Red Sift OnDMARC: The best Agari alternative for DMARC

Last updated: October 2024

Looking for an alternative to Agari DMARC Protection that helps you safely and efficiently stop unauthorized use of your email-sending domains? You’re in the right place. 

Here is your definitive comparison guide for Agari and Red Sift OnDMARC – one of the most popular Agari alternatives on the market. 

Red Sift OnDMARC overview

Red Sift OnDMARC is an award-winning, automated DMARC application that helps organizations stop exact domain impersonation and business email compromise (BEC) attacks. It helps brands get to DMARC enforcement (p=reject) quickly and effectively by providing step-by-step implementation guidance, simplified DKIM and SPF management, as well as clear, easy-to-understand DMARC reports and dashboards that provide deep insight into organizational email-sending services and domain health.

From November 2023, Red Sift is the new partner for Cisco Domain Protection.

Agari DMARC Protection overview

Fortra Agari’s DMARC Protection is a DMARC authentication and monitoring solution. According to their website, it helps “organizations to protect their customers and partners from email attacks that hijack their brand through authentication, conformance, and reporting & analytics”. Agari was acquired by global cybersecurity company Fortra in 2021.

The comparison tl;dr

While Red Sift OnDMARC and Agari DMARC Protection are both designed to help security teams take control of their email-sending services and protect their domains from exact domain impersonation, their key differences lie in their target audiences, feature sets, speed to enforcement, and wider portfolio.

Red Sift OnDMARC makes it easy to audit your existing email-sending environment, troubleshoot your setup with Investigate, and automate the management of DMARC, DKIM, SPF and MTA-STS with Dynamic Services. Thanks to these time-saving features, time to DMARC enforcement is expedited with Red Sift customers touting a 6-8 week average. In addition, Red Sift’s hosted BIMI is the only end-to-end BIMI solution on the market with integrated VMC provisioning. Additionally, OnDMARC uniquely bridges the gap between DMARC and DNS to prevent domain takeovers like SubdoMailing, thereby mitigating the risks of spam and impersonation.

Red Sift OnDMARC caters to leading organizations across industries including Legal, Retail, Financial Services, Healthcare, and Technology. OnDMARC is the DMARC vendor of choice for 1,000+ global enterprises including Capgemini, Domino’s, ZoomInfo, Athletic Greens, Telefonica, and Wise.

You can sign up for an OnDMARC 14-day free trial with access to all features from the Red Sift website.

Agari is a consultant-led, enterprise-level DMARC provider. It is not geared towards SMBs. It boasts big-name brands including Adobe, Blue Cross, and Upwork, and is a particularly popular tool of choice for the Financial Services industry, which makes up half of its customer base

Agari DMARC Protection offers a variety of enterprise-level features such as Hosted SPF, forensic reporting, and in-depth reporting capabilities. It lacks integrated BIMI with VMC, hosted MTA-STS, and troubleshooting tools. 

You cannot sign up for a free trial of Agari DMARC Protection from their website.

Red Sift OnDMARC 
Agari DMARC Protection
Average time to enforcement
Reporting (aggregate and forensic)
Dynamic SPF
✅ (macro-based)
Hosted MTA-STS
Hosted BIMI with VMC integration
Hosted DKIM
Investigate tool
DNS configuration monitoring
Embedded LLM assistant
APIs
Third-party threat data (e.g. Spamhaus)
Customer Success Engineer included at Enterprise level

Let’s get into the nitty-gritty of how these two applications compare 👇

Ease of provisioning

DMARC can be a complicated and error-prone security protocol to understand and implement. This makes effective technology and robust provisioning all the more important.

Red Sift OnDMARC

Getting started 

After signing up for OnDMARC’s free trial, users land in the ‘My domains’ view. This provides an overview of your organization’s domain estate and the various factors contributing to its health, such as the DMARC, SPF, MTA-STS, and BIMI statuses.

To get set up, users need to run through a quick three-step workflow to get the domains they want to protect into the application. The application will prompt the user to select whether they want to set up Dynamic Services or opt to manage DMARC manually. Dynamic Services allows for hosted management of all email records without the need to access the DNS, helping to avoid making manual configuration errors.

