For a government agency, a school district, or a university, email is both a legal obligation and a favorite target. Citizens, students, and staff act on messages that look like they come from public institutions, so attackers like to hijack their emailing domains to run benefit scams, tax fraud, and credential theft.
DMARC is the email standard that lets receiving servers tell a genuine message from a forged one, and for public bodies it is increasingly required, not optional: US federal agencies have been under a mandate to enforce it since 2017, and the UK and much of the EU now expect it too. This guide compares the DMARC monitoring tools that suit public institutions, judged on what they need most: clear multi-domain reporting, proof of compliance, and a price a public budget can defend. All information in this article was verified directly from vendor websites at the time of publication.
DMARCeye is trusted by public institutions in the United States and other countries, so much of what follows reflects what their teams ask for in practice.
DMARC tells a receiving server like Gmail or Outlook what to do with a message that claims to be from your domain but fails authentication: do nothing (p=none), send it to spam (p=quarantine), or reject it outright (p=reject). It sits on top of two checks, SPF and DKIM, that confirm a given service is allowed to send as your domain. For public institutions, publishing and enforcing a DMARC record is increasingly a rule, not a recommendation.
p=reject since 2017. State, county, and municipal governments increasingly adopt the same bar, and school districts and universities fall under the bulk sender rules below.p=quarantine or p=reject under the Minimum Cyber Security Standard. The NCSC has now retired its free Mail Check service, which many public bodies used for reporting, leaving them to source their own monitoring.One caveat on procurement in the US is that federal agencies operate under authorization regimes, such as FedRAMP, that narrow which vendors they can buy from, so a federal team's choice of tool is constrained. This guide is written for the far larger group that chooses freely: state and local government, school districts, universities, public healthcare and utilities, and public institutions outside the US.
Government was among the most targeted sectors for phishing in 2025, with attempts rising sharply year over year, according to industry threat research. The reason is trust: people act on an email that looks like it comes from a tax office, a benefits agency, or a school, so a forged message converts far better than a random scam.
Through 2025, campaigns hit more than a dozen universities with pages that spoofed student single sign-on portals to harvest credentials, then reused those accounts to send more convincing mail from inside the institution. A domain left at p=none (DMARC's monitoring-only mode) gives receiving servers no instruction to block any of this. Monitoring is how you see which senders are yours, which are forged, and where the forged mail is coming from, before you tighten the policy enough to stop it. If you are not sure what your institution's domain publishes today, check it first.
A public institution is not a single-domain business. A university runs departments, campuses, and a web of subdomains; a county runs services, agencies, and vendors that all send on its behalf. That shapes what matters in a tool:
The six tools below all monitor DMARC well. They differ on price, on how much they explain, and on how much beyond DMARC they try to do. Prices and limits are current as of the date of publication and change often, so confirm on each vendor's pricing page before you buy.
| Tool | Free tier | Entry paid plan | Best fit for a public institution |
|---|---|---|---|
| DMARCeye | 1 domain, 5,000 emails/mo, 30 days | From $4/domain/mo (Scale) | Public teams that want clear guidance across many domains without a DMARC specialist |
| dmarcian | 2 domains, non-business only | $24/mo (Basic, 2 domains) | Teams that want to study the DMARC protocol in depth |
| EasyDMARC | 1 domain, 1,000 emails, 14 days | $35.99/mo (Plus, 2 domains) | A full authentication stack in one dashboard |
| URIports | One-month trial | From $6/mo (Pebble) | Security teams that want DNS and TLS reporting too |
| DMARC Report | 1 domain, 10,000 reports/mo, 30 days | $25/mo (Guard, 5 domains) | A free automated dashboard to start with |
| Postmark DMARC Digests | Free single-domain plan | $14/mo per domain | A simple weekly email instead of a dashboard |
DMARCeye reads your DMARC reports and tells you, for each of your domains, which senders are passing, which are failing, and what to fix next. It enables a public IT team that is not staffed with DMARC specialists to move from monitoring to a safe enforcement policy without guessing, and see all their domains and subdomains in one view. A built-in AI assistant answers questions like "which senders failed last week," so a stretched team gets an answer without digging through reports. You can also connect the same data to a chat tool you already use through MCP, an open standard that lets an AI assistant read your DMARC reports.
