eMate Cloud Platform
by Huifi S.A.
The problem
Domains stuck at p=none for months
Most organizations have no visibility into which sources send email on behalf of their domain. Without data, no enforcement. Without enforcement, the domain stays exposed to spoofing, phishing and deliverability abuse indefinitely.
94%
of domains never reach p=reject
∞
days at p=none without visibility tools
The solution
Data → Decision → Enforcement
eMate processes DMARC reports in real time, enriches every source with GeoIP / ASN / reputation, and walks the administrator from p=none to p=reject safely and with full traceability.
- Ingestion pipeline with parsers validated against Google, Microsoft and Yahoo
- Enrichment for every source IP: country, ASN, reputation
- Policy simulator before applying any change
- Smart alerts on unknown or suspicious sources
Core capabilities
DMARC RUA Ingestion
Own SMTP receiver + S3/SES support. SAX parsers validated against Google, Microsoft and Yahoo reports. Dead Letter Queue for failed messages.
SPF Engine
Full includes tree, exact DNS lookup count, IP range diff between reports, early detection of broken configurations.
DKIM Engine
Automatic discovery of active selectors, cryptographic key age monitoring, pending rotation alerts.
DMARC Processor
SPF/DKIM alignment calculation, policy impact simulator, journey tracking p=none → p=quarantine → p=reject with full history.
MTA-STS + TLS-RPT
MTA-STS policy monitoring, per-domain TLS report analysis, in-transit downgrade attempt detection.
Enrichment Pipeline
GeoIP + ASN + PTR for every source IP. Library of known senders (ESP, CDN, SaaS). Real-time per-IP reputation score.
Real-time Alerting
Configurable rules per threshold or policy. Tier-gated channels: Email + generic webhook (Basic), Slack + Teams (Standard), PagerDuty (Pro), Splunk + Microsoft Sentinel (Advanced).
AI Threat Narratives
Executive summaries generated by Claude (Anthropic API) on authentication state + narrative analysis of spoofing events. C-level ready.
ClickHouse Analytics
Historical message volume, alignment trends, drill-down by source / IP / country / DKIM selector. Partitioned by tenant and month.
Blacklist Monitoring
Continuous check against 39 RBLs in 3 tiers (Spamhaus, Barracuda, SORBS, SURBL, MultiRBL, etc.). Structured delisting steps per provider.
Phish-eMate
Dedicated SMTP endpoint for users to report received phishing (
phish+{token}@). Neutralization pipeline + automatic awareness campaign.Lookalike Detection
Continuous monitoring of typosquatting / homograph domains over your brand (emate.cloud → ematecloud.com, emate-cloud.io, em4te.cloud, etc.).
Threat Intel Enrichment
7 integrated sources (AbuseIPDB, VirusTotal, GreyNoise, OTX, URLhaus, MaxMind GeoLite2, MISP). Real-time IP reputation score with configurable TTL.
Dashboard & integrated tools
— DNS Setup Wizard
Step-by-step guided onboarding for new domains. Automatic verification of published DNS records.
— DMARC Simulator
Preview the impact of a policy change before applying it. Calculates how many messages would pass or fail with the new configuration.
— SPF Flattener
Automatic SPF chain flattening to stay under the 10 DNS lookup limit.
— DNS Propagation Tracker
Real-time badge: "Propagating · Xs" → "Live in DNS" / "Slow". Automatic polling after a record change.
— Sending Sources
Full map of IPs and sources classified as: Authorized · Unknown · Suspicious. Direct action from the UI.
— Header Analyzer
Analysis of real email headers with inline SPF/DKIM/DMARC diagnosis. Paste-and-analyze in seconds.
— Spam Score Tester
Deliverability test before sending. SpamAssassin score + actionable recommendations.
— Inbox Placement
Placement monitoring in Gmail and Outlook. Detects whether mail lands in primary inbox or spam folder.