If you choose to use Dynamic Services, OnDMARC will provide the records you need to add to your DNS in order to start setting up Dynamic Services. If you opt for manual management, OnDMARC will provide the DMARC record for you to add to your DNS. 

Once the necessary changes have been made to add the DMARC record to the user’s DNS, they must wait for DMARC reports to arrive from the mailbox providers who send them.

Configuration troubleshooting

DMARC reports can take up to 24 hours to arrive which is one of the reasons that DMARC projects can be time-consuming.

What makes Red Sift OnDMARC unlike any other tool on the DMARC market is its Investigate feature. It allows users to test configuration updates in real-time rather than waiting for DMARC data to come over 24 hours, drastically reducing the time needed for a DMARC project and speeding up the time required until full protection is reached.

Use Red Sift’s Investigate tool to see if your DMARC, DKIM, SPF, and BIMI protocols are correctly set up and get actionable steps on how to fix them, if applicable.

Check your DMARC record and other key protocols now

It also ties in with your Email Sources asset list so you can see which app is using which SPF mechanism and DKIM selector, and if they’re properly authenticated.

In addition to Investigate’s troubleshooting capabilities for DMARC implementations, it also features a number of Compliance Profiles that you can check your sending services against to make sure they’re compliant with the UK Minimum Cyber Security Standard, US Binding Operational Directive 18-01, or Google and Yahoo’s Bulk Sending requirements.

Inventory of email assets

Red Sift OnDMARC’s Email Sources view provides a comprehensive inventory of assets per domain. It enables you to categorize email-sending sources as assets or threats, store SPF components and DKIM selectors for each source, and document key details during DNS configuration. This feature not only ensures you maintain an always up-to-date inventory, but also allows you to leave notes on internal ownership of each service. By keeping this information within the product, teams are equipped with continuity – ensuring that if team members leave, join, or take over the DMARC project, critical information remains easily accessible.

Management of email records

Standard DNS implementations of SPF, DKIM, DMARC and MTA-STS all suffer from the same problems – they are difficult to edit and error-prone, especially if you control multiple domains across multiple registrars.

Red Sift OnDMARC’s Dynamic Services solves this problem by allowing its users to control all of their records from within the OnDMARC app, avoiding the need to go into the DNS whenever updates need to be made to records. This is done by replacing the static DNS records with OnDMARC’s smart records, either via NS delegation for DKIM and DMARC or a new smart TXT record for SPF.

Dynamic Services allows users to add additional SPF mechanisms, change their DMARC policy, or host 2048-bit DKIM keys that some DNS hosts do not support.

SPF management

OnDMARC’s Dynamic SPF feature helps its user overcome the 10 SPF lookup limit by combining all authorized services in a single dynamic include. This prevents any authorized traffic from failing SPF validation and ensures uninterrupted mail flow. 

Red Sift OnDMARC allows users to add any include mechanism for any provider, meaning they are not limited to preconfigured assets like they are with some other DMARC providers. When a new source needs SPF configuring can be managed with a single click. 

Dynamic SPF is not a macro-based SPF solution. Instead, it dynamically flattens and compacts IP records. Though macros are widely used, they are not supported by some legacy email infrastructure which results in the entire SPF authentication failing and mail not being delivered. For this reason, Red Sift OnDMARC was built to support but not rely on macros, thus ensuring 100% compatibility with all legacy email structures, gateways, and receivers meaning email deliverability is never impacted. 

Dynamic SPF also makes it easy to clean up or remove unused or redundant mechanisms that are no longer necessary or needed. As shown in the Activity column above, OnDMARC tracks if a mechanism is active or not based on the info found in DMARC reports.

Agari DMARC Protection

Getting started 

To get started, you need to run through a short workflow to add your domains to Agari’s system. You will be prompted to set the Agari policy level and mark your domains as defensive, third-party, or primary.

Once these steps are complete, Agari states it “will verify that your organization is responsible for these domains, which may take up to 24 hours.” This verification step adds extra time to the implementation process, though it can be worked around by adding the DMARC record for your domain to your DNS. Unlike Red Sift OnDMARC, which provides these records as part of the onboarding flow, Agari DMARC Protection requires users to manually build them using the DMARC Builder tool.