Pricing is per domain, from $4 per domain a month on the Scale plan, and the free plan covers one domain and 5,000 emails a month with the full report analyzer, no credit card, which is a straightforward way to start on a single service domain before rolling out wider. DMARCeye currently does not manage BIMI, MTA-STS, or SPF flattening, but these features are on our roadmap.
dmarcian is the pioneer, founded in 2012 by one of the primary authors of the DMARC specification, and its strength is depth and education. It rewards a team that wants to learn the protocol in detail rather than just clear a checkbox, with thorough reporting and genuinely good documentation. For a stretched public IT team that mainly needs to reach enforcement and prove it, that depth can be more than they have time for.
The free Personal tier is for non-business domains only, so an institution needs a paid plan: Basic is $24 a month for two domains, and pricing steps up by domain count, which is worth mapping against how many domains you actually need to cover.
EasyDMARC bundles the whole email-authentication stack in one place: DMARC, SPF flattening, BIMI, MTA-STS, and TLS reporting, with guided onboarding and a large set of free tools. For a larger agency or institution that wants to handle more than DMARC from a single dashboard, that breadth is the draw. The trade-off is price.
The free plan is limited to one domain, 1,000 emails, and 14 days of history, and the entry paid plan, Plus, is $35.99 a month billed annually for two domains, the highest starting price in this list.
URIports takes a technical, monitoring-first approach that fits a security team. Alongside DMARC aggregate and failure reports, it watches DNS and TLS-RPT, so you get a wider view of the domain's health from one place, with webhook and API integrations for automation.
Pricing starts low, from $6 a month on the Pebble plan after a one-month trial, which makes it an economical option for an institution that wants breadth of signal without an enterprise contract. It is less hand-holding than the guidance-led tools, so it rewards a team that is comfortable reading the data.
DMARC Report stands out for a free tier that is usable, not a teaser. The Core plan is free for one domain with 10,000 reports a month, 30 days of history, automated report ingestion, and a real dashboard, so it is a genuine way to start seeing your data at no cost. It is a reporting dashboard rather than a guidance tool, though, so a team that wants to be told what to fix next will outgrow it.
Paid plans begin at $25 a month for the Guard tier with five domains.
Postmark DMARC Digests is the simplest option, built around a weekly or monthly email that summarizes who is sending as your domain and what is failing, with plain guidance on how to fix it. There is a free single-domain plan with weekly digests, and a light dashboard on the paid tier, but the appeal is the low-friction digest for a team that does not want to log in to anything.
It runs $14 a month per domain beyond the free plan. For a single office that wants visibility without a tool to manage, it does the job, though per-domain pricing adds up once an institution has many domains.
In four steps:
p=none and read the reports for a few weeks to confirm nothing legitimate is failing.p=quarantine, then to p=reject, once the reports are clean, and set a subdomain policy (sp=) so an unused subdomain cannot be spoofed. Most domains never declare one, which leaves a gap attackers can use.A monitoring tool is what makes the last steps safe: it shows you, in plain terms, which senders still fail before you tighten the policy. Enforcement is not rare because it's hard, it's rare because teams cannot see clearly enough to trust the change. In DMARCeye's Q1 2026 industry report, only 26.5% of active domains had reached p=reject, with more than a third still parked at p=none.
For a growing number, yes. US federal agencies have been required to enforce DMARC at p=reject since 2017, UK central government has mandated it since 2016, and EU member states expect it of public administration under NIS2. Even where no sector rule applies, Google, Yahoo, and Microsoft require authentication from any domain sending in volume, which covers most agencies, districts, and universities.
Yes. Universities are a frequent target of credential phishing that spoofs student and staff logins, and any institution sending newsletters, notifications, or bulk mail falls under the major mailbox providers' authentication rules. DMARC at enforcement is what stops an attacker from sending mail that appears to come from the school's own domain.
Any of the DMARC monitoring tools in this guide will ingest the same aggregate reports and present them, most with a free tier to start. A public body that relied on a government-run service can move its reporting address to a commercial tool and keep continuity, gaining plain-language guidance and multi-domain views in the process.
To start, often yes. A single-domain office can begin on a real free tier, such as DMARCeye's one domain and 5,000 emails a month, and see exactly which senders pass and fail. You move to a paid plan when you need more domains, longer history, role-based access, or alerting, which most institutions reach as they bring their full estate under monitoring.
For a public institution, DMARC is both a mandate and a defense: it keeps attackers from sending mail that appears to come from a trusted public domain, and it proves to an auditor that you have done so. The right tool is the one that shows all your domains and subdomains clearly, turns reports into a short list of senders to fix, produces evidence you can hand to a security review, and does it at a price a public budget can defend.
If you want guidance rather than raw reports, that is what DMARCeye is built for. It reads your domains' DMARC data and tells you the next step, and you can start on the free plan.