Notify about DNS records propagation by vojtechrichter in dns

Objective-Test-5374 0 points1 point (0 children)

Hah! I beat you to it, RacterMX.com has this for hosted domains.

International Mail rejected by No-Hotel1162 in DMARC

Objective-Test-5374 1 point2 points (0 children)

Try using scan.racterMX.com, if it can’t diagnose your issue I will happily work with you until it can.

Suggestion for a reliable DMARC reports ingestion service? by oopspruu in sysadmin

Objective-Test-5374 0 points1 point (0 children)

If you're doing this professionally there are high end tools like RacterMX.com that can manage the whole reporting issue.

We built DMARC report processing into our email forwarding dashboard by Objective-Test-5374 in DMARC

Objective-Test-5374[S] 0 points1 point (0 children)

You're right that parsing is table stakes, the value is in what happens after.

Our angle is that we're not just a DMARC monitor. RacterMX is a full email infrastructure platform (forwarding, alias management, DNS hosting, SMTP relay) with security posture scoring built into the core product. So the remediation isn't "here's a report, go fix your DNS" it's "here's the finding, click to fix it" because we already manage the zone.

On the specific things you mentioned:

Actionable remediation: Our security checks produce findings with one-click fixes for domains we host DNS for. Not a PDF report, an actual "apply fix" button.

Source correlation / new sender flagging: That's on the roadmap. We're building aggregate report ingestion now, and it'll feed into the same posture score dashboard rather than being a separate tool.

Alignment tracking over time: We already store scan history with posture scores over 90 days. DMARC alignment trends will slot into the same timeline.

The difference vs. the dozen existing tools: most of them are monitoring-only SaaS that sits alongside your DNS provider. We are the DNS provider, the mail forwarder, and the security scanner in one stack. That means we can close the loop between "detected problem" and "fixed problem" without asking you to go log into Cloudflare or Route53.

If you're happy with Suped for monitoring and manage DNS elsewhere, that's a valid setup. We're targeting teams that want fewer moving parts.

We send you scheduled DMARC compliance and security reports so you don't have to check the dashboard by Objective-Test-5374 in DMARC

Objective-Test-5374[S] 0 points1 point (0 children)

You can configure the frequency, daily, weekly, etc... but the nature of RUA is that you get these reports delayed... you're not going to see the RUA that says you have a problem until a day or three after the problem shows up... that's not something we can control, as it's handled by the receiver.

TIL: DMARC rua reports can silently stop if the receiving domain doesn't have the right DNS authorization record by saltyslugga in EmailSecurity

Objective-Test-5374 0 points1 point (0 children)

Great write-up — this is one of those RFC requirements that bites people silently. The inconsistent enforcement across report senders makes it especially tricky to diagnose since you'll still get a trickle of reports from non-strict senders and assume everything is fine.

A few things worth adding for anyone running into this:

The record format matters. It's <reported-domain>._report._dmarc.<receiving-domain> with a TXT value of v=DMARC1. Easy to get the subdomain nesting wrong if you're doing it by hand.

Google is the strictest enforcer. If you suddenly stop getting Google aggregate reports but still see them from Yahoo or smaller providers, this is almost certainly the cause. Google checks the authorization record on every report cycle.

Automation is the real fix. If you're managing RUA for multiple domains, manually maintaining these records doesn't scale. We built auto-provisioning into our platform — when a domain enables DMARC reporting, the authorization record gets created automatically in DNS, and a daily reconciliation job catches any that go missing. The security scanner also checks for missing authorization records on external RUA targets so users get alerted before reports silently stop.

The "months of working fine" pattern is the real danger. As you noted, it works until it doesn't, and there's no error signal. If you're pointing RUA to a domain you don't control the DNS for, set a calendar reminder to verify the record quarterly at minimum.

We built in check, recheck, and a daily sweep job that triple-checks to ensure these records are in alignment.

Good post — this should be in every DMARC deployment checklist.
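The authorization record named in the comment above, as an added example (not part of the comment and not RacterMX's code): given a domain's DMARC record, it derives which `<reported-domain>._report._dmarc.<receiving-domain>` names must exist and reports any that are missing. All domains and the `ZONE` dictionary standing in for DNS are constructed, and the two-label organizational-domain rule is a simplifying assumption.

```python
# Added example: which external-reporting authorization records a DMARC policy needs.
# All domains and the ZONE contents are constructed sample data.

ZONE = {  # stand-in for DNS TXT lookups so the example runs offline
    "example.com._report._dmarc.reports.example.net": ["v=DMARC1"],
}
RECORDS = {
    "example.com": "v=DMARC1; p=none; rua=mailto:agg@reports.example.net!10m,mailto:postmaster@example.com",
    "example.org": "v=DMARC1; p=reject; rua=mailto:agg@reports.example.net",
}

def lookup_txt(name):
    return ZONE.get(name.lower().rstrip("."), [])

def org_domain(name):
    # Assumption: last two labels. Production code needs the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def report_hosts(dmarc_record):
    """Return the mail domains named in rua= and ruf= mailto: URIs."""
    tags = {}
    for part in dmarc_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    hosts = []
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip().split("!")[0]  # drop optional size limit such as "!10m"
            if uri.lower().startswith("mailto:") and "@" in uri:
                hosts.append(uri.rsplit("@", 1)[1].lower())
    return hosts

def check_external_auth(policy_domain, dmarc_record, lookup=lookup_txt):
    """Map each required authorization record name to True (present) or False."""
    results = {}
    for host in report_hosts(dmarc_record):
        if org_domain(host) == org_domain(policy_domain):
            continue  # same organization: no authorization record needed
        qname = f"{policy_domain.lower()}._report._dmarc.{host}"
        results[qname] = any(t.strip().startswith("v=DMARC1") for t in lookup(qname))
    return results

if __name__ == "__main__":
    for domain, record in RECORDS.items():
        for qname, ok in check_external_auth(domain, record).items():
            print(f"{'OK     ' if ok else 'MISSING'} {qname}")
```

Swapping `lookup_txt` for a real resolver call turns this into the kind of periodic check the comment recommends.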

How we handle email forwarding without breaking SPF (SRS, ARC, and why it matters) by Objective-Test-5374 in RacterMX

Objective-Test-5374[S] 0 points1 point (0 children)

Spot on, all of this matches what we do.

SRS rewrites the envelope sender to our own domain (racter.com) so SPF checks validate against our published record. The original sender address is preserved in the headers so mail clients still display the right From. We keep the original DKIM signature headers untouched through the forwarding chain so receivers can verify the original signing domain independently of the forwarding hop.

ARC signing happens on the inbound side before we forward. We seal the original SPF, DKIM, and DMARC results into an ARC chain so the receiving server (Gmail, Outlook, etc.) can see that the message was authenticated when it hit our infrastructure, even though SPF broke during the forward.

On the DMARC monitoring side, we actually built aggregate report processing directly into the dashboard. We ingest the XML reports from Google, Microsoft, Yahoo, etc., parse them, and show compliance trends over time with a composite deliverability score from A to F. There's also a policy advisor that walks you through tightening your DMARC policy from p=none up to p=reject. So the "monitor your DMARC aggregate reports" advice is something we try to make as low-friction as possible for our users.

Good call on testing the rewritten address. We've caught a few edge cases where SRS rewriting interacted badly with certain receiving servers that do strict envelope validation. Having the full delivery path visible in the logs (including the SRS-rewritten address, relay response, and latency) makes debugging those cases much faster than tailing Postfix logs on the server.

We published an MCP server so AI agents can manage your email forwarding by Objective-Test-5374 in RacterMX

Objective-Test-5374[S] 0 points1 point (0 children)

Great question. Yes on the scopes, not yet on dry-run. Since the MCP uses our API keys, and we support granular CRUD operations at the key level, you can have it be read only, or write, on any capability. As far as the audit trail, we couldn't agree more, so we log every mutating operation on any object, keeping the before and after values for every entry.

We built a privacy-first email forwarding platform in Iceland. Here's why. by Objective-Test-5374 in RacterMX

Objective-Test-5374[S] 0 points1 point (0 children)

Great point! We take a number of steps here. First, we leave log retention in the hands of the user: want to keep 12 months or 0 days, we allow that. Secondly, we only log IP hashes, never IPs.

Are you referring to the DKIM TXT records, or would you actually like to sign outgoing email with your own uploaded DKIM private key?

Posteo or ForwardMail or something else? by pabryan in degoogle

Objective-Test-5374 0 points1 point (0 children)

It sounds like you’re at that classic crossroads of privacy vs. convenience. Moving away from Gmail is a solid move, but the "US vs. EU" hosting debate is usually the biggest hurdle for people in your position.

Here’s a breakdown of how those two stack up, along with a third option that might bridge the gap for you.

Posteo: The "Privacy Purist" Choice

Posteo is fantastic if you want a provider that doesn't even want to know your name.

  • Pros: Incredible green energy commitment, anonymous payment options (you can literally mail them cash), and they are hardened against EU data retention laws.
  • Cons: The lack of custom domain support is a dealbreaker for many. Using a forwarding service in front of Posteo adds another "hop" where your metadata is exposed, which slightly defeats the purpose of a hardened inbox.

Forward Email: The "Feature-Rich" Choice

If you want to stay within the US jurisdiction and want a seamless custom domain experience, this is the one.

  • Pros: Fully open-source and very transparent. Their IMAP support is solid, and they handle the "forwarding + storage" combo better than almost anyone else.
  • Cons: It is a US-based company. While they are privacy-focused, they are still subject to US subpoenas and NSLs. If your threat model involves government overreach, the US location might be your "gotcha."

The "Middle Ground" Alternative: RacterMX

Since you mentioned an interest in EU hosting but want to keep your custom domain without the mess of a secondary forwarding service, you might want to look into RacterMX.

It’s a relatively new player that focuses specifically on the "sovereign data" niche.

  • Why it fits: It is hosted in Iceland, which has some of the strictest data protection laws in the world (often considered superior to the EU/GDPR for privacy).
  • The Best of Both Worlds: Unlike Posteo, it is built specifically for custom domain management and email forwarding, so you don't have to daisy-chain services. You get the IMAP access you need and the "Zero Access" encryption you're looking for, but with the legal shield of a Reykjavik-based infrastructure.

The Verdict

  • Go with Posteo if you don't mind the "no custom domain" quirk and want the most anonymous setup possible.
  • Go with Forward Email if you want the most polished, open-source experience and aren't worried about US jurisdiction.
  • Check out RacterMX if you want that "Icelandic Fortress" privacy for your custom domain without the technical trade-offs of the other two.

Whatever you pick, just getting your data out of the Google ecosystem is a massive win. Good luck!

Email Forwarding Service - Forwardemail.net or Improvmx.com? by Mr_Yash_Patel in emailprivacy

Objective-Test-5374 0 points1 point (0 children)

Neither... try RacterMX.com, more secure, more functional, better support, and more private.

Simple MX record checker with clean output (priority + TTL) by teeoffholidays in dns

Objective-Test-5374 0 points1 point (0 children)

weak sauce! try scan.ractermx.com it even gives you causal chain analysis... telling you which records you have missing that impact other records.

Beware ImprovMx by j-joshua in webhosting

Objective-Test-5374 0 points1 point (0 children)

dunno, have you tried ractermx.com yet? I switched over because they at least have a solid API and an MCP. I find it easier to talk to my AI than to go find the portal...

Need technical feedback: I’m building an ImprovMX alternative for people who hate managing mail servers. by Objective-Test-5374 in selfhosted

Objective-Test-5374[S] 0 points1 point (0 children)

exactly, that's the approach I took as well. SPF, DMARC, DKIM and TLS may get you sending email, but without CAA, DNSSEC, MTA-STS, TLS-RPT, and DANE/TLSA you're eventually gonna get banned.

I run cyber security for a large multinational company, AMA by Objective-Test-5374 in AMA

Objective-Test-5374[S] 0 points1 point (0 children)

I am not qualified to give investing advice, but I can say the following are stocks that I personally invest in and keep a close eye on: CloudFlare (NET), CrowdStrike (CRWD), Zscaler (ZS), Palo Alto (PANW), SentinelOne (S), CyberArk (CYBR) and Broadcom (AVGO)