Inventory of email assets

Agari recommends creating an external spreadsheet to track your senders, stating, “You’ll use the information in this spreadsheet to create the SPF records and DKIM keys needed for proper authentication, as well as to communicate the status of your authentication project internally.” However, this approach introduces potential risks, such as inconsistent updates, version control issues, and reliance on manual processes, which can lead to errors or missing information as teams change or the project scales.

Configuration troubleshooting

Agari DMARC Protection does not offer a troubleshooting tool. Users are required to wait up to 24 hours for DMARC reports to arrive before they can begin remediating issues uncovered in the reports.

Email record management

Agari allows you to host your SPF, DMARC and BIMI records and configure your policies from within its platform. At the time of publication, Agari does not allow API access to programmatically modify those values. However, they do have the ability to designate a source across multiple domains, making it easy to manage a single source across many domains.

SPF management

Agari has two options when it comes to SPF. One is their EasySPF feature, which inventories senders, associates approved ones with each domain, and builds SPF records. It is important to note that this option is not a dynamic feature so will not help you overcome to 10 SPF lookup limit.

The other option is Agari’s Hosted SPF, Agari’s dynamic, macro-based SPF solution that helps organizations with the 10 SPF lookup limit. This is where “Agari hosts the SPF record [to] completely take over the DMARC authentication process for all senders, including third-party ones.” Agari claims that this approach “means with a simple DNS change, companies are relieved from the burden of doing it themselves and ensured that the job is done correctly”. 

Having a DMARC vendor take over the management of records can be preferable for businesses that prefer a managed service and are happy to hand over control of their email security setup. However, it is important to note that with this approach, there’s no easy way to know what trusted sources you have defined, what includes Agari has in its platform, or whether they are accurate. This can make it difficult to export records at a later date if you are switching providers, for example. 

When it comes to adding providers to Agari’s Hosted SPF, they split between their “well-known services” and “custom senders”. If the sender you wish to add is not in their database, you must add the IPs manually. Unfortunately, most vendors won’t tell you if they change their IP range as they expect you to use their include which makes this job difficult. 

Hosted MTA-STS

Mail Transfer Agent Strict Transport Security (MTA-STS) ensures the secure transmission of emails over an encrypted SMTP connection and stops man-in-the-middle (MITM) attacks. 

Red Sift OnDMARC

Hosted MTA-STS is offered in OnDMARC’s Dynamic Services interface. OnDMARC will host the MTA-STS policy file, maintain the SSL certificate, and flag any policy violations through the TLS report.

Agari DMARC Protection

Agari DMARC Protection does not offer hosted MTA-STS.

BIMI

Brand Indicators for Message Identification (BIMI) lets organizations display their brand logo next to every DMARC-authenticated email they send. Studies have shown that BIMI can improve open rates by 39% and increase brand recall by 44%.

Red Sift OnDMARC

Red Sift OnDMARC’s BIMI feature is the only integrated BIMI and Verified Mark Certificate (VMC) solution available on the market. It helps users take care of their BIMI application end to end, including the obtainment of a VMC – and soon, Common Mark Certificates (CMCs) – without having to go directly to the Certificate Authority (CA).

Red Sift OnDMARC has a direct integration with Entrust, the CA that issues VMCs. Application data is transferred between Red Sift and Entrust via API and once processed, Red Sift issues the VMC and gets the customer BIMI-ready.

Red Sift OnDMARC is Entrust’s preferred DMARC partner. In fact, it is the only DMARC solution using Entrust’s API. 

Another advantage of using OnDMARC’s BIMI feature is that a free VMC license is included in its Enterprise tier so organizations don’t need to secure additional budget for BIMI.

Agari DMARC Protection

Agari offers Hosted BIMI within DMARC Protection. They will offer to host the BIMI record and your logo once you’ve got it from a CA. To the author’s knowledge, Agari DMARC Protection does not assist with VMC issuance. 

DNS configuration monitoring

Traditionally DMARC products focus on email authentication and do not include DNS configuration monitoring. However, given the rise in SubdoMailing attacks – where attackers exploit misconfigured or deprovisioned subdomains to send “authenticated” spam – vendors offering this functionality provide a crucial and innovative layer of security.

