Red Sift OnDMARC: The best Agari alternative for DMARC

Looking for an alternative to Agari DMARC Protection that helps you safely and efficiently stop unauthorized use of your email-sending domains? You’re in the right place. 

Here is your definitive comparison guide for Agari and Red Sift OnDMARC – one of the most popular Agari alternatives on the market. 

Red Sift OnDMARC overview

Red Sift OnDMARC is an award-winning, automated DMARC application that helps organizations stop exact domain impersonation and business email compromise (BEC) attacks. It helps brands get to DMARC enforcement (p=reject) quickly and effectively by providing step-by-step implementation guidance, simplified DKIM and SPF management, as well as clear, easy-to-understand DMARC reports and dashboards that provide deep insight into organizational email-sending services and domain health.

From November 2023, Red Sift is the new partner for Cisco Domain Protection.

Agari overview

Fortra Agari’s DMARC Protection is a DMARC authentication and monitoring solution. According to their website, it helps “organizations to protect their customers and partners from email attacks that hijack their brand through authentication, conformance, and reporting & analytics”. Agari was acquired by global cybersecurity company Fortra in 2021.

The comparison tl;dr

While Red Sift OnDMARC and Agari DMARC Protection are both designed to help security teams take control of their email-sending services and protect their domains from exact domain impersonation, their key differences lie in their target audiences, feature sets, speed to enforcement, and wider portfolio.

Red Sift OnDMARC makes it easy to audit your existing email-sending environment, troubleshoot your setup with Investigate, and automate the management of DMARC, DKIM, SPF and MTA-STS with Dynamic Services. Thanks to these time-saving features, time to DMARC enforcement is expedited with Red Sift customers touting a 6-8 week average. In addition, Red Sift’s hosted BIMI is the only end-to-end BIMI solution on the market with integrated VMC provisioning. 

Red Sift OnDMARC caters to leading organizations across industries including Legal, Retail, Financial Services, Healthcare, and Technology. OnDMARC is the DMARC vendor of choice for 1,000+ global enterprises including Capgemini, Domino’s, ZoomInfo, Athletic Greens, Telefonica, and Wise.

You can sign up for an OnDMARC 14-day free trial with access to all features from the Red Sift website.

Agari is a consultant-led, enterprise-level DMARC provider. It is not geared towards SMBs. It boasts big-name brands including Adobe, Blue Cross, and Upwork, and is a particularly popular tool of choice for the Financial Services industry, which makes up half of its customer base

Agari DMARC Protection offers a variety of enterprise-level features such as Hosted SPF, forensic reporting, and in-depth reporting capabilities. It lacks integrated BIMI with VMC, hosted MTA-STS, and troubleshooting tools. 

You cannot sign up for a free trial of Agari DMARC Protection from their website.

Red Sift OnDMARC 
Agari DMARC Protection
Average time to enforcement
Reporting (aggregate and forensic)
Dynamic SPF
✅ (macro-based)
Hosted MTA-STS
Hosted BIMI with VMC integration
Hosted DKIM
Investigate tool
APIs
Third-party threat data (e.g. Spamhaus)
Customer Success Engineer included at Enterprise level

Let’s get into the nitty-gritty of how these two applications compare 👇

Ease of provisioning

DMARC can be a complicated and error-prone security protocol to understand and implement. This makes effective technology and robust provisioning all the more important.

Red Sift OnDMARC

Getting started 

After signing up for OnDMARC’s free trial, users land in the ‘My domains’ view. This provides an overview of the organizational domain estate and the various factors contributing to its health, such as:

  • DMARC – shows the DMARC record status
  • SPF – shows the SPF record status
  • BIMI – shows the chosen logo if domain is configured for BIMI

To get set up, users need to run through a three-step workflow to get the domains they want to protect into the application. The application will prompt the user to select whether they want to set up Dynamic Services or opt to manage DMARC manually. Dynamic Services allows for hosted management of all email records without the need to access the DNS, helping to avoid making manual configuration errors.

Once the necessary changes have been made to add the DMARC record to the user’s DNS, they must wait for DMARC reports to arrive from the mailbox providers who send them.

Configuration troubleshooting

DMARC reports can take up to 24 hours to arrive which is one of the reasons that DMARC projects can be time-consuming.


What makes Red Sift OnDMARC unlike any other tool on the DMARC market is its Investigate feature. It allows users to test configuration updates in real-time rather than waiting for DMARC data to come over 24 hours, drastically reducing the time needed for a DMARC project and speeding up the time required until full protection is reached. It also ties in with your Email Sources asset list so you can see which app is using which SPF mechanism and DKIM selector, and if they’re properly authenticated.

Management of email records

Standard DNS implementations of SPF, DKIM, DMARC and MTA-STS all suffer from the same problems – they are difficult to edit and error-prone, especially if you control multiple domains across multiple registrars.

Red Sift OnDMARC’s Dynamic Services solves this problem by allowing its users to control all of their records from within the OnDMARC app, avoiding the need to go into the DNS whenever updates need to be made to records. This is done by replacing the static DNS records with OnDMARC’s smart records, either via NS delegation for DKIM and DMARC or a new smart TXT record for SPF.

