PlainDMARC

Security & data handling

Last updated 2026-07-13. We are in the waitlist phase; items marked launch policy take effect when the monitoring product goes live.

This page describes only controls we actually have in place. Where something isn't built yet, we say so. No compliance badges, no claims we can't stand behind.

1. What DMARC aggregate reports contain — and don't

DMARC monitoring works by reading the aggregate (rua) reports that mailbox providers send about your domain. Those reports contain:

Aggregate reports do not contain message content, subject lines, or recipient lists. We will only ever request aggregate (rua) reports. We will never request forensic (ruf) reports, which can include message-level detail.

2. What we store today (waitlist phase)

3. Transport

All connections are served over TLS (HTTPS is enforced). This is handled by our web server (Caddy) with automatic TLS certificates.

4. Storage & location

We do not claim encryption at rest — that is not something we can verifiably guarantee on this infrastructure, so we won't say it.

5. Retention & deletion

6. No resale

We never sell or share your data with third parties beyond the processors named above (Resend for email delivery).

7. Who operates PlainDMARC

Questions or requests: hello@plaindmarc.com. Our operator's legal name and jurisdiction will be listed here once finalized.