Red Sift OnDMARC 

With Red Sift OnDMARC’s DNS Guardian, security teams can swiftly identify and stop malicious mail that bypasses DMARC, including spam from domain takeovers, SubdoMailing attacks, dangling DNS, and CNAME takeovers.

Through its deep expertise in DNS and by leveraging Red Sift ASM’s continuously updated inventory of public-facing assets, Red Sift is the only DMARC provider that can surface the level of domain detail required to prevent takeover attacks like SubdoMailing. 

Agari DMARC Protection

Agari does not offer DNS configuration monitoring.

Embedded LLM assistant

LLMs and AI assistants like GPT-4 offer immense value by providing quick answers and troubleshooting help. However, for security teams, the challenge lies in the fact that these tools often aren’t embedded within their existing workflows or trained on cybersecurity-specific intelligence, limiting their accuracy and reliability in this context. So, when vendors integrate this cutting-edge technology into security workflows, it becomes a significant value add, saving time and streamlining workflows. 

Red Sift OnDMARC

Unique to OnDMARC is its seamless integration with Red Sift Radar, making it the first DMARC application with an embedded, upskilled LLM. Radar flags misconfigurations, syntax errors, and exposures across your email system that could compromise email system integrity. For those implementing DMARC, this feature accelerates issue detection and supports quicker progression to DMARC enforcement (p=reject), ensuring robust email security policies are enforced effectively.

Agari DMARC Protection

At the time of publication, Agari DMARC Protection does not offer an LLM or an AI assistant. 

Alerting and notifications

Strong alerting capabilities allow organizations to quickly respond to potential threats, minimizing the impact of phishing and other malicious activities.

Red Sift OnDMARC

OnDMARC’s Notifications feature lets you set up daily or weekly Compliance reports, Action Reminders, and Configuration Alerts to an email or Slack channel of your preference. 

The reports and alerts include:

  • Compliance Reports – round up the volume of passed, quarantined and rejected mail for the domains specified in the report 
  • Actions Reminders – a list of outstanding actions for the domains specified in the report
  • Configuration Alerts – these include senders with a bad reputation sending on behalf of your domain, known services sending on behalf of your domain, and if an asset’s compliance level drops off significantly (indicating a configuration problem)

Agari DMARC Protection

Agari DMARC Protection has robust Alerting and Notification functionality. It provides a lot of information on changes happening across an organization’s email-sending setup, for example, any changes to DKIM and/or SPF records, spikes in threats, and new sender alerts to name a few.

Customer Success

Another key factor to consider in a DMARC project is the time needed to attain full protection quickly and safely. In a world where cyber attacks are relentless, speed is critical. Leveraging a vendor’s Customer Success team can help ensure rapid progress towards enforcement.

Red Sift OnDMARC

A major difference between Red Sift’s OnDMARC and Agari DMARC Protection is that support from the Red Sift Customer Success Engineering (CSE) team is included at the Enterprise level. The team offers global coverage and prides itself on deep technical expertise for all email authentication standards.

Red Sift CSEs are trained and experienced in the most complex DMARC implementations at companies like Capgemini, Biogen, ZoomInfo, and Telefonica, amongst others. Red Sift’s Customer Success is highly regarded by its enterprise customers, including Holland and Barrett, ZoomInfo, and TalkTalk

The quality of Red Sift’s Customer Success is reflected in their high feedback scores; 62 for NPS and 88 for CSAT. This is one of the main reasons Cisco selected Red Sift OnDMARC as its DMARC solution of choice.

Agari DMARC Protection

Agari’s Support page claims that “Fortra Email Security customers have a variety of support options, including a robust customer portal, online support forum, email, phone, or chat assistance”. However, several benefits are only included if you pay for the separate Premium Services offering, such as a dedicated Professional Services Consultant, quarterly customer support reviews, or annual system health checks.

While the documentation isn’t directly accessible from the Agari support page, with some navigation, the Forta support page reveals a comprehensive User Guide for Agari DMARC Protection.
Agari does not disclose pricing information on its website. However, according to a Forrester report, for a significant brand that sends 100 million emails annually, “the cost to set up Agari required 50% of the time of three full-time equivalents (FTEs) over six months” totaling $94,500.

