OnDMARC
Award-winning, cloud-based DMARC, DKIM, SPF, MTA-STS and BIMI configuration, automation and management tool. Protect against phishing and BEC attacks by stopping unauthorised use of email-sending domains. Expedite time to enforcement by making it easy to audit existing email-environments using insightful DMARC reporting and powerful troubleshooting tools.
Features
- UK-headquartered and UK data residency
- Manage records without needing to access DNS with Dynamic Services
- Advanced SPF automation that overcomes the 10 DNS lookup limit
- Enriched forensic reports contextualise relevant information about your sending sources
- Instantly check if sending services are configured correctly
- Integrated BIMI with VMC
- Hosted MTA-STS
- Step-by-step implementation guidance
- API available for integrated management
- Hosted email protocol management
Benefits
- Protect reputation by authenticating legitimate senders and blocking unauthorized mail.
- Implementation of DMARC, SPF, and DKIM within 6 weeks
- Get visibility into all outbound mail sent from your organization.
- Comply with email security recommendations made by global government bodies.
Pricing
£0.58 to £140 a user
- Free trial available
Framework
G-Cloud 14
Service ID
413568636785516
Contact
Red Sift Ltd
Billy McDiarmid
Telephone: 07764754129
Email: billy.mcdiarmid@redsift.io
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Public cloud
- Service constraints
-
We operate a continuous development delivery model for most updates. For maintenance:
Planned maintenance - notifications are sent 1 week before.
Emergency maintenance - notify as soon as possible (for any service degradation).
- System requirements
- Access to DNS or collaboration with team that manages DNS
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
-
Customer support runs from 8am-6pm local UK time Monday to Friday. Response times vary by severity, and 24/7 support is included for Level 1 severity cases.
Level 1 - 1 hour.
Level 2 - 8 hours.
Level 3 - 1 business day.
Level 4 - commercially reasonable efforts during regular support hours.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- None or don’t know
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- Web chat
- Web chat support availability
- 24 hours, 7 days a week
- Web chat support accessibility standard
- None or don’t know
- How the web chat support is accessible
- Web chat is available as a method of contact directly from the Red Sift platform. Our website and community portal are as accessible as possible by using clear and concise language, structured headings, and supportive visual aids. We are committed to enhancing the accessibility of our documentation and have plans to conduct formal reviews and redesigns in accordance with accessibility guidelines. Future steps include consulting with accessibility experts and incorporating feedback from users with disabilities to continually improve the usability of our channels. We are dedicated to making our documentation accessible to every user, reflecting our broader commitment to inclusivity in all our services.
- Web chat accessibility testing
- Web chat testing with assistive technology users has not yet been carried out.
- Onsite support
- Onsite support
- Support levels
-
Enterprise support provides:
A named Customer Success Manager (Account Manager);
A named Customer Success Engineer (Technical Account Engineer/Manager);
Online Case Logging;
Chat Support;
Phone Support;
Product Documentation that's continuously updated;
Knowledge Base that's continuously updated;
Enhanced Service Levels;
Access to Sift Space, the Red Sift Customer Community;
Bespoke Onboarding & Implementation;
Executive Business Reviews;
Technical Reviews;
Annual Account Health Check Review;
Customer Listening Program;
Essentials support provides:
Online Case Logging;
Product Documentation that's continuously updated;
Knowledge Base that's continuously updated;
Basic Service Levels;
Access to Sift Space, the Red Sift Customer Community;
Self-Guided Onboarding & Implementation;
Customer Listening Program.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
You will start using the service with a kick-off meeting (organised by your named Customer Success Manager) where your success plan and implementation project and preparation phase will begin.
We will provide you with our blueprint GANTT chart and RACI Matrix, which can be configured to suit your Implementation.
You will be assigned a Customer Success Engineer (CSE) to assess the implementation activities' scale and contribute to the planning stages and estimated timeframe.
User documentation is provided through our application, our Knowledge base, and our online community SiftSpace, meaning you can pick whichever is most convenient.
You have a choice of online or onsite training which will be scheduled at times suitable to you. Pre and post implementation you will be able to request training when required.
During this process you will be given access to the application so that you can start the configuration steps required.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- End-of-contract data extraction
- Upon request by Customer made either before or within thirty (30) days after the effective date of expiration or termination of this EULA (or an Order Form), Red Sift will make available to Customer a complete download of the associated Customer-Provided Technology and User Data in its then-current file or database format, or as such other format as the parties may agree in writing. For clarity, any Services provided by Red Sift to Customer, including the downloading set out above, and any assistance in exporting the User Data, will be billable at Red Sift’s then-current time and materials rates. Customer agrees that Red Sift will not be liable to Customer, any Authorised User, or any other third party for any cessation of access to the Services or Red Sift Products following the expiration or termination of this EULA or any Order Form, including for any damages arising out of any party’s reliance on the continued availability of the Services or Red Sift Products.