Dynamic Services allows users to add additional SPF mechanisms, change their DMARC policy, or host 2048-bit DKIM keys that some DNS hosts do not support.

SPF management

OnDMARC’s Dynamic SPF feature helps its user overcome the 10 SPF lookup limit by combining all authorized services in a single dynamic include. This prevents any authorized traffic from failing SPF validation and ensures uninterrupted mail flow. 

Red Sift OnDMARC allows users to add any include mechanism for any provider, meaning they are not limited to preconfigured assets like they are with some other DMARC providers. When a new source needs SPF configuring can be managed with a single click. 

Dynamic SPF is not a macro-based SPF solution. Instead, it dynamically flattens and compacts IP records. Though macros are widely used, they are not supported by some legacy email infrastructure which results in the entire SPF authentication failing and mail not being delivered. For this reason, Red Sift OnDMARC was built to support but not rely on macros, thus ensuring 100% compatibility with all legacy email structures, gateways, and receivers meaning email deliverability is never impacted. 

Agari

Getting started 

Agari DMARC Protection does not cater to self-service users as a free trial is not available and documentation is only available with the Premium Services offering. 

Configuration troubleshooting

Agari DMARC Protection does not offer a troubleshooting tool. Users are required to wait up to 24 hours for DMARC reports to arrive before they can begin remediating issues uncovered in the reports.

Email record management

Agari allows you to host your SPF, DMARC and BIMI records and configure your policies from within its platform. At the time of publication, Agari does not allow API access to programmatically modify those values. However, they do have the ability to designate a source across multiple domains, making it easy to manage a single source across many domains.

SPF management

Agari has two options when it comes to SPF. One is their EasySPF feature, which inventories domains, associates approved ones with each domain, and builds SPF records. It is important to note that this option is not a dynamic feature so will not help you overcome to 10 SPF lookup limit.

The other option is Agari’s Hosted SPF, Agari’s dynamic, macro-based SPF solution that helps organizations with the 10 SPF lookup limit. This is where “Agari hosts the SPF record [to] completely take over the DMARC authentication process for all senders, including third-party ones.” Agari claims that this approach “means with a simple DNS change, companies are relieved from the burden of doing it themselves and ensured that the job is done correctly”. 

Having a DMARC vendor take over the management of records can be preferable for businesses that prefer a managed service and are happy to hand over control of their email security setup. However, it is important to note that with this approach, there’s no easy way to know what trusted sources you have defined, what includes Agari has in its platform, or whether they are accurate. This can make it difficult to export records at a later date if you are switching providers, for example. 

When it comes to adding providers to Agari’s Hosted SPF, they split between their “well-known services” and “custom senders”. If the sender you wish to add is not in their database, you must add the IPs manually. Unfortunately, most vendors won’t tell you if they change their IP range as they expect you to use their include which makes this job difficult. 

Hosted MTA-STS

Mail Transfer Agent Strict Transport Security (MTA-STS) ensures the secure transmission of emails over an encrypted SMTP connection and stops man-in-the-middle (MITM) attacks. 

Red Sift OnDMARC

Hosted MTA-STS is offered in OnDMARC’s Dynamic Services interface. OnDMARC will host the MTA-STS policy file, maintain the SSL certificate, and flag any policy violations through the TLS report.

Agari

Agari DMARC Protection does not offer hosted MTA-STS.

BIMI

Brand Indicators for Message Identification (BIMI) lets organizations display their brand logo next to every DMARC-authenticated email they send. Studies have shown that BIMI can improve open rates by 39% and increase brand recall by 44%.

Red Sift OnDMARC

Red Sift OnDMARC’s BIMI feature is the only integrated BIMI and Verified Mark Certificate (VMC) solution available on the market. It helps users take care of their BIMI application end to end, including the obtainment of a VMC without having to go directly to the Certificate Authority (CA).

Red Sift OnDMARC has a direct integration with Entrust, the CA that issues VMCs. Application data is transferred between Red Sift and Entrust via API and once processed, Red Sift issues the VMC and gets the customer BIMI-ready.

Red Sift OnDMARC is Entrust’s preferred DMARC partner. In fact, it is the only DMARC solution using Entrust’s API. 

Another advantage of using OnDMARC’s BIMI feature is that a free VMC license is included in its Enterprise tier so organizations don’t need to secure additional budget for BIMI.

Agari

Agari offers Hosted BIMI within DMARC Protection. They will offer to host the BIMI record and your logo once you’ve got it from a CA. To the author’s knowledge, Agari DMARC Protection does not assist with VMC issuance. 

Alerting and notifications

Strong alerting capabilities allow organizations to quickly respond to potential threats, minimizing the impact of phishing and other malicious activities.

Red Sift OnDMARC

OnDMARC’s Notifications feature lets you set up daily or weekly Compliance reports, Action Reminders, and Configuration Alerts to an email or Slack channel of your preference. 

