Merula
for small businesses

Your email should arrive. Your domain should be harder to impersonate.

Two things quietly went wrong for small businesses lately: legitimate email started landing in spam folders, and criminals kept sending invoices that look like yours. Both come down to the same handful of DNS records — records most businesses set once, years ago, and haven't looked at since.

Merula watches those records continuously, explains what they mean in plain language, and tells you — calmly — when something needs attention.

Merula is in development and launches after summer 2026.

The big mailbox providers changed the rules

Gmail & Yahoo 2024 · Microsoft 2025

The companies that receive most of the world's email now expect senders to authenticate. The strictest SPF, DKIM and DMARC rules are written for bulk senders, but weak or missing authentication can send any domain's mail to spam — or see it refused outright. This isn't a future risk; the requirements are already in force:

February 2024 — Gmail and Yahoo
Bulk senders must authenticate with SPF, DKIM and a DMARC policy. Unauthenticated mail is increasingly filtered or rejected.
May 2025 — Microsoft Outlook and Hotmail
Domains sending 5,000 or more messages a day must pass SPF, DKIM and DMARC; since 5 May 2025 mail that fails those checks is rejected outright, not just filtered.
And for everyone else
The published thresholds describe bulk senders, but authentication affects senders of every size — a small sender with broken authentication meets the same spam folder. A quote that lands in spam is a quote that doesn't get answered.

Three records decide whether receivers can trust your mail

SPF · DKIM · DMARC — in plain language

None of this requires new software — it's a few DNS records on the domain you already own:

SPF
SPF

A public list of who is allowed to send email for your domain — your mail provider, your invoicing tool, your newsletter service. Receivers check the list.

DKIM
DKIM

A signature on each message proving it wasn't altered and really came from your domain. Your providers sign; receivers verify.

DMARC
DMARC

Your published instruction for what receivers should do when a message fails the first two — deliver it anyway, quarantine it, or reject it. It's also how you ask receivers to report what they're seeing.

Merula checks all three continuously, shows you what's weak or missing, and walks you through fixing it with step-by-step guides — included on every plan, written for people who don't do DNS for a living.

Make your domain harder to impersonate

spoofing · brand protection

The same records that get your mail delivered are what makes direct domain spoofing harder. A domain without an enforced DMARC policy is a domain that is easier to impersonate — for fake invoices to your customers, password resets to your staff, quotes to your suppliers.

Getting from "no policy" to "reject everything that isn't really us" is a staged journey, not a switch — move too fast and you block your own newsletter. Merula shows where your domain stands on that road and guides each step, with the reports to confirm it's safe to take the next one.

When you want to see exactly who is sending in your name — every service, every outsider, with numbers — DMARC Analytics collects and explains the reports receivers send back. It is included with the Pro plan, with no volume limits: the reports are unlimited, however much mail flows.

And once those reports are flowing, Merula keeps watching them too: if a domain that has been reporting reliably goes quiet — usually a sign the configuration slipped — Merula surfaces that silence, rather than leaving you to discover the gap later.

Recognised guidance points the same way. The UK's National Cyber Security Centre recommends SPF, DKIM and DMARC to make a domain harder to spoof, and moving to an enforced policy in stages rather than all at once — the same road Merula walks you down.

Further reading: NCSC: Email security and anti-spoofing ↗

Set it up once. Hear about it when it matters.

free plan · calm alerts

Add your domain, and Merula runs the full set of checks — email, certificates, DNS, the web basics — on a schedule, forever. When something genuinely needs you, you get one clear message: what changed, why it matters, what to do.

Urgent problems are sent immediately when detected; everything routine waits for a single daily or weekly digest, so your inbox stays calm. Prefer Slack or Microsoft Teams? Alerts can arrive there instead. And when a change was expected — you switched mail provider, say — tell Merula once and it stops flagging it, until something changes again.

The Free plan covers one domain with every check included. No card, no trial clock — start there, and grow when the business does.