— CISO Report (MSSP-branded PDF)
Executive PDF report with KPIs, trends, compliance frameworks (ISO/NIST). White-label MSSP branding (logo + derived primary color) + i18n EN/ES/PT-BR.
— Executive Threat Heatmap
Per-country spoofing heatmap in the
/executive dashboard. TopoJSON world-atlas + rotating palette + drill-down by source.— Awareness Training Campaigns
Schedulable phishing simulations with industry-specific templates. Click-through, report-rate metrics and automatic training enrollment.
— API Playground
Built-in OpenAPI explorer in the dashboard. Test endpoints with your own JWT token in real time.
— Audit Log (tamper-evident)
Transactional outbox → Kafka
audit.events → PostgreSQL append-only + S3 Object Lock (WORM). No service writes directly to the log.— MSSP Portal White-Label
Multi-client view for resellers. Custom logo + primary color, hide-powered-by, granular RBAC (mssp_admin/analyst), per-client billing, opportunity pipeline.
— Hosted DNS
DMARC/MTA-STS/TLS-RPT/BIMI records served from our infrastructure for clients with limited DNS providers. Auto KSK rotation + DNSSEC.
— Email Flow Monitor
super_admin panel with 24h stats for outbound (api+alert-engine) and inbound (RUA records). Status/service filters, 30s auto-refresh, pagination.
Data pipeline architecture
Ingestion
📨 SMTP Receiver:2525
→
email.rawKafka · Avro
→
normalizer-workerSAX · MinIO/S3
→
dmarc.rua.rawKafka · Avro
Enrichment
enrichment-workerGeoIP · ASN · PTR
→
dmarc.rua.enrichedKafka · Avro
Processing
clickhouse-writer
dmarc-worker
spf-worker
dkim-worker
mta-sts-worker
tls-rpt-processor
rbl-checker
bimi-checker
lookalike-monitor
dmarc-intel-worker
alert-engine
Notifications
report-mailerSES SMTP · CISO digests
audit-exporterS3 WORM
contact-verifieremail verification
Fallback
⚠ dmarc.dlq — Dead Letter Queue · no message is silently discarded
Each worker is an independent Python container with its own Kafka consumer group. If one fails, the others keep running. Scale per engine based on real load.
Tech stack
| Layer | Technology |
|---|---|
| API Backend | Python 3.12 + FastAPI + asyncpg — async end-to-end |
| Dashboard | React 18 + TypeScript + Vite + Tailwind CSS — API-first SPA |
| Streaming | Apache Kafka (3 brokers) + Confluent Schema Registry (Avro BACKWARD_TRANSITIVE) |
| Analytics | ClickHouse 24.x — append-only, partitioned by tenant + month |
| Relational DB | PostgreSQL 16 — RLS on all tables, SET LOCAL app.tenant_id per query |
| Cache | Redis 7 — sliding-window rate limiting + MFA challenge tokens |
| Object Storage | MinIO (dev) / AWS S3 (prod) — same binary, STORAGE_ENDPOINT via env var |
| Observability | Prometheus + Grafana + CloudWatch — metrics, dashboards, active alerting |
| Auth Security | JWT HS256 (15 min TTL) + mandatory MFA + API Keys (X-API-Key header) |
| Workers | 25+ independent Python microservices — BaseKafkaWorker + WorkerSupervisor (auto-restart on dead kafka loop) + DLQ + Prometheus :8080 + Kafka-aware healthcheck (/health/live with 60s grace) + PgConnectionManager (reconnect on InterfaceError) |
| Transactional Email | AWS SES (DKIM 2048-bit + SNS bounces/complaints) + SendGrid fallback (Event Webhook ECDSA-P256) |
| Reverse Proxy | Traefik v3.3 (file provider) — TLS termination, host-based routing, ACME challenge auto-renewal |
