Domain Guard

The lookalike-domain sweep your DMARC enforcement can't see.

DMARC blocks attackers who spoof your domain. It does nothing about the one they registered last Tuesday that's one homoglyph off your apex — paypa1.com, microsft-it.com, acme.co instead of acme.com. Domain Guard is the side of the system that watches that namespace.

Start free Read the BEC defender's playbook

How it works

Three layers, one daily report.

Layer 1 — permutation scan

We generate the canonical typo-permutation space for every protected domain — adjacent-key, homoglyph, TLD-substitute, hyphen-insert, doubled-character, omitted-character. Each candidate is checked daily against WHOIS and DNS to see whether it's been registered.

Layer 2 — WHOIS freshness

A lookalike registered four years ago and never used isn't your immediate threat. One registered last week that already has an MX record is. Domain Guard scores by registration recency × DNS posture so the noise drops to the rows that actually warrant a same-day response.

Layer 3 — blocklist push

When a lookalike crosses the action threshold, we ship the blocklist row in the format your tenant expects: a Microsoft 365 PowerShell snippet, a Google Workspace CSV, or a webhook into your SIEM. Detection is the easy half — the hard half is closing the gap before the wire transfer goes out.

What you actually get

Not just a list of registered lookalikes.

Plenty of free tools will hand you a CSV of typo-permutations. They're not useful — most of those rows are unregistered and most of the registered ones are six years old and parked. Domain Guard's job is to turn that flat list into a triaged feed.

DNS posture per row

MX active? A record? Mail-pointing? Domain Guard tells you what each lookalike is configured to do, not just whether it's been bought.

Registration age + change feed

When was the registration created, when was it last updated, and how does that compare to the wave of phishing your industry is seeing right now.

Daily alerts only when warranted

Email + Slack/Teams alerts trigger when a row crosses the threshold — not every morning at 9:00 AM about the same five parked domains you already know about.

M365 + Google Workspace push

One click ships the row into your tenant transport rules so the next forged invoice gets quarantined at the gateway, not flagged after delivery.

Audit-ready evidence

Every escalation, every block, every dismissal is logged. Compliance auditors want a paper trail; you'll have one.

Threat-intel cross-reference

Domain Guard cross-references lookalikes against active phishing-campaign feeds so the rows that match a known-bad pattern jump the queue.

Live in five minutes. Daily reports start tomorrow.

Add your protected domains, pick a delivery channel, and the first sweep completes in under an hour. Included on every paid plan from Solo and up.

Start free See pricing