Postvale Prove
Domain posture, with proof your auditor verifies in their browser.
Every alert, scorecard, and workpaper hashes into a public Merkle chain anchored by an external RFC 3161 timestamping authority. Your auditor runs the free open-source verifier in their own browser - no Postvale login - and confirms nothing was modified, deleted, or reordered. Mapped to 21 frameworks including OSFI B-13, APRA CPS 234 / 230, PCI DSS, HIPAA, SOC 2, ISO 27001, NIS2, DORA, SEC, NYDFS, FedRAMP, IRAP.
Continuous TLS / DMARC / DNS / threat-intel monitoring underneath. Two-second Scam Check in Gmail and Outlook on top. Buy any layer standalone, or take the whole audit-evidence stack as one.
Dashboard (demo data)
Monitored domains, each shown with an overall grade badge and per-check grade pills (TLS, HDR, DM, CA, MI):
- cloudflare.com - grade C
- shop.acme.com - grade A
- admin.acme.com:8443 (Internal admin panel) - grade B
How Postvale works
Three products. One platform.
Defend
Postvale Extension
A button in Gmail and Outlook that tells you whether the email you're reading is real or a scam. Click it on anything suspicious; in two seconds you get the verdict plus the receipts - who actually sent it, what's in the links, whether it's been seen before. We also scan every link in the email against malware and phishing feeds, and flag suspicious ones with little icons right in your inbox.
Sender domain is only 7 days old and DMARC policy is not enforced.
Why we say so
- Sender domain registered 7 days ago - common phishing tell.
- DMARC set to p=none, so receivers don't reject spoofed mail.
Verify with the sender through a different channel (phone, Slack) before clicking any links.
Prove
Postvale Prove
Evidence that verifies itself. Chain of custody on every alert and workpaper, third-party timestamping, and a free public verifier your auditor runs independently. They don't have to trust us - they can prove the artifact hasn't been altered. Mapped to OSFI B-13, APRA CPS 234, PCI DSS 4.0, SOC 2, HIPAA, NIS2, DORA, SEC cyber, CASL, AU Spam Act.
Evidence pack (demo):
- scorecard-acme.com.pdf (24 KB, #a3f1c2)
- wp-email-auth.pdf (38 KB, #b9e480)
- wp-tls-cert.pdf (41 KB, #c128df)
- wp-vendor-inventory.pdf (29 KB, #d55a7e)
- alerts-q2-2026.csv (12 KB, #e7b332)
- chain-of-custody.json (2 KB, #f04b91)
Control mapping:
- SOC 2: CC6.7, CC9.1, CC7.3
- PCI DSS 4.0: Req 4.2, 12.8, 12.10
- OSFI B-13: P2, P3, P4, P7
- plus HIPAA · NIS2 · DORA · NYDFS · SEC · APRA
Watch - the foundation
Postvale Domain Monitor
The continuous monitoring layer Defend + Prove sit on top of. Keeps eyes on your website and email setup around the clock: certificate expiry, DMARC / SPF drift, new subdomains showing up, your company on a ransomware leak site, a copy of your login page going live to steal customer passwords. Every alert above is generated here.
Live Certificate Transparency tail (demo):
- 19:10:22 api.acme.com (ZeroSSL)
- 19:10:19 cdn.example.com (DigiCert)
- 19:10:17 shop.acme.com (ZeroSSL)
- 19:10:14 shop.acme.com (Let's Encrypt)
New subdomain on your apex: portal.acme.com
A certificate was issued for this hostname 14 seconds ago. Not in your monitored inventory.
- Detected: 14s ago
- Issuer: Let's Encrypt
- IP: 142.250.190.142
- Routed via: Slack #ops + email
Used by
IT and Security Teams keeping the email surface clean · MSPs running 30+ customer domains · Internal audit teams at Canadian banks (OSFI B-13), Australian financial institutions (APRA CPS 234), US public companies (SEC cyber disclosure), and healthcare orgs (HIPAA) · Compliance officers mapping email controls to PCI DSS 4.0, SOC 2, NIS2, CASL, and the AU Spam Act.
Different
Six things you won't find elsewhere at this price.
Posture monitoring is a crowded category. These are the highest-leverage things we ship that the rest of the field either skips entirely or charges enterprise pricing for.
An audit log your auditor verifies independently
Every alert, scan, and workpaper hashes into a public Merkle chain (per-row + per-user). Daily anchor heads are timestamped by an external RFC 3161 Time Stamping Authority. The free open-source verifier runs in your auditor’s browser or terminal - no Postvale login - and proves no row was modified, deleted, or reordered after the fact.
vs the competition: Every other GRC tool asks the auditor to trust the dashboard. We ship the cryptographic proof + the verifier source code + the public anchor. The auditor doesn’t need to take our word for anything.
Sub-10-second alerts from CT logs
New TLS cert issued for a subdomain or a brand-lookalike host? You get the alert seconds after issuance, not on the next hourly polling cycle. Live tail of the public Certificate Transparency stream, matched against your monitored apexes and brand watchlist keywords in real time.
vs the competition: Most monitors poll on a fixed cadence and discover new hostnames hours late. Phishing kits often go live within minutes of cert issuance - the gap between hourly and real-time is the gap between catching it pre-attack and post-attack.
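The matching step of that pipeline, as an added illustration that is not Postvale's matcher: names taken from each certificate in the stream are checked against the monitored apexes, the known inventory and the brand keywords. The entry shape, the two-label apex rule and the keyword-contains lookalike test are simplifications made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// CertEntry is one certificate from the CT stream, reduced to what the matcher needs
// (a constructed shape; real log entries are X.509 leaves or precertificates).
type CertEntry struct {
	Issuer string
	Names  []string // CN plus subjectAltNames
}

// Watch is the monitoring configuration: apexes you own, hostnames already in inventory,
// and brand keywords for lookalike detection.
type Watch struct {
	Apexes, Inventory map[string]bool
	Keywords          []string
}

// Alert.Kind is "new-subdomain" (your apex, host not in inventory) or "brand-lookalike" (foreign apex).
type Alert struct{ Kind, Host, Issuer string }

// apexOf takes the last two labels as the registrable domain. That is a simplification for this
// example; production code must consult the Public Suffix List (think co.uk).
func apexOf(host string) string {
	l := strings.Split(host, ".")
	if len(l) < 2 {
		return host
	}
	return strings.Join(l[len(l)-2:], ".")
}

// normalize lower-cases, drops a trailing dot and strips a wildcard label, so *.acme.example and
// ACME.example. both become acme.example.
func normalize(name string) string {
	return strings.TrimPrefix(strings.ToLower(strings.TrimSuffix(name, ".")), "*.")
}

// lookalike flags a foreign apex whose registrable label contains a brand keyword.
func lookalike(apex string, keywords []string) bool {
	label, _, _ := strings.Cut(apex, ".")
	for _, kw := range keywords {
		if strings.Contains(label, strings.ToLower(kw)) {
			return true
		}
	}
	return false
}

// Match classifies every distinct name on one certificate against the watch configuration.
func Match(e CertEntry, w Watch) (out []Alert) {
	seen := map[string]bool{}
	for _, raw := range e.Names {
		host := normalize(raw)
		if seen[host] {
			continue
		}
		seen[host] = true
		apex := apexOf(host)
		switch {
		case w.Apexes[apex] && !w.Inventory[host]:
			out = append(out, Alert{"new-subdomain", host, e.Issuer})
		case !w.Apexes[apex] && lookalike(apex, w.Keywords):
			out = append(out, Alert{"brand-lookalike", host, e.Issuer})
		}
	}
	return out
}

// SampleWatch and SampleStream are constructed demo data; acme.example stands in for a customer apex.
func SampleWatch() Watch {
	return Watch{
		Apexes:    map[string]bool{"acme.example": true},
		Inventory: map[string]bool{"acme.example": true, "www.acme.example": true, "shop.acme.example": true},
		Keywords:  []string{"acme"},
	}
}

func SampleStream() []CertEntry {
	return []CertEntry{
		{"ZeroSSL", []string{"api.example.net"}},
		{"Let's Encrypt", []string{"portal.acme.example"}},
		{"Let's Encrypt", []string{"login.acme-helpdesk.example", "www.acme-helpdesk.example"}},
		{"ZeroSSL", []string{"acmepay.example", "*.acmepay.example"}},
		{"DigiCert", []string{"shop.acme.example", "WWW.acme.example."}},
	}
}

func main() {
	for _, e := range SampleStream() { // a live tail would feed entries here as they arrive
		for _, a := range Match(e, SampleWatch()) {
			fmt.Printf("%-16s %-30s issued by %s\n", a.Kind, a.Host, a.Issuer)
		}
	}
}
```

Real ingestion reads the logs' get-entries endpoints (or an aggregated feed) and parses precertificates, which carry the names before the final certificate exists; apex extraction needs the Public Suffix List; and keyword containment is only the first lookalike filter, with edit distance and homoglyph folding layered on top.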
Threat intel that fits SMB budgets
Layered reputation (malware feeds, phishing feeds, active-threat IOC, IP abuse, mail blocklists, domain age) PLUS continuous monitoring layers usually paywalled at four-figure pricing - all anchored on your monitored domains: leak-site mentions of YOUR apex, credentials at YOUR apex appearing in breach corpora, CVEs on the tech serving YOUR apex (fingerprinted from response headers), and phishing-kit fingerprinting on typosquats of YOUR apex.
vs the competition: The premium threat-intel platforms charge $25-100k/year for this kind of coverage. We layer it into Pro at $79/mo because at SMB scale, "your domain just got pwned" matters more than feature count.
Watches non-443 HTTPS endpoints
Cert expiry on your admin panel running on 3128 or 8443. Internal tools and self-hosted services that other monitors silently skip.
vs the competition: The competition is 443-only. If your service runs anywhere else, you do not get watched.
AI remediation, on your actual report
Stream a 30-day rollout plan tailored to your DMARC values, your DNS provider, and your specific failures. Not generic chatbot advice.
vs the competition: Nowhere else feeds the structured scan into an LLM. You end up pasting RFC links into Slack instead.
Pricing you can read on the box
Free with 1 monitored domain (daily scan). Starter at $30/mo for 5 domains of pure posture. Pro at $79/mo for 10 domains with the full threat-intel layer. MSP at $699/mo for 100. Every tier on the page; no "request a demo" gating.
vs the competition: The boring incumbent is $129/mo for 6 monitors. The risk-rating tools say "request a demo." We just tell you the number.
Open source
Every Postvale check, in your terminal.
The Postvale CLI is MIT-licensed and runs anywhere Go binaries do. Use it in CI to gate deploys on a posture regression, audit a domain from a hardened workstation, or verify a Postvale audit-chain export without ever talking to our servers. The verifier is byte-for-byte the same code your auditor runs in their browser.
- 25+ subcommands, Phase 1 shipped. TLS, DMARC, DNS, scam, spoofability, vendors, evidence packs - and the audit verifier.
- --exit-on-fail. Wire any check into a pipeline; gate deploys on a failing posture grade.
- Every line is publicly reviewable. Read the source, audit the protocols, file an issue, send a patch.
Postvale Extension
Every employee gets a one-click second opinion on suspicious email.
The extension lives in Gmail and Outlook and adds inline pills to every message: DMARC posture, sender domain age, malware feed match, threat-IOC match, brand-watch match. When something feels off, the operator clicks "Is this real?" and gets an AI verdict that cites every signal it used - so they can audit the answer instead of trusting a black box.
- Free tier for trying it. Sign up free (no card) to use your 1 lifetime trial Scam Check. Pills + body-link scoring stay unlimited on every plan.
- Pooled team budget, not per-seat. A Team 100 plan gets 1,000 triages a week shared across all 100 employees - the five power-users who actually look at sketchy email don't starve the rest of the team.
- Push to the whole org in one policy. Chrome / Edge / Firefox managed-storage for the browser extension and Microsoft 365 centralised deploy for the Outlook desktop add-in. IT pastes one policy in GPO / Jamf / Workspace; every endpoint gets the extension pre-configured. No per-user token paste.
- Top-up packs for busy weeks. Burned through your aggregate budget? Buy 100 / 500 / 1000 credits one-off; they expire end of period so you can't accidentally hoard.
Demo verdict:
"Hi - your account password expires in 24 hours. Please verify your credentials at acme-helpdesk.com/verify..."
Sender apex registered 14 days ago, brand-watch hit on "acme", and the body link goes to the same young apex. Treat as a credential-harvest attempt.
Recommended: do not click. Report via your phishing button. Forward sample to [email protected].
Budget: 17 of 1000 / week pooled (Team 100).
The actual fix
We don't just grade your DMARC. We tell you the record to publish.
Most posture tools score you red and walk away. Postvale hands you the exact DMARC TXT record that fixes the finding, calibrated to what your senders are actually doing today, and a per-week rollout plan so you don't quarantine legitimate mail by accident.
- Personalised - we read your live SPF/DKIM coverage and pick a pct rollout cadence that matches.
- Auditable - every recommended tag has an inline citation to the RFC clause it satisfies.
- Reversible - the rollout plan is week-by-week so a regression costs you a percentage point of mail, not a Friday.
Before (observe-only):
v=DMARC1; p=none; rua=mailto:[email protected]
After (enforced):
v=DMARC1; p=reject; sp=reject; pct=100; aspf=s; adkim=s; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
↳ Rolled out over 4 weeks. Pre-flight: SPF + DKIM coverage already 99.4%.
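The shape of such a planner, as an added example and not the product's own engine: parse and validate a DMARC record, then emit a week-by-week sequence of records whose aggressiveness depends on how much mail already passes with alignment. The 99 % threshold, the pct steps and the placeholder mailbox are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ParseDMARC splits a DMARC TXT record into tag/value pairs; RFC 7489 requires v=DMARC1 first and a p= tag.
func ParseDMARC(rec string) (map[string]string, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(rec, ";") {
		if part = strings.TrimSpace(part); part == "" {
			continue
		}
		k, v, ok := strings.Cut(part, "=")
		if !ok {
			return nil, fmt.Errorf("tag %q has no value", part)
		}
		k, v = strings.ToLower(strings.TrimSpace(k)), strings.TrimSpace(v)
		if len(tags) == 0 && (k != "v" || v != "DMARC1") {
			return nil, fmt.Errorf("record must start with v=DMARC1")
		}
		tags[k] = v
	}
	if tags["p"] == "" {
		return nil, fmt.Errorf("required tag p= missing")
	}
	return tags, nil
}

var policies = map[string]bool{"none": true, "quarantine": true, "reject": true}

// Validate returns every problem found in a parsed record; an empty slice means it is clean.
func Validate(tags map[string]string) (issues []string) {
	for _, k := range []string{"p", "sp"} {
		if v, ok := tags[k]; ok && !policies[v] {
			issues = append(issues, k+"= must be none, quarantine or reject")
		}
	}
	if pct, ok := tags["pct"]; ok {
		if n, err := strconv.Atoi(pct); err != nil || n < 0 || n > 100 {
			issues = append(issues, "pct= must be an integer 0-100")
		}
	}
	for _, k := range []string{"rua", "ruf"} {
		for _, uri := range strings.Split(tags[k], ",") {
			if uri = strings.TrimSpace(uri); uri != "" && !strings.HasPrefix(uri, "mailto:") {
				issues = append(issues, k+"= entries must be mailto: URIs")
			}
		}
	}
	return issues
}

// Step is one week of the rollout plan.
type Step struct{ Week int; Record, Note string }

// render emits tags in a fixed order so successive records diff cleanly.
func render(tags map[string]string) string {
	var parts []string
	for _, k := range []string{"v", "p", "sp", "pct", "aspf", "adkim", "rua", "ruf", "fo"} {
		if v, ok := tags[k]; ok {
			parts = append(parts, k+"="+v)
		}
	}
	return strings.Join(parts, "; ")
}

// Plan builds a week-by-week path from p=none to p=reject, calibrated to the measured share of mail already
// passing SPF or DKIM with alignment. The 99 % threshold and the pct steps are assumptions of this example.
func Plan(rua string, alignedPct float64) (plan []Step) {
	type stage struct{ p, pct, note string }
	stages := []stage{{"none", "", fmt.Sprintf("only %.1f%% aligned: fix SPF/DKIM coverage before enforcing", alignedPct)}}
	if alignedPct >= 99 {
		stages = []stage{{"none", "", "observe only; read the aggregate reports"}, {"quarantine", "25", "spam-folder a quarter of failures"},
			{"quarantine", "100", "quarantine every failure"}, {"reject", "", "enforce; keep reading reports"}}
	}
	for i, s := range stages {
		t := map[string]string{"v": "DMARC1", "p": s.p, "sp": s.p, "aspf": "s", "adkim": "s", "rua": rua}
		if s.pct != "" {
			t["pct"] = s.pct
		}
		if s.p == "reject" {
			t["fo"] = "1" // request a failure report whenever any mechanism fails
		}
		plan = append(plan, Step{i + 1, render(t), s.note})
	}
	return plan
}

func main() {
	rua := "mailto:dmarc@acme.example" // constructed placeholder mailbox
	tags, _ := ParseDMARC("v=DMARC1; p=none; pct=150; rua=" + rua)
	fmt.Println("issues:", Validate(tags))
	for _, s := range Plan(rua, 99.4) {
		fmt.Printf("week %d: %s   (%s)\n", s.Week, s.Record, s.Note)
	}
}
```

Note that pct only applies to quarantine and reject; a p=none record with pct=25 changes nothing, which is why the plan's first step carries no pct. The aligned share the planner is fed comes from the aggregate (rua) reports, so week one is where that number is actually measured.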
Free tools
Every check, free, no signup.
Pick a tool and run it against any public domain. Most are unlimited; the heavier composite tools have generous daily caps. Pro lifts the caps and adds continuous monitoring, alerts, and the dashboard.
TLS / SSL check
Cert validity, expiry, full chain trust, hostname match, protocol scan, cipher strength, HSTS.
DMARC + SPF
Policy, alignment, reporting endpoints, SPF presence and lookup count, recommendations.
DNS health
DNSSEC validation, CAA records, NS consistency, MX records, registrar expiry, mail-blocklist coverage + layered threat intelligence.
Reputation + threat intel
Malware/phishing distribution intel, active-threat IOC matching, IP abuse confidence, mail blocklists, and domain registration age. One verdict, every signal.
Security headers
HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP.
BIMI
BIMI DNS record, logo asset, VMC certificate URL, DMARC enforcement requirement.
MTA-STS + TLS-RPT
DNS record, fetched policy file, mode + max-age + MX list, TLS-RPT reporting endpoint.
SPF flattener
Resolve include: chains recursively, get a 0-DNS-lookup flat record. Fix the 10-lookup PermError.
SPF record generator
Pick the senders you use (Google, M365, SendGrid, Mailgun, 15+ presets) and emit a syntactically-correct SPF record with a real-time RFC 7208 lookup counter.
SPF raw validator
Paste an SPF string and validate the syntax before you publish. Tokeniser, lookup counter, common-mistake flagger - no DNS lookups required.
DKIM TXT record generator
Paste the public key your mail platform gave you, get the DKIM TXT record properly formatted with v= / k= / h= / p= tags and the right multi-string split for long values.
BIMI record generator
Enter domain + logo URL + VMC URL, get the BIMI TXT record ready to publish at default._bimi. Inline validation for the HTTPS / SVG requirements.
BIMI logo (SVG Tiny PS) validator
Paste or upload your logo SVG. We check every BIMI requirement (baseProfile, version, square viewBox, title, disallowed tags) and emit a cleaned output you can publish. Browser-side - SVG never leaves your machine.
MTA-STS generator
Generate both the DNS TXT record AND the policy file MTA-STS needs in one pass. RFC 8461 syntax, max_age enforcement, pair-with-TLS-RPT guidance.
TLS-RPT generator
Generate the TLS-RPT (TLS reporting) DNS record. Multiple mailto: / https: destinations supported. Pair with MTA-STS for the full transport-encryption story.
Phishing link checker
Paste a URL (or up to 64 at once) and get a verdict against malware / phishing / threat-IOC feeds. Useful for chat / SMS / document links the extension can't see.
DMARC report viewer
Paste a raw DMARC aggregate XML report (or upload the .xml.gz Google/Microsoft sent you), get a clean visualization PDF. Pass-rate breakdown, top sources, recommendations.
DMARC walk-through wizard
Interactive step-by-step migration. Free DNS state lookup. Pro+ unlocks AI-personalized plan: exact TXT records you need plus a week-by-week rollout plan from p=none to p=reject.
Subdomain inventory
Every subdomain ever issued a certificate, via Certificate Transparency logs.
Subdomain takeover check
Walks the CNAME chain of any subdomain and fingerprints it against 20+ known-vulnerable services (GitHub Pages, S3, Azure, Zendesk, Netlify, Vercel, etc.). Flags dangling CNAMEs an attacker can re-claim.
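The CNAME walk behind that check, as an added example that is not the product's own code: follow the chain over a constructed zone, then flag a target that no longer resolves and sits at a provider where anyone can claim the name. The suffix list is an illustrative subset and an assumption of this example, and "dangling" here means NXDOMAIN only.

```go
package main

import (
	"fmt"
	"strings"
)

// Zone is a constructed in-memory stand-in for DNS so the walk runs offline.
type Zone struct {
	CNAME map[string]string   // host -> canonical name
	A     map[string][]string // host -> addresses; a missing entry models NXDOMAIN
}

// fingerprints maps CNAME-target suffixes to services where anyone can claim an unclaimed name. An
// illustrative subset and an assumption of this example; real exposure depends on each provider's current rules.
var fingerprints = map[string]string{
	"github.io":         "GitHub Pages",
	"s3.amazonaws.com":  "Amazon S3",
	"azurewebsites.net": "Azure App Service",
	"netlify.app":       "Netlify",
	"zendesk.com":       "Zendesk",
}

type Result struct {
	Chain    []string // the hostname followed by every CNAME hop
	Service  string   // provider matched on any hop, if any
	Dangling bool     // final target has no address record
	Risk     string   // "high", "review" or "none"
}

func serviceFor(host string) string {
	for suffix, svc := range fingerprints {
		if host == suffix || strings.HasSuffix(host, "."+suffix) {
			return svc
		}
	}
	return ""
}

func clean(h string) string { return strings.ToLower(strings.TrimSuffix(h, ".")) }

// Walk follows the CNAME chain from host (at most 10 hops, loop-safe) and classifies the result.
func (z Zone) Walk(host string) (Result, error) {
	host = clean(host)
	r := Result{Chain: []string{host}, Risk: "none"}
	seen := map[string]bool{host: true}
	cur := host
	for hop := 0; hop < 10; hop++ {
		next, ok := z.CNAME[cur]
		if !ok {
			break
		}
		if next = clean(next); seen[next] {
			return r, fmt.Errorf("CNAME loop at %s", next)
		}
		seen[next] = true
		r.Chain = append(r.Chain, next)
		cur = next
	}
	if _, stillCNAME := z.CNAME[cur]; stillCNAME {
		return r, fmt.Errorf("CNAME chain from %s exceeds 10 hops", host)
	}
	if len(r.Chain) == 1 {
		return r, nil // no CNAME: a stale A record pointing at a released cloud IP is a separate check
	}
	r.Dangling = len(z.A[cur]) == 0
	for _, h := range r.Chain[1:] {
		if r.Service = serviceFor(h); r.Service != "" {
			break
		}
	}
	switch {
	case r.Dangling && r.Service != "":
		r.Risk = "high" // unclaimed name at a provider that lets anyone claim it
	case r.Dangling:
		r.Risk = "review" // dangling at an unclassified target: is the domain registrable or the service claimable?
	}
	return r, nil
}

// SampleZone is constructed demo data.
func SampleZone() Zone {
	return Zone{
		CNAME: map[string]string{
			"docs.acme.example": "acme-docs.github.io",
			"help.acme.example": "acme.zendesk.com",
			"old.acme.example":  "old-site.acme-legacy.example",
			"www.acme.example":  "acme-site.netlify.app",
		},
		A: map[string][]string{"acme.zendesk.com": {"198.51.100.7"}, "acme-site.netlify.app": {"203.0.113.40"}},
	}
}

func main() {
	for _, h := range []string{"docs.acme.example", "help.acme.example", "old.acme.example"} {
		r, err := SampleZone().Walk(h)
		fmt.Printf("%-18s risk=%-6s service=%q dangling=%v err=%v\n", h, r.Risk, r.Service, r.Dangling, err)
	}
}
```

Several providers answer for unclaimed names with a "no such site" page instead of NXDOMAIN, so a production check also fetches the target over HTTP and matches response-body fingerprints; that is the part that needs network access and is left out here. The "review" class matters in practice: a CNAME to an expired domain is just as takeable as one to an unclaimed bucket.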
DNSSEC validator
Tells you if validating resolvers trust your DNS chain end-to-end. Secure / Insecure / Bogus verdict with the AD flag, DNSKEY at apex, and DS at parent inspected via Cloudflare 1.1.1.1.
CAA checker + generator
See which CAs can issue certs in your name (CAA checker) and generate publish-ready BIND-format records from a preset CA list (CAA generator). Pairs with TLS / DNSSEC for full cert governance.
Email forensics replay
Paste raw email headers, get a verdict on DKIM/SPF/DMARC alignment, identity mismatches, and threat-intel reputation on the sender domain + IPs.
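The alignment part of that replay, as an added example rather than Postvale's engine: parse the Authentication-Results header a receiver stamped on the message and re-run the DMARC decision against the From domain under strict and relaxed alignment, noting every identity that belongs to a different organisation. The two-label organisational-domain rule is a simplification of this example; the headers in main are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthResult is one method=result clause from an Authentication-Results header (RFC 8601 shape).
type AuthResult struct {
	Method, Result string            // e.g. "spf", "pass"
	Props          map[string]string // e.g. smtp.mailfrom, header.d, header.s
}

// ParseAuthResults parses "authserv-id; method=result prop=value ...; ...", dropping the authserv-id.
func ParseAuthResults(h string) (results []AuthResult) {
	for _, clause := range strings.Split(h, ";")[1:] {
		fields := strings.Fields(clause)
		if len(fields) == 0 {
			continue
		}
		method, result, _ := strings.Cut(fields[0], "=")
		ar := AuthResult{strings.ToLower(method), strings.ToLower(result), map[string]string{}}
		for _, f := range fields[1:] {
			if k, v, ok := strings.Cut(f, "="); ok {
				ar.Props[strings.ToLower(k)] = strings.ToLower(v)
			}
		}
		results = append(results, ar)
	}
	return results
}

// domainOf extracts the domain from a display-name address, a bare address or a bare domain.
func domainOf(s string) string {
	if i := strings.LastIndex(s, "<"); i >= 0 {
		s = strings.TrimSuffix(strings.TrimSpace(s[i+1:]), ">")
	}
	if _, d, ok := strings.Cut(s, "@"); ok {
		s = d
	}
	return strings.ToLower(strings.TrimSpace(s))
}

// orgDomain approximates the organisational domain with the last two labels; production code uses the Public Suffix List.
func orgDomain(d string) string {
	l := strings.Split(d, ".")
	if len(l) < 2 {
		return d
	}
	return strings.Join(l[len(l)-2:], ".")
}

// aligned applies DMARC identifier alignment: strict ("s") needs an exact match with the From domain,
// relaxed ("r") only the same organisational domain.
func aligned(identity, from, mode string) bool {
	if mode == "s" {
		return identity == from
	}
	return orgDomain(identity) == orgDomain(from)
}

type Verdict struct {
	From, SPFDomain, DKIMDomain        string
	SPFAligned, DKIMAligned, DMARCPass bool
	Mismatches                         []string
}

// Evaluate replays the DMARC decision from the headers: pass when SPF or DKIM both passed and aligned
// with the RFC5322.From domain under the given aspf/adkim modes ("r" or "s").
func Evaluate(from, authResults, aspf, adkim string) Verdict {
	v := Verdict{From: domainOf(from)}
	for _, r := range ParseAuthResults(authResults) {
		switch r.Method {
		case "spf":
			v.SPFDomain = domainOf(r.Props["smtp.mailfrom"])
			v.SPFAligned = r.Result == "pass" && aligned(v.SPFDomain, v.From, aspf)
		case "dkim":
			v.DKIMDomain = r.Props["header.d"] // last signature wins for the report
			if r.Result == "pass" && aligned(v.DKIMDomain, v.From, adkim) {
				v.DKIMAligned = true // one aligned passing signature is enough
			}
		}
	}
	v.DMARCPass = v.SPFAligned || v.DKIMAligned
	for _, id := range []struct{ label, dom string }{{"Return-Path", v.SPFDomain}, {"DKIM d=", v.DKIMDomain}} {
		if id.dom != "" && orgDomain(id.dom) != orgDomain(v.From) {
			v.Mismatches = append(v.Mismatches, fmt.Sprintf("%s %s does not belong to %s", id.label, id.dom, v.From))
		}
	}
	return v
}

func main() {
	// Constructed headers: a lookalike sender whose own SPF and DKIM both pass, yet DMARC fails.
	from := `"Acme Helpdesk" <it@acme.example>`
	ar := "mx.receiver.example; spf=pass smtp.mailfrom=bounce.acme-helpdesk.example; dkim=pass header.d=acme-helpdesk.example header.s=s1"
	fmt.Printf("%+v\n", Evaluate(from, ar, "r", "r"))
}
```

The sample in main is the case that trips people up: spf=pass and dkim=pass both appear in the header, but for the attacker's domain, so DMARC for the displayed From domain still fails. One caveat for real headers: only trust an Authentication-Results line whose authserv-id is your own receiving host, since the sender can add forged ones.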
Browser extension + Outlook add-in
Inline pills on every Gmail and Outlook message (Chrome / Edge / Firefox plus Outlook desktop via Office.js add-in): DMARC posture, domain age, malware feed, active-threat IOC. Plus one-click full forensics replay and body-link scoring on every URL. Free. Pro adds the headline pills: Phishing-feed sender match (community-confirmed phishing-URL feed) and Brand impersonation watchlist.
Scam Check
For when you stare at an email and think "wait, is this real?" Click the button on any Gmail or Outlook message - or paste it on /triage - and Postvale checks the sender, every link, and every threat-intel feed, then asks AI to give you a verdict you can audit. Scam Check budget lives on the separate Postvale Extension product. Sign in required (free signed-in: 1 lifetime trial, Solo $15 for 20/wk, team plans pool 100-2500/wk).
Deliverability score
Composite 0-100 sender reputation across DMARC, SPF, MTA-STS, blacklists, BIMI.
Vendor scoring
Batch grade your supplier list. Free up to 10 domains, 3 batches/day. Pro lifts both caps.
Vendor consolidation audit
Per-domain blast radius. Lists every third party authorized to send mail as you, classifies each by what they could do if compromised (route / send / read / observe), and flags the duplicates MSPs commonly inherit. One-page audit format with CSV export.
Can my domain be spoofed?
Yes / maybe / no verdict on third-party impersonation. Combines DMARC, SPF, DKIM presence, and MTA-STS into one answer non-technical stakeholders can read.
Spoofable brands index
Live spoofability scores across 210+ high-profile domains with AI-generated commentary per brand. Browse by sector (finance, retail, telco, gov, etc.) - useful when pitching a customer "your category is being phished today".
IPv6 deliverability
The gap most checkers miss. AAAA + reverse-DNS posture - sending from IPv6 without rDNS gets you silently bulk-foldered by Gmail and Yahoo. We test for it, you fix it.
Infrastructure map
Visual graph of NS, MX, SPF includes, DKIM selectors, DMARC, and MTA-STS for any domain. Each hop classified by provider (Google, Microsoft, AWS, Cloudflare, Mailgun, etc.) so you can spot supply-chain risk at a glance.
Full domain check
TLS + DMARC + DNS + headers + MTA-STS + BIMI in one shareable report.
Email-auth scorecard (PDF)
1-page shareable PDF for any domain - grade, DMARC / SPF / DKIM / MTA-STS status, vendor exposure, top issues. Designed to travel in Slack and Teams. Hand it to your IT team or board.
Audit workpaper templates
5 audit-binder-ready PDFs - email auth, TLS, vendor inventory, DNS governance, incident readiness. Live evidence pre-populated; sign-off rows ready for the auditor. Drop straight into your SOC 2 / PCI / B-13 attestation pack.
What Pro adds on top.
Free covers the on-demand checks above. Pro turns the same engines into something you actually run a business on - hourly monitoring, alerts, history, evidence packs.
Continuous monitoring + alerts (Pro)
Saved domains re-check hourly. Alerts to Slack / Teams / Discord / webhook on regression. Per-endpoint filters - pager only gets cert expiry, #ops gets everything.
Layered threat-intel reputation (Pro)
Every monitored domain checked against malware feeds, active-threat IOC intel, IP abuse confidence, mail blocklists, registration age. Regression alerts when a clean domain becomes flagged.
Brand watchlist + phishing-kit fingerprinting (Pro)
Add brand keywords; we surface lookalike domains and fingerprint active phishing kits against a registry of known login-page favicons + titles (M365, Google, Apple, DocuSign). One-click takedown evidence pack.
Leak-site mentions of your apex (Pro)
We poll public ransomware / extortion aggregators every 15 minutes and match each victim post against your monitored apex. First-sight fires a critical alert with group name, post URL, and an AI-drafted IR runbook button.
Credentials at your apex in breach corpora (Pro)
Weekly polling of public breach-corpus indexes for new breaches containing addresses ending in your monitored apex. Privacy-first: never stores the leaked email addresses, only metadata + counts.
CVEs on the tech serving your apex (Pro)
We fingerprint the tech stack from your response headers (nginx, Apache, IIS, PHP, WordPress) and match newly-published high-severity CVEs against the detected versions. 6h poll cadence.
AI-assisted remediation + IR runbooks (Pro)
Stream a tailored fix plan when something is broken; AI-drafted incident response runbook on every leak-site / breach / CVE finding. 10/mo on Pro, 100/mo on MSP.
MSP add-ons
Co-branded PDF reports, per-client alert routing, CSV bulk import / onboarding wizard, scheduled weekly client emails. Built for agencies running 30+ domains across multiple clients.
Plus snooze workflow, TOTP 2FA, audit log + scan history, REST API, custom HTTPS ports, vendor supply-chain monitoring, MX/NS hijack detection, subdomain drift + takeover-risk alerts, compliance evidence packs. See every feature on /pricing →
How it works
One-time setup. Continuous coverage. No agents to install.
- 01
Add your domains + brand keywords
Paste hostnames or import a CSV. Add brand keywords (e.g. "acme") to watch for lookalike domains. We auto-detect MX, NS, web endpoints, fingerprint your tech stack from response headers, and figure out what to watch.
- 02
Continuous monitoring across every layer
Posture (TLS / DMARC / DNS / headers / MTA-STS / subdomain drift) runs on your cadence - hourly on Starter+. Threat intel layers run continuously on Pro+ - all anchored on your monitored apex: leak-site mentions of your domain (15m polling), credential breaches at your domain, CVEs on the tech serving your domain, brand watchlist + phishing-kit fingerprinting, AI-drafted IR runbooks. No customer-side agents, no cloud-account integrations.
- 03
Alerts before customers notice
Cert expiring, DMARC drift, new subdomain, MX/NS hijack, your apex on a leak site, credentials at your apex breached, CVE on tech serving your apex, active phishing kit on a typosquat of your apex - 17 alert kinds, all anchored on monitored domains, routed per-endpoint to Slack / Teams / Discord / email / webhook with per-domain filters.
Pricing
Two products, priced separately.
Domain Monitor from $0 (1 domain, daily) · $30 Starter · $79 Pro · $349 Power User · $699 MSP · $3,995+ Enterprise. Postvale Extension separately - free trial, $15 Solo, $39 Team 10 through $549 Team 250. Buy what you use, ignore what you do not.
See full pricing →