| CDN | CloudFront (static website) + ACM wildcard cert us-east-1 — Origin Access Control signed to S3 |
| Production Infra | AWS EC2 · EBS 150 GB encrypted (KMS) · daily S3 backups · Lambda EBS snapshots + CloudTrail + AWS Health |
Multi-tenancy & security
3-tier tenant model
PlatformTecnosophie (super_admin · platform_support)
↓
MSSPResellers (mssp_admin · mssp_analyst)
↓
ClientEnd customers (tenant_admin · analyst · auditor · api)
RBAC hierarchy
super_admin > platform_support > mssp_admin > mssp_analyst>
tenant_admin > analyst = auditor > api
Security controls ISO 27001 Phase 2 ✓
- FORCE RLS 67/67 tables — every tenant data table has
FORCE ROW LEVEL SECURITY.SET LOCAL app.tenant_id+ smokesmoke_rls_isolation.sh18×4 scenarios = 18/18 PASS. CI gatelint-rls-coverageblocks new tables without a declared policy. - Transactional audit outbox — the
write_audithelper writes toaudit_outboxin the SAME transaction as the change. Exporter decoupled to Kafkaaudit.events→ S3 Object Lock (WORM). - Encrypted DNS configs — DNS provider credentials (Route53/GCP/RFC2136/Hostinger) encrypted at-rest with
dns_config_key(Fernet AES-128). Rotation via runbook. - Credential rotation runbooks — reproducible runbooks for JWT + DB password + MaxMind + IAM keys (~90d). Daily
monitor-credentials.sh+ Slack alert -30d. - Mandatory MFA — cannot be disabled by any role or tenant. TOTP tokens in Redis with TTL.
- TLS 1.2+ end-to-end. Kafka SASL/SCRAM between brokers and clients. PTR record on AWS SES SMTP receiver for Exchange Online deliverability.
- Rate limiting — sliding window in Redis per tenant and external domain. SPF: 1,000 lookups/day. Threat intel: 7 sources with configurable TTL.
- CI Security — Semgrep SAST + Trivy SCA + Aikido custom rules on every PR. Dependabot active. Pentest contracted due 2026-07-31.
- DR Plan — Modality A (snapshot-only, RTO 20-25 min, ~$3/mo) live. Modalities B (warm standby) + C (multi-region) ready when contractual SLA appears.
Deployment options
On-Premise / Docker
Docker Compose or Kubernetes (Helm). Local MinIO + Kafka. Full data control on your own infrastructure.
Cloud Managed (AWS)
MSK + SES + S3 + RDS PostgreSQL + ElastiCache. Same Docker binary, configuration via environment variables.
Production live
EC2 · 45+ healthy containers · EBS 150 GB encrypted (KMS) · daily S3 backups · Lambda EBS snapshots + CloudTrail + AWS Health · AWS SES (Easy DKIM 2048-bit) integrated.
Integrations
SIEM
- Splunk
- Microsoft Sentinel
- Generic webhook
Alerting
- Slack
- Microsoft Teams
- PagerDuty
- Email AWS SES (Easy DKIM 2048)
- Email SendGrid (Event Webhook ECDSA-P256)
- Generic webhook
DNS Providers
- AWS Route 53
- Google Cloud DNS
- RFC 2136 (nsupdate)
- Hostinger (manual)
- Cloudflare (manual)
Threat Intel
- AbuseIPDB
- VirusTotal
- GreyNoise
- OTX (AlienVault)
- URLhaus
- MaxMind GeoLite2 (ASN+City)
- MISP (planned)
Blacklist Sources
- Spamhaus ZEN/SBL/XBL
- Barracuda
- SORBS
- SURBL
- MultiRBL
- +34 more (39 total across 3 tiers)
Identity
- OIDC / SAML (SSO)
- MFA TOTP
- API Keys (X-API-Key)
AI / ML
- Claude (Anthropic API)
- AI executive summaries
- AI policy advisor
Billing
- Stripe (ready)
- SMB / Enterprise plans
- Event webhooks