Aggregate report parsing
DMARC RUA reports from every major provider are ingested and parsed continuously — XML you'd never read becomes per-source, per-day sending analytics.
Posture scoring
SPF, DKIM, and DMARC configuration is scored per domain. You see which domains are at enforcement, which are stuck at p=none, and exactly what's blocking the next step.
Spoofing analytics
Authentication failures are clustered by sender pool. A new pool failing SPF at volume is a spoofing campaign in flight — visible the day it starts.
Legitimate-sender mapping
Marketing platforms, CRMs, ticketing tools — every legitimate third party sending as you is identified, so the path to p=reject doesn't break payroll notifications.
Domain verification
Domain ownership is proven via DNS TXT challenge before data flows, so reports and analytics only ever attach to domains you control.
Phishing classification
Suspected phishing pages are live-probed and classified by a pure-Python heuristic — and confirmed phishing infrastructure flows straight into brand takedowns.
Point your RUA at CTP247
One DNS record per domain sends your aggregate reports to the platform. Domain ownership is verified by TXT challenge first.
Reports become analytics
Every report is parsed into per-source rows: who sent, how much, what passed SPF and DKIM, what aligned. History accumulates from day one.
Separate signal from noise
Legitimate senders get identified and grouped; unknown pools failing authentication get clustered and scored as potential spoofing.
Walk to enforcement
With every legitimate sender accounted for, you tighten policy — none, quarantine, reject — per domain, with data showing it's safe at each step.
Feed the takedown loop
Spoofing infrastructure identified here joins the same case fabric as brand hits — investigated, documented, and taken down through the same adapters.
Under the hood