DMARC Autopilot← Back to home

Privacy Policy

Last updated: April 3, 2026

1. Overview

DMARC Autopilot ("we", "our", or "us") operates dmarcautopilot.com. This Privacy Policy explains how we collect, use, and protect information when you use our email authentication compliance scanner and monitoring service.

2. Information We Collect

2.1 Information you provide

  • Email address — when you sign up for a free account using our magic link login. We use this to authenticate you and send service notifications.
  • Domain names — domains you add to your monitoring dashboard.
  • Notification preferences — your choices for email alerts, Slack webhooks, and custom webhooks.
  • DMARC aggregate reports — XML files you upload or that arrive via our inbound email webhook for your monitored domains.

2.2 Information collected automatically

  • IP addresses — used for rate limiting on our public scan API. Not stored beyond the request.
  • Scan results — DNS record lookups for domains you scan (SPF, DKIM, DMARC, MX, BIMI, MTA-STS). Results for free scans are not linked to any account.
  • Usage analytics — aggregate, anonymized page view data via Plausible Analytics (privacy-preserving, no cookies, no personal data).

3. How We Use Your Information

  • To authenticate you and maintain your session
  • To perform DNS checks on domains you add to monitoring
  • To send score-drop alerts, DNS change notifications, and weekly digests
  • To parse and display DMARC aggregate reports you submit
  • To improve the accuracy and performance of our scanning service
  • To respond to support requests

We do not sell your personal data. We do not use your data for advertising.

4. Data Retention

  • Account data — retained until you delete your account.
  • Scan history — retained for the life of the monitored domain in your dashboard.
  • DMARC report data — retained until you delete the associated domain or your account.
  • Session cookies — expire after 30 days of inactivity.

5. Cookies

We use a minimal set of cookies:

  • session (essential) — an HttpOnly JWT cookie used to authenticate your session. Required for the dashboard to function. Expires after 30 days.
  • cookie_consent (functional) — remembers your cookie consent choice. Expires after 1 year.

We do not use advertising cookies, third-party tracking cookies, or fingerprinting technologies. Plausible Analytics, our analytics provider, is cookieless.

6. Third-Party Services

  • Resend — transactional email delivery. Your email address is shared with Resend to deliver magic link login emails and notifications.
  • Vercel — hosting and serverless infrastructure. Data is processed in Vercel's infrastructure. See Vercel's privacy policy.
  • Vercel Postgres — database hosting for your account data.
  • OpenAI — if you use the AI fix recommendations feature, your domain's DNS check results are sent to OpenAI's API. No personal data is included.
  • Sentry — error tracking. Error reports may include request URLs and stack traces but are stripped of personal data before transmission.
  • Plausible Analytics — cookieless, privacy-preserving page view analytics. No personal data is collected.

7. Your Rights

You may, at any time:

  • Export your data — download a JSON file of your domains, scan history, and preferences from your account settings.
  • Delete your account — permanently delete your account and all associated data from your account settings.
  • Unsubscribe — opt out of notification emails via notification preferences in your dashboard settings, or via the unsubscribe link in any email we send.

If you are located in the European Economic Area (EEA) or the United Kingdom, you also have rights under GDPR / UK GDPR, including the right to access, rectify, or erase personal data, and to lodge a complaint with your supervisory authority.

To exercise any of these rights, contact us at privacy@dmarcautopilot.com.

8. Security

We implement appropriate technical and organizational measures to protect your data, including HttpOnly session cookies, HTTPS-only transport, security headers (HSTS, CSP, X-Frame-Options), and server-side token validation. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

9. Children's Privacy

DMARC Autopilot is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us.

10. Changes to This Policy

We may update this policy from time to time. We will notify registered users by email of material changes. The "Last updated" date at the top of this page reflects when the policy was last revised.

11. Contact

Questions about this Privacy Policy? Contact us at privacy@dmarcautopilot.com.