — including attackers trying to spoof it.
Why is p=none not enough?+
A DMARC policy of p=none tells receiving servers to take no action on failing email — it only generates reports. This means spoofed emails pretending to be from your domain are still delivered to inboxes. p=none is a necessary first step for visibility, but you need to move to p=quarantine or p=reject to actually stop spoofing. Sentura helps you make that transition safely by classifying every sender first.
What is SPF?+
SPF (Sender Policy Framework) is a DNS TXT record that lists all the mail servers and services authorised to send email on behalf of your domain. When a receiving server gets an email, it checks the sending IP against your SPF record. If the IP is not listed, the check fails. SPF has a limit of 10 DNS lookups, so managing it carefully is important as you add more services.
What is DKIM?+
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails. The receiving server uses a public key published in your DNS to verify the signature. If the signature is valid, it proves the email was not tampered with in transit and was genuinely sent by an authorised system. DKIM works alongside SPF and is required for DMARC alignment.
How long does DMARC enforcement take?+
It depends on how many services send email on your behalf and how quickly you can classify them all. For a simple domain with one or two senders, you could move to p=reject within a few weeks. For a typical domain it takes about 4 weeks: a couple of weeks of monitoring at p=none, followed by a gradual rollout through p=quarantine to p=reject. Sentura tracks your readiness score in real time so you know exactly when it is safe to tighten policy.
How does Sentura handle multiple domains?+
Each domain gets its own Sentura reporting address ([email protected]). Add each domain in Sentura, publish its address, and we separate the data automatically. No mailbox, no shared inbox — one record per domain.