AI tools, open to all.
Enterprise monitoring for those who need it.
Email spoofing is not a niche technical problem. Every day, organisations of all sizes have their domains impersonated to defraud customers, partners, and employees. The tools to stop this have existed for years: DMARC, SPF, DKIM, MTA-STS. The problem is that understanding and acting on them has always required either deep technical expertise or an expensive platform.
That is a barrier we think should not exist.
Why free tools matter
When we built ShieldMarc, we made a deliberate choice: the core diagnostic tools would be free, forever, for anyone. Not free as a lead magnet. Not free with a nag screen. Free because we believe that every organisation, regardless of size or budget, deserves to know whether their domain is protected.
A small charity with no IT department. A GP practice that has never heard of DMARC. A startup whose founder handles their own DNS. These are not edge cases. They are the majority of organisations that make up the digital landscape, and they are disproportionately targeted precisely because attackers know they are likely to be unprotected.
Removing the cost barrier is the first step. But cost is not the only barrier.
Why we layered AI on top
A DMARC checker that returns a raw record and a list of technical flags is not useful to most people. They know something is wrong. They do not know what it means, why it matters, or what to do next.
ShieldMarc is the first platform to offer free AI-powered email security tools with no account required. No trial. No credit card. No sign-up wall. You run a check, you get an AI explanation in plain English, immediately. We believe this is how it should always have been.
Every ShieldMarc tool that produces a result can now explain that result in plain English, tuned to what a non-technical reader actually needs to understand and act on. Not a wall of documentation. Not a ticket to a support team. An immediate, contextual explanation that sets a new standard for what a free tool can be.
The AI used for free tools runs entirely separately from ShieldMarc's internal monitoring platform. Free tool requests never touch customer data, monitoring records, or anything belonging to paying accounts. When you run a free check, the only information that leaves ShieldMarc is the publicly available DNS data for the domain you queried, processed to generate your explanation. No account, no identity, no private data.
The AI infrastructure we use contractually guarantees that data submitted for inference is never used to train AI models — by them or any third party. Your query is processed and discarded. We chose our AI provider specifically because that guarantee is part of the agreement, not a marketing claim in small print.
What the free tools do benefit from is the expertise our team has developed building and running the platform. The understanding of how real DMARC configurations behave, where they commonly fail, and what good enforcement actually looks like in practice is reflected in how we designed the AI explanations. This is our team's knowledge applied to the tool design, not automated mining of customer records. That is what separates a ShieldMarc explanation from a generic AI answering a technical question cold.
That said, AI can still interpret things incorrectly. We believe the explanations are highly accurate, but we are actively looking for errors and ways to improve. We say this clearly in the tool itself. The raw data is always there, below the explanation, for anyone who wants to verify it directly. And the “This looks wrong” button on every explanation feeds reports back to us so we can identify patterns and correct them. Accuracy is not a launch feature. It is an ongoing commitment.
Why the free tools cost almost nothing to run
A common assumption about free AI tools is that someone, somewhere, is subsidising them. Either paying customers are covering the cost, or the product is the data, or the free tier is a loss leader that disappears the moment investor patience runs out. None of those are true here, and the reason is engineering.
Significant engineering work happens before a scan result ever reaches the AI. The AI works with the minimum it needs to produce an accurate explanation, nothing more. Less input means lower cost and, more importantly, a more reliable result because the AI is working with clean signal rather than interpreting noise.
Explanations are intelligently cached so that repeated lookups for the same result are served instantly at zero AI cost. The system is designed to minimise unnecessary AI calls at every level. In practice, the vast majority of explanation requests cost nothing at all.
The numbers bear this out. Here is what each tool costs per 1,000 unique explanations at the AI level, before caching:
Not every explanation task needs the same model. DMARC interpretation involves branching rules around subdomain policy, alignment modes, and monitoring state, so it uses a more capable model. SSL, DNSSEC, and Security Grade results have simpler, more predictable structures and run on a lighter, faster model at a fraction of the cost. The blended average across all four tools reflects that routing decision.
| Metric | Per 1,000 explanations | Per 1,000,000 explanations |
|---|---|---|
| Average across all tools | ~£0.18 | ~£184 |
| With caching (est. 75% hit rate) | ~£0.05 | ~£46 |
To put that in context: 10,000 AI explanations served in a month cost under £1 once caching is applied. One hundred thousand cost around £5. Even at one million requests the cost is under £50. These are not costs that require cross-subsidisation from paying customers. They are costs that operational efficiency alone can carry, many times over.
That matters for a specific reason. When a free product depends on paid customers to cover its losses, the incentive to keep it free eventually disappears. We designed the free tier so that it does not create that pressure. It stands on its own, and that means we can commit to keeping it free without qualifying that commitment.
How we protect against abuse
Low cost does not mean zero cost, and free tools will always attract automated abuse. A single bad actor hammering an endpoint with thousands of requests could spike costs and degrade the experience for everyone else. We take that seriously, and it is addressed at multiple layers.
AI explanation requests are rate limited per IP address. Legitimate users running manual checks will never notice this. Automated scripts attempting to scrape or abuse the endpoint will hit the limit quickly and be blocked. The limit is deliberately generous enough that a small team checking several client domains in a session is never affected, but tight enough that bulk automated use is not economically viable.
Beyond the AI-specific limit, all API routes sit behind a global rate limiter that operates at the infrastructure level, before requests ever reach application code. This catches volume-based attacks that spread across endpoints rather than hammering a single one. Security events, including blocked requests, are logged for review so we can identify and respond to new patterns of abuse as they emerge.
The result is that the costs in the table above reflect legitimate usage, not worst-case abuse scenarios. Rate limiting is what makes those numbers meaningful. Without it, the economics of free tools break down. With it, the free tier remains stable, fair, and sustainable for everyone who uses it honestly.
The line between free and paid
Free tools answer a question in the moment. They tell you where you stand right now, for one domain, on demand.
The ShieldMarc platform does something different. It watches continuously. It alerts you when something changes. It tracks DMARC report data across hundreds of domains so an MSP can see at a glance which clients are exposed, which are drifting, and which need attention before a problem becomes an incident. It generates prioritised to-do lists, change history, and threat intelligence.
That is not a tool. That is infrastructure. And infrastructure has a cost that we do not pretend away.
The distinction is honest: free tools for anyone who wants them, professional monitoring for teams that need it. We think that is a fair line, and we are committed to keeping it there.
What we are building toward
Our goal is not to be another security vendor. Our goal is to make email spoofing genuinely hard to pull off, across as many domains as possible, by making protection accessible rather than exclusive.
Every domain that moves from no DMARC to enforcement is a domain that cannot be trivially impersonated. Every organisation that understands their SPF record is one less organisation whose suppliers will receive a convincing fake invoice. These are not abstract outcomes. They are measurable, concrete improvements to the security of email as an infrastructure.
We are a small team. We are not the biggest platform in this space. But we think being right about the mission matters more than being the biggest name in it, and we are committed to building something that earns trust rather than demands it.
If that sounds like the kind of tool you want to support, or the kind of platform you want to run your clients on, we would like to hear from you.