Integrating with your stack: APIs and integrations

Red Sift OnDMARC

OnDMARC has a REST API that can be used to integrate with custom dashboards and other internal systems. All endpoints are documented here with working examples. Capabilities managing Dynamic Services, creating customer charts from reporting data, adding and removing domains, configuring alerts, or analyzing any domain programmatically.

Agari DMARC Protection

Agari’s API integration enables Auditing Users and Domains, Reporting on Policy Enforcement, Analyzing Failures in a SIEM, and Configuring Alerts. You cannot manage your SPF, DKIM, or DMARC records programmatically.

Sharing email intelligence with other tools

Red Sift OnDMARC

Red Sift OnDMARC has access to a Spamhaus data feed that flags bad actors as well as legitimate sources that may be getting flagged and causing deliverability issues. It also has an integration with Validity whose data feeds enhance Red Sift’s ability to monitor brand spoofing and phishing for customer domains as they relate to DMARC.

Red Sift and Agari are the only two DMARC vendors who boast the Yahoo forensics feed that enhances forensic reporting. 

Red Sift OnDMARC is one of four interoperable products on the Red Sift Pulse Platform. OnDMARC and Brand Trust, Red Sift’s impersonation discovery application, sync to automatically add your domain assets into Brand Trust and then start looking for similar domains that may be impersonating your brand.

Agari DMARC Protection

Agari DMARC Protection is the only DMARC vendor to share threat feeds with Azure Sentinel to triage threats and generate SOC efficiencies. They can also integrate with Cisco Talos and other thread feed providers to feed suspicious URLs found in Forensic messages.

As mentioned above, Agari is the only vendor besides Red Sift that has access to the Yahoo forensics feed.

While Agari DMARC Protection is a standalone DMARC product, its parent company Fortra has acquired a host of other popular cybersecurity solutions. 

So, which one to choose?

Deciding between Red Sift OnDMARC and Agari DMARC Protection ultimately comes down to the business problems you are looking to solve.

Suppose you are an enterprise customer embarking on a DMARC implementation with no need for BIMI or MTA-STS and a healthy budget for Professional Services. In that case, Agari is the vendor to consider.

However, if your business (whether small, mid-market, or enterprise) is seeking a DMARC product that has some of the most advanced DMARC capabilities on the market, and partnerships with industry giants like Cisco and Microsoft, Red Sift offers a solid path forward.

Learn more about Red Sift OnDMARC here.

PUBLISHED BY

Francesca Rünger-Field

27 Feb. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
DMARC

Navigating G-Cloud 14 for DMARC solutions: A guide for former NCSC Mail…

Francesca Rünger-Field

Navigating G-Cloud 14 for DMARC solutions: A guide for former NCSC Mail Check users With the NCSC discontinuing key features of its Mail Check service, including DMARC aggregate and TLS reporting, after March 2025, UK public sector organisations must prepare for this change by transitioning to alternative email security solutions. To support this shift,…

Read more
DMARC

Mail Check is changing: What UK public sector organisations must know about…

Jack Lilley

The National Cyber Security Centre (NCSC) has suggested a change to Mail Check services starting on 24 March 2025. This change mainly involves ending DMARC aggregate reporting. This change comes as a measure to expand the services provided by Mail Check to any UK based organisation, while also limiting the cost and complexity of…

Read more
DMARC

Beyond DMARC: How Red Sift OnDMARC supports comprehensive DNS hygiene

Red Sift

Registrable domains and DNS play a crucial role in establishing online identity and trust, but their importance is often taken for granted. During new service setups, record updates are often overlooked, accumulating outdated entries. As infrastructure teams become increasingly overstretched,  services may be incorrectly shut down without proper cleanup, leaving behind a sprawl of…

Read more
DKIM

First look at DKIM2: The next generation of DKIM

Red Sift

In 2011, the original DomainKeys Identified Mail (DKIM1) standard was published. It outlined a method allowing a domain to sign emails, enabling recipients to verify that the email originated from an entity holding a private key that matches the public key published in the domain’s DNS records. Now in 2024, DKIM is ready for…

Read more