- End-of-contract process
-
Users can cancel their agreement at the end of each contracted period with 30 days notice or automatically renew their agreement.
If a user chooses to cancel their agreement, it will end on the last day of the contract period. There are no additional costs to extract data before the end of the contract period.
All service data will be deleted upon termination/cancellation of the contract if requested by the customer, otherwise data is deleted at 12 months.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Opera
- Application to install
- No
- Designed for use on mobile devices
- No
- Service interface
- Yes
- User support accessibility
- None or don’t know
- Description of service interface
- The OnDMARC interface includes an executive dashboard offering a comprehensive view of an organisation's domains and their configurations, including information about their DMARC status (none, quarantine, reject), total emails sent across domains, and MTA-STS and BIMI configurations. It includes a suite of comprehensive DMARC reporting tools including forensics, sending sources, and performance, including recommended actions to resolve any sending or configuration difficulties. An MTA-STS reporting and dynamic configuration interface is also included, alongside an integrated BIMI and VMC management dashboard.
- Accessibility standards
- None or don’t know
- Description of accessibility
-
We ensure basic accessibility through features such as straightforward navigation and clear, readable fonts. We are committed to improving accessibility and are planning steps to incorporate accessibility testing and design improvements. Our future initiatives include consulting with accessibility experts and engaging directly with users who have disabilities to gather valuable feedback and guide our enhancements.
We recognise the importance of making our services accessible to all users, and are actively working towards making inclusivity a core aspect of our service development.
- Accessibility testing
- Analysis has already started and Red Sift is aware of the improvements that need to be made in the service interface to meet accessibility requirements.
- API
- Yes
- What users can and can't do using the API
-
OnDMARC includes full API access via our RESTful API to allow you to manage OnDMARC administration and reporting functions from your own environment.
Our APIs allow you to
Add, configure, manage, and change all sending domains individually and in bulk through a variety of useful calls;
Configure alerting for a variety of parameters;
Build and retrieve all reporting that is available in OnDMARC;
Retrieve audit logs regarding activity.
- API documentation
- Yes
- API documentation formats
- Open API (also known as Swagger)
- API sandbox or test environment
- Yes
- Customisation available
- No
Scaling
- Independence of resources
- The Red Sift Pulse Platform is built for high scalability. There are no performance limitations on the usage of the service. The service is designed to be scalable and cope with peaks of processing demands. We support an unlimited amount of volume.
Analytics
- Service usage metrics
- Yes
- Metrics types
-
OnDMARC provides a wide range of service metrics including
Sending domains by status - reject, quarantine, none, no policy.
Passed DMARC.
Passed DKIM.
Passed SPF.
Configuration status of domains.
Volume of emails sent by sending source.
Top sending domains.
DMARC compliance rate.
Sender reputation score.
- Reporting types
-
- API access
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Baseline Personnel Security Standard (BPSS)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
-
- United Kingdom
- European Economic Area (EEA)
- User control over data storage and processing locations
- No
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
- Protecting data at rest
-
- Physical access control, complying with CSA CCM v3.0
- Physical access control, complying with SSAE-16 / ISAE 3402
- Physical access control, complying with another standard
- Encryption of all physical media
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- User can download their data and reports directly from the application or by using the API.
- Data export formats
-
- CSV
- Other
- Other data export formats
- JSON
- Data import formats
-
- CSV
- Other
- Other data import formats
- JSON
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
-
Red Sift will provide customers access to the SaaS production application on a twenty-four-hour, seven days a week (24x7) basis at the product-specific rate of 99.9%.
The Uptime Metric obligation commences on the Go Live Date.
“The Go Live Date” is when Red Sift has concluded end-user testing, Red Sift has prepared the production environment and made it available to the customer.
On a monthly basis, the Uptime Metric will be measured using the measurable hours in the month (total time minus, if applicable, scheduled maintenance) as the denominator. The numerator is the denominator value minus the time of any S1 outages in the month (duration of all S1 outages combined) to give the percentage of available uptime. An “outage” is defined as an S1 issue continuing at least five minutes until the condition has cleared, a workaround has been provided, or the issue has been downgraded to an S2.
Service credits, if required as part of a contract, can be negotiated on a case by case basis.
