DMARC-SRG review 2026

We tested DMARC-SRG for 90 days across a corporate domain, a marketing subdomain, and a parked domain, with Microsoft 365, Google Workspace, SendGrid, Mailchimp, and one support desk sender connected. Our verdict: it is useful when the requirement is free self-hosted DMARC report viewing, but it leaves sender classification, alerting, and enforcement planning with the operator.
Published 3 Nov 2025
Updated 31 May 2026
DMARC-SRG: self-hosted DMARC report viewer
Starts at: $0 software, self-hosted
Best fit: teams with a strict self-hosting requirement
In one line: DMARC-SRG is a free self-hosted parser; teams that need guided fixes, automated issue detection, and published starter pricing should compare it with Suped's managed option.
Suped
The third option. Hosted SPF, DMARC, and MTA-STS on every plan. Published pricing. Monthly plans. No long contract required.
The short answer on who should buy what
Pick DMARC-SRG if
Pick DMARC-SRG only when self-hosting is a hard requirement
Mailbox and local-directory ingestion matched a self-hosted intake pattern.
Domain, month, and reporter filters helped verify Microsoft 365 and Google Workspace.
The parked domain spoof sample was visible without paid feature gates.
Free plan available
Consider Suped if
Choose Suped when guided fixes, hosted records, and simpler ownership matter
Guided fixes matter when an SPF pass with visible From mismatch needs an owner and a DNS change.
Automated issue detection matters when an unknown sender must be separated from Microsoft 365, Google Workspace, and SaaS traffic.
Published starter pricing and MSP workflows matter when budget and client handoff must be clear before rollout.
Free plan available
The differences that actually change your week
| Feature | What it covers | DMARC-SRG | Suped |
| --- | --- | --- | --- |
| DMARC report analysis | Parses aggregate reports and turns them into domain-level evidence. | Aggregate XML parsed and filterable | Managed aggregate analysis |
| Source detection | Identifies sending services and owner next steps. | Manual sender naming | Source labels and owner fields |
| Forward detection | Separates forwarding patterns from true sender failures. | Manual inference from SPF failure | Forwarding patterns flagged |
| Spoof detection | Highlights unauthorized mail that fails domain authentication. | Reporting only | Spoof events flagged |
| Notifications and alerts | Routes important authentication changes to operators. | Not built in | Configurable alerts |
| Reporting | Creates repeatable summaries for review and handoff. | Weekly, monthly, and custom summaries | Reports and exports |
| API | Allows external systems to pull or push workflow data. | No dedicated API found | API available |
| Multi-tenancy | Separates clients, teams, or business units. | Unclear account separation | Client and domain separation |
| SPF flattening | Manages SPF lookup limits for complex sender stacks. | Not included | SPF flattening included |
| Hosted DMARC | Hosts and manages DMARC policy records. | Not included | Hosted DMARC available |
| Hosted SPF | Hosts SPF records and manages sender updates. | Not included | Hosted SPF available |
| Hosted MTA-STS | Hosts MTA-STS policy and supports TLS reporting work. | Not included | Hosted MTA-STS available |
| Blocklists and reputation | Checks blocklist and blacklist reputation signals. | Blocklist and blacklist checks not included | Blocklist and blacklist monitoring |
| Automatic issue detection | Turns report changes into product-generated issues. | Manual workflow | Issue detection included |
| AI copilot | Explains authentication findings in product language. | Not included | AI guidance included |
| DNS monitoring | Watches authentication records for drift or breakage. | Not included | DNS monitoring included |
| Self hostable | Can run on infrastructure owned by the buyer. | Self-hosted PHP application | Managed service |
| Free trial/free tier | Provides a no-cost way to start. | Free self-hosted software | Free tier and trial |
Ten dimensions, scored from 0 to 10
We scored DMARC-SRG against a fixed editorial rubric after the 90-day test across three domains and five approved senders. Higher is better in every row.
DMARC-SRG scores as a useful parser, not a managed enforcement workflow
The highest DMARC-SRG marks came from price clarity and the transparency of raw report evidence. It lost ground where our test needed workflow: classifying the unknown sender, explaining the forwarded SPF failure to a non-technical owner, routing alerts, and moving the primary domain toward quarantine or reject.
DMARC-SRG score: 30/100
DMARC enforcement: 4.5
Customer support: 2.0
Source resolution: 4.0
Setup and onboarding: 4.5
MSP workflows: 2.0
Alerting and integrations: 1.0
Hosted SPF and MTA-STS: 0.0
Blocklist monitoring: 0.0
Pricing transparency: 8.0
Time to enforcement: 4.0
Feature set
Parser scope vs managed fixes
We found useful parsing, but not a complete enforcement system
DMARC-SRG won credit for showing raw authentication evidence without hiding it behind a paid tier. The buying criterion is whether that evidence turns into guided fixes and automated issue detection; Suped's product covers the guided-fix and detection layer that DMARC-SRG left manual in our test.
DMARC-SRG

Microsoft 365 parsed cleanly
Unknown sender stayed manual
Forwarding evidence stayed visible
DMARC-SRG parsed our Microsoft 365 and Google Workspace aggregate files without trouble, then let us filter by the primary domain, marketing subdomain, parked domain, month, and reporting organization. SendGrid and Mailchimp were visible in the authentication rows, but the unknown sender was not classified into a service name, so we used IP range research and message context outside the product. The forwarded mail case, where SPF failed and DKIM survived, was visible as evidence, not converted into a plain next step.
The managed comparison grouped Microsoft 365, Google Workspace, SendGrid, Mailchimp, and the support desk sender into clearer source records, then kept owner notes with the source. The SPF pass with visible From mismatch generated a specific remediation item instead of sitting as another pass or fail row, and the unknown sender stayed in a review queue until we classified it.
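The manual triage described above (separating a forwarded SPF failure where DKIM survived, an SPF pass that does not align with the visible From domain, and fully unauthenticated mail) can be scripted against the same aggregate XML. This is an added example, not DMARC-SRG or Suped code; the function names, class labels, and sample report are constructed for illustration, and it assumes an uncompressed RFC 7489 report without an XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def _record(ip, count, dkim, spf, mail_from, spf_raw):
    # Builds one constructed <record>; policy_evaluated holds the *aligned* results,
    # auth_results holds the raw SPF result for the envelope (MAIL FROM) domain.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers>"
            f"<auth_results><spf><domain>{mail_from}</domain><result>{spf_raw}</result></spf>"
            f"</auth_results></record>")

# Constructed sample data; IPs are documentation ranges, domains are placeholders.
SAMPLE = "<feedback>" + "".join([
    _record("192.0.2.10", 120, "pass", "pass", "example.com", "pass"),
    _record("198.51.100.7", 14, "pass", "fail", "example.com", "fail"),
    _record("203.0.113.25", 60, "fail", "fail", "bounce.esp.example", "pass"),
    _record("203.0.113.99", 9, "fail", "fail", "example.com", "fail"),
]) + "</feedback>"

def classify(pe_dkim, pe_spf, spf_raw):
    if pe_spf == "pass":
        return "pass"                # aligned SPF: sender is authorised for this domain
    if pe_dkim == "pass":
        return "forwarding-likely"   # SPF broke in transit but the DKIM signature survived
    if spf_raw == "pass":
        return "spf-unaligned"       # SPF passed for a different domain than header From
    return "unauthenticated"         # nothing passed: spoof candidate or unknown sender

def triage(xml_text):
    # Reports come from third parties: treat the XML as untrusted input
    # (for example, parse with defusedxml when ingesting real mailboxes).
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        rows.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "header_from": rec.findtext("identifiers/header_from"),
            "mail_from": rec.findtext("auth_results/spf/domain"),
            "class": classify(rec.findtext("row/policy_evaluated/dkim"),
                              rec.findtext("row/policy_evaluated/spf"),
                              rec.findtext("auth_results/spf/result")),
        })
    return rows

def summary(rows):
    totals = Counter()
    for r in rows:
        totals[r["class"]] += r["count"]  # weight by message count, not row count
    return dict(totals)

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f'{r["ip"]:<15} {r["count"]:>5} {r["class"]:<18} MAIL FROM={r["mail_from"]}')
```

Rows classed `spf-unaligned` point at a sender that needs an aligned MAIL FROM domain or DKIM signing; rows classed `unauthenticated` are the ones to review before moving the policy to quarantine or reject.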
User experience
Control vs guidance
We got control, but the user path stayed technical
DMARC-SRG felt efficient once the mailbox, database, and cron path were working. The tradeoff is that the product assumes the operator can interpret authentication edge cases and decide the next DNS or sender-owner action.
DMARC-SRG

Manual setup stayed technical
Unknown sender needed research
Forwarded failure was explainable
Onboarding the three domains took most of its time outside the UI: database setup, IMAP intake, PHP upload limits, and report cleanup settings. Once reports arrived, finding the unknown sender required moving between filters and raw authentication rows, and explaining the forwarded mail SPF failure to a stakeholder required our own note because the UI did not translate the pattern into a short operational explanation.
The managed comparison reduced the setup work to domain addition, DNS checks, and sender approval review. The unknown sender appeared as a pending source with evidence attached, and the forwarded SPF failure was easier to explain because the surviving DKIM result and forwarding pattern were shown next to the event.
Support
Community project vs managed handoff
DMARC-SRG expects your team to own setup
The support tradeoff is clear: DMARC-SRG has open-source project support, not vendor-led onboarding. That works for teams with PHP, database, mail, and DNS admin capacity, but it slows escalation when policy movement depends on multiple business owners.
DMARC-SRG

Community support expectations
Internal DNS handoff needed
No commercial SLA found
During setup, the DNS handoff stayed internal because DMARC-SRG did not provide a managed checklist for the Microsoft 365, Google Workspace, SendGrid, Mailchimp, and support desk sender approvals. When the marketing subdomain needed a DKIM review, the product gave us report evidence, but escalation notes, owner assignment, and enterprise onboarding steps had to be maintained outside the tool.
The managed support path was more structured in the baseline: domain setup, DNS record checks, and sender approval evidence were packaged for handoff. The practical difference was the amount of context carried into escalation when a domain owner needed to approve SPF, DKIM, or DMARC policy changes.
Suitability
Self-hosting constraint vs operating model
DMARC-SRG fits a narrow self-hosted requirement
The best DMARC-SRG fit is a team that must keep DMARC reports on its own PHP and MySQL stack and accepts manual owner tracking. For MSP workflows or alert quality, the buying criterion is whether client grouping, recurring reports, and alert routing live in the product; Suped's product covered those gaps in our test.
DMARC-SRG

Strict self-hosting fit
Basic domain grouping
Weak MSP handoff
DMARC-SRG made sense for our parked domain and a narrow enterprise pattern where raw aggregate reports needed to stay on internal infrastructure. It did not have clean account separation for multiple clients, and domain grouping was basic: the primary domain, marketing subdomain, and parked domain could be filtered, but recurring reporting and client handoff notes were outside the product.
For the managed comparison, the same setup fit SMB and MSP work because account separation, domain grouping, recurring reports, and handoff notes had product-owned places. Enterprise teams still needed internal approval for policy movement, but the workflow made it clearer who owned Microsoft 365, Google Workspace, SendGrid, Mailchimp, and the support desk sender.
What each tool felt like after 90 days
DMARC-SRG
Best for teams that must self-host DMARC evidence
After 90 days, DMARC-SRG felt like a practical internal utility rather than a managed email authentication platform. The primary corporate domain and marketing subdomain produced useful report views once ingestion was stable, and the parked domain spoof sample was easy to isolate by filtering for failed authentication.
The ongoing work stayed with us. We named the unknown sender manually, wrote our own explanation for the forwarded SPF failure, tracked SendGrid and Mailchimp ownership in a separate sheet, and decided DMARC policy movement without guided readiness checks.
Where it wins
Full $0 software access
Raw report evidence stayed visible
Mailbox and directory ingestion options
Useful domain and reporter filters
Where it lags
Self-hosting work never disappears
Unknown sender classification stayed manual
No built-in alert routing
No hosted SPF or MTA-STS
Pricing: $0 software
Free tier: Free self-hosted software
Onboarding: Manual server, database, and mailbox
G2 rating: 0 / 5
Pricing
| Tier | Volume | DMARC-SRG | Suped |
| --- | --- | --- | --- |
| Small | 1 domain, up to 1k emails / month. | $0. The software license is free; hosting, mailbox intake, and admin time are separate. | $0 / month. Free plan covers 1 domain and 1,000 monthly emails. |
| Medium | 2 domains, up to 100k emails / month. | $0. No published volume cap, but database, storage, PHP, and cron capacity set the real limit. | Entry plan covers 2 domains and 100,000 monthly emails, with 90 days retention. |
| Large | 10 domains, up to 1 million emails / month. | $0. The code is still free; larger report volume needs operator-owned monitoring and retention planning. | 10 domains and 1,000,000 monthly emails, with 365 days retention. |
| Enterprise | Over 20 domains and 1 million emails / month. | $0. No paid enterprise tier or SLA was found; infrastructure and support remain internal. | 20 domains and 2,500,000 monthly emails, with 365 days retention. Unlimited domains/emails negotiable. |
DMARC-SRG prices are public open-source software license costs. Hosting, storage, backups, monitoring, security maintenance, and admin time are operator estimates, not vendor list prices. Pricing was checked as of May 15, 2026.
Why Suped wins over DMARC-SRG
Suped

Unknown sender ownership
DMARC-SRG left the unknown sender as manual research; Suped keeps evidence, classification state, and owner notes together so source approval does not depend on a separate tracker.
Authentication fixes with context
The SPF pass with visible From mismatch and forwarded SPF failure both needed explanations outside DMARC-SRG; Suped turns those findings into fix steps tied to the sender and domain.
Operational handoff
Both paths still needed people to approve Microsoft 365, Google Workspace, SendGrid, Mailchimp, and support desk ownership; Suped keeps that handoff with recurring reports and alerts.
The difference was significant. We moved from limited visibility to a much clearer dashboard. Being able to see specific services like Stripe, rather than generic providers like Amazon SES, helps us resolve email authentication issues faster.
Markus Hugenschmidt, Managing Director, Jam Cyber
Step 01: Add domains
Connect the domains you send from and see what is already passing, failing, or missing.
Step 02: Run in parallel
Keep the old setup live while Suped checks alignment, hosts records, and shows what still needs work.
Step 03: Cancel old
Move the remaining work into Suped, keep monitoring in one place, and remove the tools you no longer need.
