Trust

Trust the behavior, not the badges.

What we can see, what we store, how changes stay reversible, and what happens when something goes wrong. In plain terms, with the receipts linked.

We never see your mail.

The product runs on DMARC aggregate reports: counts and authentication results receivers publish about your domain. No mailbox access, no message content, ever.

Credentials are hashed, not stored.

API keys and MCP tokens are SHA-256 hashed at rest and shown once at mint. Revocation is instant: every call re-checks the key's live permissions.

DNS changes have a safety net.

Every automated DNS write is staged with a five-minute hold, an email record, a 24-hour undo, and a read-back check. Nothing touches your zone silently.

Audited vendors underneath.

Data lives on Cloudflare and Neon (both SOC 2 Type II), auth runs on Clerk, payments on Stripe. We publish who processes what, and we hold no card data ourselves.

AI with zero data retention.

The AI features run under a zero-data-retention agreement with the model vendor: your report data is not retained or used for training.

Every action is on the record.

Workspace changes land in an audit log with provenance: a human click, an API key, an MCP token, or a Slack approval each show up as exactly what they were.

Found something? security@trustyourinbox.com reaches a human, and the bounty program pays for it.