Field guide · the pipeline

From a DNS query to a verdict, in roughly four seconds.

If you're the kind of person who reads the architecture section first: here it is, unabridged. No glossy diagrams, no “AI-powered” hand-waves, no phrases that appear on a pitch deck.

§ 01

Ingest

Every tenant gets a unique rua= address on our ingest host in.mailstinger.com. Mailbox providers (Google, Microsoft, Yahoo, Fastmail, et al.) mail aggregate reports there over SMTP as gzip-compressed XML attachments (some providers send zip instead). Postfix pipes each message to a receiver script that unpacks, validates, deduplicates, and writes rows into Postgres.

We're RFC 7489 for aggregate, RFC 6591 for forensic (ruf), RFC 8460 for TLS-RPT, and RFC 8461 for MTA-STS. Branded receivers on Agency+ tenants (e.g. rua.yourmsp.com) pass through the same pipeline under your subdomain. One protocol detail worth knowing in either setup: because the report address lives on a domain other than the one being reported on, RFC 7489 §7.1 has the provider look for a v=DMARC1 TXT record at yourdomain.com._report._dmarc.in.mailstinger.com (or under the branded host) before it sends anything. Without that record, reports never arrive and nothing tells you why.

§ 02

Parse

Each record expands into (source_ip, header_from, envelope_from, dkim_result, spf_result, dkim_aligned, spf_aligned, disposition, message_count). The raw results, and the domain each one was evaluated for, come from the record's auth_results block; disposition and the reporter's own aligned verdicts come from policy_evaluated. Alignment itself is a function of those raw domains against header_from: relaxed mode (adkim=r / aspf=r) compares organizational domains, strict mode requires an exact match. These fields are raw — they don't tell you what's a threat and what's a Mailchimp misconfiguration. That's the next step.

Source IPs get reverse-resolved. Senders get grouped by PTR / ASN / matching ESP pattern. We maintain a 28-vendor ESP fingerprint dictionary — SendGrid, Mailgun, HubSpot, Klaviyo, Postmark, MailerLite, Google Workspace, Microsoft 365, and so on. One caveat on PTR: whoever owns the netblock writes its reverse records, so a vendor-looking PTR is worth forward-confirming (its A record should point back at the IP) before it is allowed to place a sender in a trusted bucket.

§ 03

Classify

Here's where Mailstinger diverges from the dashboard pack. Each sender gets a verdict, not just a pass/fail:

  • aligned_both — SPF + DKIM both aligned to header_from. Ship it.
  • aligned_dkim / aligned_spf — one of the two passed alignment. DMARC compliant. Treat aligned_spf on its own as fragile, though: SPF does not survive forwarding or mailing lists, so a sender that only ever aligns on SPF is one forwarded thread away from misaligned.
  • misaligned_esp — neither aligned, but the source matches a known ESP. Almost always a config issue (nobody set up a custom signing domain or return-path at that vendor), not an attack. Still worth a glance at envelope_from: shared ESP infrastructure proves who relayed the mail, not that you asked them to.
  • misaligned_suspicious — neither aligned, source unknown. This is the one that wakes you up.

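How the parse and classify steps fit together, as an added example that is not Mailstinger's receiver code: it unwraps a gzip or zip attachment, pulls the § 02 tuple out of each record, derives alignment from the auth_results domains under the published adkim/aspf mode, and assigns the § 03 verdict. The report, the three-entry ESP dictionary and the ip-to-PTR map are constructed stand-ins (nothing touches the network), and last-two-labels organizational-domain matching is a simplification of the Public Suffix List a real receiver needs.

```python
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile
from dataclasses import dataclass

# Three-entry stand-in for the 28-vendor ESP dictionary (constructed). A pattern matches
# when it equals, or is a parent domain of, the PTR name, the SPF domain or the DKIM domain.
ESP_PATTERNS = {"sendgrid.net": "SendGrid", "mailgun.org": "Mailgun", "mcsv.net": "Mailchimp"}
# Stand-in for reverse DNS (constructed): source_ip -> PTR name, None when nothing resolves.
PTR_FIXTURE = {"203.0.113.10": "mail.example.com", "198.51.100.7": "o7.ptr1234.sendgrid.net", "203.0.113.55": "relay.thirdparty.test", "192.0.2.200": None}
# Constructed aggregate report for example.com: four senders, one per verdict.
SAMPLE_REPORT = b"""<?xml version="1.0"?><feedback>
<report_metadata><org_name>example-provider.test</org_name><report_id>1700000000.123</report_id></report_metadata>
<policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
<record><row><source_ip>203.0.113.10</source_ip><count>40</count><policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row><identifiers><header_from>example.com</header_from><envelope_from>mail.example.com</envelope_from></identifiers>
<auth_results><dkim><domain>example.com</domain><result>pass</result></dkim><spf><domain>mail.example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>12</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row><identifiers><header_from>example.com</header_from><envelope_from>bounces.sendgrid.net</envelope_from></identifiers>
<auth_results><dkim><domain>sendgrid.net</domain><result>pass</result></dkim><spf><domain>sendgrid.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.55</source_ip><count>3</count><policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row><identifiers><header_from>example.com</header_from><envelope_from>relay.thirdparty.test</envelope_from></identifiers>
<auth_results><dkim><domain>example.com</domain><result>pass</result></dkim><spf><domain>relay.thirdparty.test</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.200</source_ip><count>250</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row><identifiers><header_from>example.com</header_from><envelope_from>evil.example</envelope_from></identifiers>
<auth_results><spf><domain>evil.example</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

@dataclass
class Row:  # the § 02 tuple, plus the domains the raw SPF/DKIM results were evaluated for
    source_ip: str
    header_from: str
    envelope_from: str
    dkim_result: str
    spf_result: str
    dkim_aligned: bool
    spf_aligned: bool
    disposition: str
    message_count: int
    dkim_domain: str
    spf_domain: str

def unwrap(payload: bytes) -> bytes:
    # Reports arrive gzip-compressed (RFC 7489) or, from some providers, zipped.
    if payload[:2] == b"\x1f\x8b":
        return gzip.decompress(payload)
    if zipfile.is_zipfile(io.BytesIO(payload)):
        with zipfile.ZipFile(io.BytesIO(payload)) as z:
            return z.read(z.namelist()[0])
    return payload  # already bare XML

def org_domain(name: str) -> str:
    # Relaxed alignment compares organizational domains. Production code needs the
    # Public Suffix List (co.uk, com.au, ...); last-two-labels is a simplification here.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, result: str, header_from: str, mode: str) -> bool:
    if result != "pass" or not auth_domain:
        return False
    if mode == "s":  # strict: the authenticated domain must equal header_from
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)  # relaxed

def parse_report(payload: bytes):
    """Return ((org_name, report_id), [Row, ...]); the first element is the dedup key."""
    root = ET.fromstring(unwrap(payload))
    meta, pol = root.find("report_metadata"), root.find("policy_published")
    adkim, aspf = pol.findtext("adkim", "r"), pol.findtext("aspf", "r")
    rows = []
    for rec in root.findall("record"):
        r, ids, auth = rec.find("row"), rec.find("identifiers"), rec.find("auth_results")
        hf = ids.findtext("header_from", "")
        dkim, spf = auth.find("dkim"), auth.find("spf")  # dkim optional (first signature only), spf required
        dk_dom = dkim.findtext("domain", "") if dkim is not None else ""
        dk_res = dkim.findtext("result", "none") if dkim is not None else "none"
        sp_dom, sp_res = spf.findtext("domain", ""), spf.findtext("result", "none")
        rows.append(Row(r.findtext("source_ip"), hf, ids.findtext("envelope_from", sp_dom), dk_res, sp_res,
                        aligned(dk_dom, dk_res, hf, adkim), aligned(sp_dom, sp_res, hf, aspf),
                        r.findtext("policy_evaluated/disposition", "none"), int(r.findtext("count", "0")),
                        dk_dom, sp_dom))
    return (meta.findtext("org_name"), meta.findtext("report_id")), rows

def esp_match(row: Row, ptr):
    names = [n.lower().rstrip(".") for n in (ptr, row.dkim_domain, row.spf_domain) if n]
    for pattern, vendor in ESP_PATTERNS.items():
        if any(n == pattern or n.endswith("." + pattern) for n in names):
            return vendor
    return None

def classify(row: Row, ptr) -> str:
    if row.dkim_aligned and row.spf_aligned:
        return "aligned_both"
    if row.dkim_aligned:
        return "aligned_dkim"
    if row.spf_aligned:
        return "aligned_spf"
    return "misaligned_esp" if esp_match(row, ptr) else "misaligned_suspicious"

def verdicts(payload: bytes, ptr_lookup=PTR_FIXTURE.get):
    # source_ip -> (verdict, message_count) for every record in one report
    _, rows = parse_report(payload)
    return {row.source_ip: (classify(row, ptr_lookup(row.source_ip)), row.message_count) for row in rows}
```

Running `verdicts(gzip.compress(SAMPLE_REPORT))` yields aligned_both for the tenant's own MTA, aligned_dkim for the forwarder that breaks SPF, misaligned_esp for the SendGrid account with no custom signing domain, and misaligned_suspicious for the unknown source with 250 messages. The ESP match also fires on the signing or SPF domain alone, so a sender with no PTR is still recognised as a vendor when the vendor signed the mail.
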
§ 04

Domain-guard (lookalikes)

Every tenant domain gets a daily sweep through a permutation engine: character swaps, TLD variants, homoglyphs, hyphen insertions, bitsquats. We resolve each candidate for MX and A records, then run a WHOIS lookup. Just-registered domains (under 7 days old) auto-escalate to high risk regardless of MX status, because that is the classic BEC setup window: the domain is registered first, and the mailbox only appears once the lure is ready. Registrar privacy redacts most WHOIS contact fields these days, but the creation date survives redaction, and that is the field this rule depends on.
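The permutation engine and risk rule from this step, as an added example that is not Mailstinger's code: it generates the five candidate classes for one domain, rejects labels DNS would not accept, and ranks findings with the under-7-days rule applied before the MX/A check. The homoglyph and TLD tables are short constructed stand-ins for the real ones, and the DNS and WHOIS lookups are replaced by a constructed fixture passed in as a callable so the sweep runs offline.

```python
import string

# Constructed stand-ins for the real tables: a few homoglyph rules and a short TLD list.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
TLDS = ("com", "net", "org", "co", "io")
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")

def _swaps(name):  # adjacent transposition: exapmle
    for i in range(len(name) - 1):
        yield name[:i] + name[i + 1] + name[i] + name[i + 2:]

def _hyphens(name):  # hyphen insertion: exam-ple
    for i in range(1, len(name)):
        yield name[:i] + "-" + name[i:]

def _homoglyphs(name):  # one substitution per occurrence: examp1e, exarnple
    for src, dst in HOMOGLYPHS.items():
        i = name.find(src)
        while i != -1:
            yield name[:i] + dst + name[i + len(src):]
            i = name.find(src, i + 1)

def _bitsquats(name):  # one flipped bit in one byte that still yields a legal label character
    for i, ch in enumerate(name):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in LABEL_CHARS and flipped != ch:
                yield name[:i] + flipped + name[i + 1:]

def _valid_label(label):
    return bool(label) and not label.startswith("-") and not label.endswith("-") and "--" not in label

def permutations(domain):
    """Return {candidate: kind}; the first generator to produce a name claims it."""
    name, _, tld = domain.lower().partition(".")
    sources = [("tld", [f"{name}.{t}" for t in TLDS if t != tld])]
    for kind, gen in (("swap", _swaps), ("hyphen", _hyphens), ("homoglyph", _homoglyphs), ("bitsquat", _bitsquats)):
        sources.append((kind, [f"{n}.{tld}" for n in gen(name)]))
    out = {}
    for kind, names in sources:
        for cand in names:
            if cand != domain.lower() and _valid_label(cand.split(".")[0]) and cand not in out:
                out[cand] = kind
    return out

def risk(resolves, age_days):
    if age_days is not None and age_days < 7:
        return "high"    # registered this week: the BEC setup window, MX or no MX
    if resolves:
        return "medium"  # older registration with live A/MX records
    return "low"         # unregistered, or registered but pointing nowhere

# Constructed stand-in for the DNS + WHOIS step: candidate -> (has A/MX, days since registration).
LOOKUP_FIXTURE = {"examp1e.com": (True, 2), "exampel.com": (False, 1), "example.net": (True, 3000)}

def sweep(domain, lookup=lambda c: LOOKUP_FIXTURE.get(c, (False, None))):
    """Daily sweep: every candidate, resolved and dated, ordered worst-first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for cand, kind in permutations(domain).items():
        resolves, age = lookup(cand)
        findings.append((cand, kind, resolves, age, risk(resolves, age)))
    return sorted(findings, key=lambda f: rank[f[4]])
```

`sweep("example.com")` puts exampel.com (one day old, no MX yet) at the top next to examp1e.com, with the long-registered example.net as medium and everything unregistered as low. A real lookup callable would wrap the resolver and the WHOIS or RDAP client; the ordering and the risk rule do not change.
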

Findings flow out to you as three exports: generic CSV, an M365 PowerShell snippet that pastes into Exchange Online, and a Google-Workspace Address-list CSV.

§ 05

Remediate

Every finding carries a paste-ready fix: the literal TXT record string, the hostname to publish it at, and a change-log entry for your ticketing system. If we manage the DNS (CNAME delegation), we apply the change ourselves after a one-click confirmation.

Policy advances (p=none → p=quarantine → p=reject) get a staged rollout: we suggest pct=10 first, then 25, then 100, and show you the expected impact against the last 30 days of traffic. Read the pct numbers with RFC 7489 §6.6.4 in mind: the sampled share gets the policy you published and the remainder gets the next-weaker one, so p=reject; pct=10 means 10% rejected and 90% quarantined, not 90% delivered. No surprise-quarantining the CEO's Wednesday newsletter.

§ 06

Alert

Transactional alerts ship with tone=alert: no Precedence: bulk, no List-ID, no List-Unsubscribe. Those bulk markers are exactly what train modern mail filters to file a “your domain is being spoofed” message under newsletters, so we leave them off.

Digests ship as bulk, with one-click List-Unsubscribe per RFC 8058 (List-Unsubscribe plus List-Unsubscribe-Post: List-Unsubscribe=One-Click). They land where they belong.

§ 07

Report

Monthly PDF, white-labelled on Agency+. Rendered from real data in a branded navy-and-gold template. Clients forward it upward without asking what “DMARC” means — it opens with the posture score and closes with the action items signed as your company.

Want to see it pointed at your own domain?

The analyzer runs a live read-out, no signup. Paste your domain, read the verdict, decide for yourself.