- Approach to resilience
- We operate different availability zones, within the primary data centre. We have a geographically distributed cluster infrastructure with dual redundancy via warm clusters to provide maximum availability. Full backup snapshots are taken every 45 mins. Backups are hosted on a resilient NFS-based object storage. A scalable microservices architecture with a persistent job queue provides resilience and fault tolerance to most planned and unplanned outages.
- Outage reporting
- Outages will be reported by an email alert and a notice placed in our customer community.
Identity and authentication
- User authentication needed
- Yes
- User authentication
- Identity federation with existing provider (for example Google Apps)
- Access restrictions in management interfaces and support channels
-
Red Sift supports user permissions inside the application and different users can be given different levels of access to the application, and this method is used to restrict access to management and administration interfaces with observer roles available.
Similarly, RBAC is used in our support channels with validation steps in place in the different support channels.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
- Identity federation with existing provider (for example Google Apps)
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- A-Lign
- ISO/IEC 27001 accreditation date
- 09/04/2024
- What the ISO/IEC 27001 doesn’t cover
- There is nothing not covered by our ISO/IEC 27001 certification. Our scope covers all services, locations, operations and people, since first certification in 2017.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- No
- Other security certifications
- Yes
- Any other security certifications
- SOC 2 Type 2
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
- Red Sift selected ISO 27001 compliance as its standard and foundation for information security and applies and maps other information standards, frameworks, and regulations to the principles of this Information Security Management System (ISMS) and the principles of ever-evolving continual improvement. Our ISMS has clear objectives with the following supporting policies: Classification & Handling; Asset Management & Acceptable Use; Access Control; Third-Party Management; Secure Development; Incident Management; Business Continuity; Competence and Awareness; Risk Management; Compliance. We run and check our ISMS internally throughout the year, with two Information Security Committees, two risk reviews, and an internal audit program. Every year we are externally assessed by a number of professional bodies to check we still align with ISO27001, SOC2, and other relevant security standards that we map our ISMS to. We ensure this is adhered to through our Competence and Awareness policy which defines the requirements for existing and new members of staff. The Information Security Manager, currently the CTO, is responsible for ensuring the ISMS conforms to the requirements of the ISO 27001:2022 and other relevant standards and will be ultimately responsible for the management of the ISMS and reporting on it to interested parties.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
- Our Secure Development Policy and ISMS processes operate a continuous delivery model. There are a number of layers of change management and verification processes that track components during their lifetimes and ensure the security impact of changes is assessed. The steps are: Security requirements are built into the design phase; Secure coding practices; Story creation; Sprint planning; Refinement; Assignment; Design; Security Review; Implementation; Documentation; Review; Dependency Review; QA; Deployment to staging; Deployment approval; Deployment to production; Post deployment monitoring and devops; Prioritisation of security issues and user-facing issues that have an impact post deployment; Security training.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
-
Vulnerability scans on our infrastructure are run monthly.
We run a Disclosure Process rewarding independent consultants for responsible disclosure of vulnerabilities.
Infrastructure is based on microservices running inside containers, which are checked for vulnerabilities at build.
Source code is hosted on GitHub. Dependabot is enabled on projects to report outdated or vulnerable dependencies.
We obtain information about technical vulnerabilities through mailing lists and other sources.
An accredited third-party performs an annual pen-test.
All vulnerabilities identified from these methods are managed in our vulnerability management process, tagged 'high' or 'low', and remediated as soon as possible, within 1 week or sooner.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
- We have pattern-based alerts configured in Datadog to alert us about anomalous activity. Alerts received in our Slack channel are assessed, analysed and actioned. Out of hours is covered by a 24/7 schedule with critical alerts being sent to PagerDuty. We also log all accesses to our production systems and have alerts set up for these for forensic purposes.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
-
Our incident management process follows the SANS institute PICERL model which includes pre-defined processes for common events.
Users must report any security-related incidents, events or weaknesses immediately for management attention by internal messaging. Those coming from third-party suppliers will be raised by users in the same way. We also have anomaly detection alerts set up for unusual activity in the systems.
Lessons learnt from incidents are logged in the same way and in the same project as corrective actions but might be tagged differently depending on the action.
Incidents have a formal report written and are logged separately.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
-
Social Value
- Fighting climate change
- Covid-19 recovery
- Tackling economic inequality
- Equal opportunity
- Wellbeing
Fighting climate change
Red Sift is committed to minimising the energy taken in, the waste it discharges and the resources it needs as it understands the consequences on the environment and its responsibility to fight climate change.
