How I built an email security SaaS


Email deliverability is one of the most frustrating problems in IT. You send an email, it doesn't arrive, and there's no clear error message. Or worse: it lands in spam at Gmail and nobody tells you why.

After years of helping businesses with exactly this problem, I decided to build MailShield: a platform that monitors all 8 critical email security protocols from a single dashboard.

The problem with email security

Most businesses have SPF and DKIM configured correctly. But that's just the beginning. A typical DNS configuration for email looks like this:

; SPF - who is allowed to send mail
example.com.  TXT  "v=spf1 include:_spf.google.com ~all"

; DKIM - cryptographic signature
selector._domainkey.example.com.  TXT  "v=DKIM1; k=rsa; p=MIGf..."

; DMARC - policy on failures
_dmarc.example.com.  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

This is the baseline. But there are 5 more protocols that most businesses miss:

  • MTA-STS enforces TLS for incoming mail. Without it, an attacker can intercept your mail via a downgrade attack.
  • TLS-RPT reports on TLS negotiation failures. Without it, you don't know there are problems.
  • BIMI shows your company logo in the inbox. Requires a VMC certificate and properly configured DMARC.
  • DNSSEC protects the integrity of your DNS records. Prevents someone from spoofing your MX records.
  • DANE pins your TLS certificate to DNS via TLSA records. The strongest protection against man-in-the-middle attacks on SMTP.

Why I built it myself

There were already tools that check individual protocols. But no single tool checked all 8 protocols together, with a clear score and alerts on changes. I wanted one place where I could see:

  • Are all protocols configured correctly?
  • Has anything changed in the DNS records since the last check?
  • What do the DMARC aggregate reports say? Does all mail pass authentication?
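Added example, not MailShield's own code: a small Python checker that evaluates the six TXT-based protocols from the list above (SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI), turns the results into a score, and fingerprints the records so a later run can alert on DNS changes. It runs against a constructed in-memory zone instead of a live resolver; DNSSEC and DANE are left out because they are not TXT records (they need DNSSEC validation and TLSA lookups), and the `resolve`, `check_domain`, `score` and `fingerprint` names are my own.

```python
import hashlib

# Constructed sample zone (name -> TXT strings) standing in for live DNS; no network access.
SAMPLE_ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
    "_mta-sts.example.com": ["v=STSv1; id=20240101T000000"],
    "_smtp._tls.example.com": ["v=TLSRPTv1; rua=mailto:tlsrpt@example.com"],
    # no default._bimi record, so the BIMI check below must report it as missing
}

def tags(record):
    """Parse a 'tag=value; tag=value' TXT record (DKIM, DMARC, MTA-STS, TLS-RPT, BIMI)."""
    return {k.strip(): v.strip() for k, v in
            (kv.split("=", 1) for kv in record.split(";") if "=" in kv)}

def check_domain(domain, resolve, dkim_selector):
    """Evaluate the six TXT-based protocols. resolve(name) returns the TXT strings at
    that name ([] if none). Returns {protocol: (passed, detail)}."""
    def first(name, version):
        recs = [r for r in resolve(name) if r.lower().startswith(version)]
        return recs[0] if len(recs) == 1 else None  # two records is as broken as none

    res = {}
    spf = first(domain, "v=spf1")
    res["SPF"] = (spf is not None and spf.split()[-1] in ("-all", "~all"), spf or "missing")
    dkim = first(f"{dkim_selector}._domainkey.{domain}", "v=dkim1")
    res["DKIM"] = (dkim is not None and bool(tags(dkim).get("p")), dkim or "missing")
    dmarc = first(f"_dmarc.{domain}", "v=dmarc1")
    pol = tags(dmarc).get("p") if dmarc else None
    res["DMARC"] = (pol in ("quarantine", "reject"), f"p={pol}")
    sts = first(f"_mta-sts.{domain}", "v=stsv1")
    res["MTA-STS"] = (sts is not None and "id" in tags(sts), sts or "missing")
    rpt = first(f"_smtp._tls.{domain}", "v=tlsrptv1")
    res["TLS-RPT"] = (rpt is not None and "rua" in tags(rpt), rpt or "missing")
    bimi = first(f"default._bimi.{domain}", "v=bimi1")  # BIMI only counts with enforcing DMARC
    res["BIMI"] = (bimi is not None and "l" in tags(bimi) and res["DMARC"][0], bimi or "missing")
    return res

def score(results):
    """Percentage of checked protocols that passed, for the dashboard score."""
    return round(100 * sum(ok for ok, _ in results.values()) / len(results))

def fingerprint(domain, resolve, prefixes=("", "_dmarc.", "_mta-sts.", "_smtp._tls.")):
    """SHA-256 over the relevant records; store it and alert when the next run differs."""
    blob = "\n".join(f"{p}{domain}={sorted(resolve(p + domain))}" for p in prefixes)
    return hashlib.sha256(blob.encode()).hexdigest()
```

Calling `check_domain("example.com", lambda n: SAMPLE_ZONE.get(n, []), "s1")` passes everything except BIMI; swapping in a real resolver (for example a `dns.resolver` wrapper returning the TXT strings) is the only change needed for live checks.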

The technical choices

MailShield runs on my own infrastructure in the Netherlands. Built with Claude Code, deployed via CI/CD, hosted on the same stack I use for clients. No hyperscaler, no serverless. A VPS with nginx, a database with daily backups, and monitoring that wakes me up when something goes wrong.

That's deliberate: if I'm consulting on infrastructure but running my own products on Vercel, the story doesn't add up.

Want to learn more about email security for your domain? Check out mailshield.app or read about my mail deliverability services.


Need help with this topic?

Through Bouwhuis IT I help businesses with exactly these kinds of challenges.