Privacy controls
CyberFurl can load analytics only after you opt in. Core product features work without analytics consent.
This page describes what CyberFurl's DMARC, SPF, DKIM, and BIMI checks do, what they do not do, and the expectations we place on users who submit domains for scanning. Last updated April 24, 2026.
No message is sent, relayed, intercepted, or forwarded.
Results reflect public DNS state at scan time.
Scan domains you own, operate, or are explicitly authorized to assess.
Share this date during procurement or vendor review.
Overview
CyberFurl runs DNS-based checks that parse SPF, DKIM, DMARC, and BIMI records. These checks are informational and reflect public DNS posture, not live email flow.
CyberFurl retrieves publicly published DNS records (SPF TXT, DKIM selector TXT, DMARC _dmarc TXT, BIMI default._bimi TXT) for a submitted domain and parses the tags to present policy posture, alignment mode, and common misconfigurations. Results reflect public DNS state at the time of the scan and can become outdated between checks.
CyberFurl does not send, receive, relay, spoof, intercept, or forward email messages on behalf of a scanned domain. The product performs read-only DNS lookups and public HTTPS fetches of BIMI logo URLs. It does not probe, enumerate, or exploit third-party mail servers, and it does not attempt to bypass SPF, DKIM, or DMARC enforcement.
Users are expected to only scan domains they own, operate, or are explicitly authorized to assess. Submitting third-party domains for due-diligence reviews, partner assurance, or M&A assessments relies only on public DNS — no privileged access is required or used — but the responsibility for lawful and appropriate use remains with the requesting user or organization.
Results depend on the DNS resolvers and authoritative zones reachable at scan time. Transient resolver failures, split-horizon DNS, NXDOMAIN responses from intermediate CNAME chains, or aggressive TTL caching may produce incomplete or temporarily stale outputs. CyberFurl reports what it observed; it does not guarantee the end-to-end deliverability, authentication outcome, or enforcement behavior of any specific email message.
CyberFurl output is technical telemetry, not legal advice. It is not a substitute for a compliance assessment, audit, attestation, or regulatory filing. Where DMARC posture is used to support framework-specific obligations (NIS2, PCI-DSS, HIPAA, ISO 27001, SOC 2, GDPR, CCPA, or similar), the organization and its advisors remain responsible for interpretation and evidence sufficiency.
If you believe CyberFurl has misrepresented a record for a domain you control — or if you have received unwanted scan traffic and wish to verify — email abuse@cyberfurl.com with the domain, the approximate time, and (if available) the source IP. Corrections and opt-out requests are reviewed within a reasonable period.
Operational notes
These points address questions that come up during vendor review, procurement, and internal compliance discussions about email-authentication scanning.
CyberFurl never sends email as, to, or from a scanned domain. There is no SMTP relay, no connection to a third-party mail server, and no attempt to test deliverability by sending real messages.
Each scan is a snapshot. DNS changes, propagation delays, and resolver caches mean the same domain may produce different results across scans. Always check the timestamp on a scan before citing it in a report.
Users are responsible for having the authority to scan a given domain. CyberFurl does not require proof of ownership for read-only DNS checks, but enterprise controls (domain verification, team scoping, audit logs) are available to customers who need them.
Next step
Route accuracy concerns or unauthorized-scan reports to abuse@cyberfurl.com. For contractual or procurement questions about CyberFurl's scanning scope, use legal@cyberfurl.com.