The reports and alerts include:

  • Compliance Reports – round up the volume of passed, quarantined and rejected mail for the domains specified in the report 
  • Actions Reminders – a list of outstanding actions for the domains specified in the report
  • Configuration Alerts – these include senders with a bad reputation sending on behalf of your domain, known services sending on behalf of your domain, and if an asset’s compliance level drops off significantly (indicating a configuration problem)

Agari DMARC Protection

Agari DMARC Protection has robust Alerting and Notification functionality. It provides a lot of information on changes happening across an organization’s email-sending setup, for example, any changes to DKIM and/or SPF records, spikes in threats, and new sender alerts to name a few.

Customer Success

Another key factor to consider in a DMARC project is the time needed to attain full protection quickly and safely. In a world where cyber attacks are relentless, speed is critical. Leveraging a vendor’s Customer Success team can help ensure rapid progress towards enforcement.

Red Sift OnDMARC

A major difference between Red Sift’s OnDMARC and Agari DMARC Protection is that support from the Red Sift Customer Success Engineering (CSE) team is included at the Enterprise level. The team offers global coverage and prides itself on deep technical expertise for all email authentication standards.

Red Sift CSEs are trained and experienced in the most complex DMARC implementations at companies like Capgemini, Biogen, ZoomInfo, and Telefonica, amongst others. Red Sift’s Customer Success is highly regarded by its enterprise customers, including Holland and Barrett, ZoomInfo, and TalkTalk

The quality of Red Sift’s Customer Success is reflected in their high feedback scores; 62 for NPS and 88 for CSAT. This is one of the main reasons Cisco selected Red Sift OnDMARC as its DMARC solution of choice.

Agari

Agari’s Support page claims that “all Agari product subscriptions include complementary Onboarding and Enablement, Training, a Customer Success Manager, and Customer Support.” However, several benefits are only included if you pay for the separate Premium Services offering, such as full access to documentation, a dedicated CSE, quarterly customer support views, or annual system health checks.

According to a Forrester report, for a significant brand that sends 100 million emails annually, “the cost to set up Agari required 50% of the time of three full-time equivalents (FTEs) over six months” totaling $94,500. 

Integrating with your stack: APIs and integrations

OnDMARC

OnDMARC has a REST API that can be used to integrate with custom dashboards and other internal systems. All endpoints are documented here with working examples. Capabilities managing Dynamic Services, creating customer charts from reporting data, adding and removing domains, configuring alerts, or analyzing any domain programmatically.

Agari

Agari’s API integration enables Auditing Users and Domains, Reporting on Policy Enforcement, Analyzing Failures in a SIEM, and Configuring Alerts. You cannot manage your SPF, DKIM, or DMARC records programmatically.

Sharing email intelligence with other tools

OnDMARC

Red Sift OnDMARC has access to a Spamhaus data feed that flags bad actors as well as legitimate sources that may be getting flagged and causing deliverability issues. It also has an integration with Validity whose data feeds enhance Red Sift’s ability to monitor brand spoofing and phishing for customer domains as they relate to DMARC.

Red Sift and Agari are the only two DMARC vendors who boast the Yahoo forensics feed that enhances forensic reporting. 

Red Sift OnDMARC is one of four interoperable products on the Red Sift Pulse Platform. OnDMARC and Brand Trust, Red Sift’s impersonation discovery application, sync to automatically add your domain assets into Brand Trust and then start looking for similar domains that may be impersonating your brand.

Agari

Agari DMARC Protection is the only DMARC vendor to share threat feeds with Azure Sentinel to triage threats and generate SOC efficiencies. They can also integrate with Cisco Talos and other thread feed providers to feed suspicious URLs found in Forensic messages.

As mentioned above, Agari is the only vendor besides Red Sift that has access to the Yahoo forensics feed.

While Agari DMARC Protection is a standalone DMARC product, its parent company Fortra has acquired a host of other popular cybersecurity solutions. 

So, which one to choose?

Deciding between Red Sift OnDMARC and Agari ultimately comes down to the business problems you are looking to solve.

Suppose you are an enterprise customer embarking on a DMARC implementation with no need for BIMI or MTA-STS and a healthy budget for Professional Services. In that case, Agari is the vendor to consider. If you’re a small business or an enterprise seeking a DMARC product that has some of the most advanced DMARC capabilities on the market, and partnerships with industry giants like Cisco and Microsoft, Red Sift offers a solid path forward.

Learn more about Red Sift OnDMARC here.

PUBLISHED BY

Francesca Rünger-Field

27 Feb. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Email

The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more
Email

Navigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a…

Rebecca Warren

In the world of cybersecurity, a new threat has emerged. Known as “SubdoMailing,” this new attack cunningly bypasses some of the safeguards that DMARC sets up to protect email integrity.  In this blog we will focus on how the strategic investments we have made at Red Sift allowed us to discover and protect against…

Read more
Email

Where are we now? One month of Google and Yahoo’s new requirements…

Rebecca Warren

As of March 1, 2024, we are one month into Google and Yahoo’s new requirements for bulk senders. Before these requirements went live, we used Red Sift’s BIMI Radar to understand global readiness, and the picture wasn’t pretty.  At the end of January 2024, one-third of global enterprises were bound to fail the new…

Read more