Red Sift is committed to achieving Net Zero emissions by 2030 and has completed steps towards this already. We complete an annual report through our partners at TRACE to evidence our progress.
We action this through our environmental policy.
Red Sift is committed to the reuse of software media products where applicable, particularly where products can be recycled for our own internal use.
Red Sift complies with all current legislation on environmental issues.
Red Sift has appointed an environmental officer with specific responsibilities to minimize risks.
Red Sift ensures that the disposal of waste products is done in a safe manner to minimize any possible pollution.
Red Sift, with its suppliers and customers, will strive for the best possible environmental practices, such as the promotion of recycling and minimisation of waste in all areas.
Red Sift Health and Safety Policy identifies the use of safe practices and avoids the unnecessary use of hazardous materials and processes, and shall take all reasonable steps to prevent damage to either public or ecological health where such materials are in essential use.
To continue to ensure the improvement and prevention of pollution by continuing to use proprietary disposal agencies and where possible to reduce the use of utilities.
To review our environmental objectives and targets annually.
Red Sift monitors this policy and ensures that it is in line with current legislation.
Covid-19 recovery
Our solution bolsters the COVID-19 recovery effort by helping organisations to secure remote work environments, essential for organisations adapting to new digital workflows. We support sustainable recovery by helping organisations safeguard data and infrastructure, minimising the risk of attacks and therefore maintaining business continuity. Our platform also facilitates compliance with health guidelines through secure management of remote work tools, contributing to safer workplace conditions and remote work.
Tackling economic inequality
Red Sift contributes to creating new businesses, jobs, and skills in a number of different ways. By offering scalable security solutions, we enable entrepreneurship and support the growth of new, small organisations, fostering economic development and innovation. Our platform educates and enables small business and industries that lack cyber security experience by democratising critical security features, making them available to a much wider audience, helping people transition into high-demand, tech-oriented roles.
Internally we're committed to enhancing educational attainment through supported training schemes that address existing skills gaps, and equipping individuals with recognised qualifications.
We support the development of a diverse supply chain by enabling new businesses, start-ups, and SMEs to adopt advanced security without significant upfront investment. We work with the supply chain to source and develop innovative, scalable solutions that modernise delivery methods, increase productivity, and bring innovation to our customers, ensuring that all partners, regardless of size, can maintain high-quality, cost-effective services. Our collaborative approach fosters a fair and responsible partnership ethos, enhancing the entire supply chain's ability to manage disruptions and maintain continuous operations. We work together, sharing our applications with the supply chain to help them enhance their resilience and capacity by integrating robust security measures that safeguard data and systems across their organisation, mitigating cyber risks.
Equal opportunity
Through our diversity and inclusion policy we are committed to promoting equality, accommodating diversity, and ensuring nondiscrimination for both our employees and our customers. We seek to fulfil and go beyond our legal obligations. We are an employer who supports and celebrates a diverse workforce.
We have identified three key objectives necessary to achieving our aims and to implement our commitments:
Promote an inclusive workplace for the diversity of our employees.
Provide a diversity-friendly service to our customers.
Communicate our commitment to equality, diversity and non-discrimination to the companies we work with.
These objectives provide the framework for developing an annual action plan to give full effect to this policy. This annual action plan will set out the specific steps we will take each year to progress these objectives.
We will continue to
Use recruitment and promotion procedures that are competency based, prevent discrimination, take account of diversity, and promote equality.
Support a management culture at all levels of the organisation that is alert to discrimination and harassment, open to and flexible in response to diversity and committed to equality.
Make reasonable accommodation for employees with a disability or who acquire a disability, and offer flexibility in taking account of the practical implications of diversity across the nine grounds covered by the equality legislation.
Sustain a workplace culture that fosters teamwork and inclusiveness, that celebrates diversity, and that challenges stereotypes.
Communicate and implement procedures that are effective in responding to any complaint from employees of discrimination or harassment.
Wellbeing
Red Sift has an obligation to monitor and improve the health and wellbeing and welfare of staff and contractors and takes this seriously.
We have many wellbeing strategies in place including
- Employee Assistance Programme
- Healthcare
- Coaching platform
- Wellbeing training programs
- Physical health plans including gym memberships and subsidies for all employees
- We provide healthy breakfast and snack options to employees.
Performance is monitored through the use of appropriate metrics such as wellbeing surveys and eNPS surveys, and continuous improvement takes place.
Pricing
- Price
- £0.58 to £140 a user
- Discount for educational organisations
- No
- Free trial available
- Yes
- Description of free trial
- A time limited proof of concept is available. The time available would be determined on a case by case basis.