Email Security Analyzer

Complete email security audit for any domain — SPF, DKIM, DMARC, MTA-STS, TLS-RPT, MX records, and BIMI checked simultaneously. Get an overall score, letter grade, and prioritised action plan. Built for IT admins, MSPs, and security teams.

How the Email Security Analyzer works

Enter a domain and the analyzer runs five checks in parallel, then a quick PTR lookup for the primary mail server:

  • Email Authentication — Queries the SPF record (including DNS lookup count), probes common DKIM selectors, and retrieves the DMARC record with full policy analysis.
  • Transport Security — Validates the MTA-STS DNS TXT record and fetches the policy file to check mode, MX patterns, and max_age. Checks TLS-RPT for SMTP failure reporting configuration.
  • Mail Infrastructure — Retrieves MX records, detects the email provider, checks redundancy, and performs a lightweight PTR reverse-DNS check on the primary MX host.
  • Brand Protection — Checks the BIMI TXT record, validates the SVG logo URL, and verifies VMC authority certificate availability. Shown as an optional enhancement — does not affect the main score.

The overall score uses a weighted model: Email Authentication (50%), MTA-STS (20%), Mail Infrastructure (20%), TLS-RPT (10%). BIMI is shown separately and not included in the composite score.

Common uses

The Email Security Analyzer is designed for IT admins, MSPs, and security professionals who need a fast, structured view of a domain's email security posture:

  • MSP client onboarding — run before a meeting to identify email security gaps and generate a plain-text report for the client
  • Email deliverability troubleshooting — instantly verify SPF, DKIM, and DMARC are correctly configured
  • Phishing risk assessment — check whether a domain is protected against spoofing before it appears in a security incident
  • Post-migration validation — confirm all email authentication records survived a provider change or domain migration
  • Compliance gap analysis — email authentication maps directly to CIS Control 9 and NIST CSF requirements
  • Competitive research — assess vendor or competitor domains for email security maturity

Email Security Guidance

Frequently Asked Questions

Everything you need to know about email authentication, transport security, and protecting your domain from phishing and spoofing attacks.

What does the Email Security Analyzer check?

The analyzer runs five parallel checks: Email Authentication (SPF, DKIM, DMARC), Transport Security (MTA-STS, TLS-RPT), Mail Infrastructure (MX records, provider, PTR), and Brand Protection (BIMI). It then performs a lightweight PTR check for the primary MX host. Results are scored using a weighted model and combined into an overall grade from A+ to F, with consolidated findings and prioritised recommendations.

What is SPF and why does it matter?

SPF (Sender Policy Framework) is a DNS TXT record listing which mail servers are authorised to send email for your domain. Without SPF, any server can send email claiming to be from your domain. A strong record ends with -all to reject unauthorised senders. SPF must be combined with DMARC to actually enforce protection: SPF alone validates the envelope sender (the RFC5321.MailFrom address), so by itself it does not prevent spoofing of the visible From address.

Why is DMARC p=reject so important?

DMARC tells receiving mail servers what to do with email that fails SPF and DKIM checks. Without DMARC at p=reject or p=quarantine, attackers can send phishing email appearing to come from your domain and it will reach recipients' inboxes. p=reject is the only configuration that fully prevents domain spoofing. Even with SPF and DKIM in place, a missing or p=none DMARC record provides zero enforcement.

What is MTA-STS and should I enable it?

MTA-STS (RFC 8461) allows a domain to declare that inbound SMTP delivery must use verified TLS. Without MTA-STS, the SMTP connection between sending and receiving mail servers uses opportunistic TLS, which an on-path attacker can downgrade to plaintext by stripping STARTTLS. Deploy MTA-STS in testing mode first alongside TLS-RPT, review failure reports for 2–4 weeks, then switch to enforce mode once all delivery is confirmed working.
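As an added example, not the analyzer's own code, the Python below applies the MTA-STS checks described above to constructed records: it validates the _mta-sts TXT record, parses the policy file for mode, mx patterns and max_age, and checks that every MX host is covered by a policy pattern before enforce mode is switched on. The TXT record, policy body and MX host list are constructed samples; a real check would fetch them via DNS and HTTPS.

```python
import re

# Constructed sample inputs, not from any real domain: the _mta-sts TXT record,
# the policy file body served at /.well-known/mta-sts.txt, and the domain's MX hosts.
SAMPLE_TXT = "v=STSv1; id=20240601T120000Z"
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: mx1.example-mail.net\nmx: *.example-mail.net\nmax_age: 86400\n"
SAMPLE_MX = ["mx1.example-mail.net", "backup.example-mail.net", "relay.otherhost.org"]
MAX_AGE_CEILING = 31557600  # RFC 8461: max_age is capped at roughly one year of seconds

def parse_policy(text):
    """Parse 'key: value' lines of a policy file; 'mx' may repeat, so it collects a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_matches(pattern, host):
    """RFC 8461 wildcard rule: a leading '*.' matches exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def check_mta_sts(txt_record, policy_text, mx_hosts):
    """Return a list of findings; an empty list means a consistent, enforcing policy."""
    findings = []
    if not re.fullmatch(r"v=STSv1;\s*id=[A-Za-z0-9]{1,32};?", txt_record.strip()):
        findings.append("TXT record is not a valid 'v=STSv1; id=...' record")
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        findings.append("policy version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("testing", "enforce", "none"):
        findings.append(f"unknown mode {mode!r}")
    elif mode != "enforce":
        findings.append(f"mode is {mode}: TLS failures are only reported, not enforced")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > MAX_AGE_CEILING:
        findings.append("max_age missing or outside 0..31557600 seconds")
    if not policy["mx"]:
        findings.append("policy lists no mx hosts")
    # Every real MX host must match a pattern, or delivery to it fails once mode is enforce.
    for host in mx_hosts:
        if not any(mx_matches(p, host) for p in policy["mx"]):
            findings.append(f"MX host {host} matches no mx pattern in the policy")
    return findings
```

Run against the samples it reports the testing mode and the uncovered relay.otherhost.org host, which is exactly the kind of gap to close before moving to enforce.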

What is TLS-RPT and why do I need it?

TLS-RPT (RFC 8460) is a DNS TXT record at _smtp._tls.yourdomain.com that instructs sending servers to submit daily JSON reports about SMTP TLS failures. It is especially important when deploying MTA-STS — without TLS-RPT you have no visibility into certificate errors or delivery failures during the testing phase. Always enable TLS-RPT before or alongside MTA-STS.

Does BIMI affect my email security score?

No. BIMI is an optional brand enhancement that displays a logo next to emails in supporting inboxes. Its absence does not reduce your email security score and has no impact on email delivery, authentication, or anti-spoofing protection. It is shown separately under Brand Protection as an informational section. A domain without BIMI can still achieve a perfect email security score.

Why does DKIM sometimes show as not found?

DKIM keys are published at selector-specific subdomains like selector1._domainkey.yourdomain.com. There is no DNS standard for discovering all selectors. The analyzer probes common selector names (google, selector1, selector2, default, dkim, k1, mail, and others). If your provider uses a custom selector, DKIM appears not found even if signing is active. Check your email provider settings and verify using the SPF / DKIM / DMARC Validator with the specific selector.

What is a PTR record and why does it matter for mail?

A PTR record maps an IP address back to a hostname. For mail servers, forward-confirmed reverse DNS (a PTR record whose hostname resolves forward to the same sending IP) is a signal of legitimate infrastructure. Some strict receiving servers treat a missing or mismatched PTR record as a spam signal. For domains using Google Workspace or Microsoft 365, PTR records are managed by the provider and are typically correct automatically.

How is the overall score calculated?

The overall score is a weighted composite: Email Authentication (50% — SPF, DKIM, DMARC deductions from a base of 100), MTA-STS (20%), Mail Infrastructure/MX (20%), and TLS-RPT (10%). BIMI is shown as a Brand Protection score but contributes 0% to the composite — it is optional and its absence does not penalise the domain. Grades: A+ (95–100), A (85–94), B (70–84), C (55–69), D (40–54), F (below 40).
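An added example, not the analyzer's own code, that implements the weights and grade bands stated above and ranks the four scored checks by how many composite points each can still recover. The per-check scores and the function names are constructed assumptions; the analyzer derives its per-check scores from live DNS, which this snippet does not do.

```python
# Weights and grade bands as stated on the page; BIMI is intentionally absent from WEIGHTS.
WEIGHTS = {"authentication": 0.50, "mta_sts": 0.20, "mail_infrastructure": 0.20, "tls_rpt": 0.10}
GRADE_BANDS = [(95, "A+"), (85, "A"), (70, "B"), (55, "C"), (40, "D"), (0, "F")]

# Constructed sample: DMARC at p=none pulled Authentication down, no MTA-STS or TLS-RPT,
# healthy redundant MX. Per-check scores are inputs here, not computed from DNS.
SAMPLE_COMPONENTS = {"authentication": 70, "mta_sts": 0, "mail_infrastructure": 100, "tls_rpt": 0}

def composite_score(components):
    """Weighted composite of per-check scores (each clamped to 0..100), rounded to an integer."""
    missing = set(WEIGHTS) - set(components)
    if missing:
        raise ValueError(f"missing component scores: {sorted(missing)}")
    total = sum(WEIGHTS[name] * max(0, min(100, components[name])) for name in WEIGHTS)
    return int(round(total))

def letter_grade(score):
    """Map a 0..100 score onto the A+ to F bands, checking the highest band first."""
    for lower_bound, grade in GRADE_BANDS:
        if score >= lower_bound:
            return grade
    return "F"

def points_to_next_grade(score):
    """How many composite points separate this score from the next band up (0 at A+)."""
    higher = [lower for lower, _ in GRADE_BANDS if lower > score]
    return min(higher) - score if higher else 0

def remediation_priority(components):
    """Rank checks by composite points still recoverable: weight * (100 - score).
    This is score leverage, not risk severity; Critical findings still come first."""
    gains = {name: round(WEIGHTS[name] * (100 - components[name]), 2) for name in WEIGHTS}
    return sorted(gains.items(), key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    score = composite_score(SAMPLE_COMPONENTS)
    print(score, letter_grade(score), points_to_next_grade(score))
    print(remediation_priority(SAMPLE_COMPONENTS))
```

For the sample domain the composite is 55 (grade C), 15 points short of a B, and a missing MTA-STS policy is worth more composite points than the remaining authentication deductions.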

What should I fix first?

Address Critical findings first: no DMARC record and SPF +all are the highest-risk configurations. Then fix High findings: add or harden DMARC to p=reject, add SPF if missing, fix SPF lookup overflows. Medium findings (MTA-STS, TLS-RPT, DMARC reporting) improve defence in depth. The Recommendations section orders all actions by impact-to-effort ratio so you always know what to tackle next.
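An added example, not the analyzer's code, that applies the Critical, High and Medium ordering above to a constructed SPF record and DMARC record: it counts SPF DNS-lookup terms against the RFC 7208 limit of 10, reads the qualifier on the terminating all term, parses the DMARC tags and sorts the findings by severity. The sample records are constructed; severities follow the FAQ answer, with a missing rua= address filed under the Medium "DMARC reporting" item.

```python
import re
# Constructed sample records, not from any real domain.
SAMPLE_SPF = "v=spf1 include:_spf.example-mail.net include:spf.crm-vendor.example a mx exists:%{i}.chk.example ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; pct=100"
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def spf_lookup_count(record):
    """Count DNS-querying terms in one record; includes are not followed, so a real check adds theirs."""
    count = 0
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            count += 1
    return count

def spf_all_qualifier(record):
    """Qualifier on the terminating 'all' ('+', '-', '~', '?'), or None if there is no 'all' term."""
    for term in record.split():
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"  # a bare 'all' means '+all'
    return None

def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):  # 'tag=value; tag=value' with lower-cased tag names
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def triage(spf, dmarc):
    """Return (severity, message) findings ordered Critical, High, Medium; None means no record."""
    findings = []
    if dmarc is None:
        findings.append(("Critical", "no DMARC record: nothing enforces SPF/DKIM results"))
    else:
        tags = parse_dmarc(dmarc)
        if tags.get("p") != "reject":
            findings.append(("High", f"DMARC policy is p={tags.get('p', 'missing')}, not p=reject"))
        if "rua" not in tags:
            findings.append(("Medium", "DMARC has no rua= address, so no aggregate reports arrive"))
    if spf is None:
        findings.append(("High", "no SPF record"))
    elif spf_all_qualifier(spf) == "+":
        findings.append(("Critical", "SPF ends with +all: every sender passes"))
    elif spf_lookup_count(spf) > SPF_LOOKUP_LIMIT:
        findings.append(("High", f"SPF exceeds {SPF_LOOKUP_LIMIT} DNS lookups and evaluates to permerror"))
    return sorted(findings, key=lambda f: ("Critical", "High", "Medium").index(f[0]))
```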

Can MSPs use this for client reports?

Yes. Use the shareable URL (?domain=clientdomain.com) to create a direct link to any client's analysis. The Copy Executive Summary button produces a plain-text snapshot with score, grade, top findings, and recommendations suitable for emailing or pasting into a ticket. The Copy Full Report button exports all findings, recommendations, and deep links. Each recommendation includes impact level, difficulty, and estimated effort for scoping remediation.

How often should I scan?

Scan any time you change DNS records, switch email providers, update DMARC policies, or migrate infrastructure. At minimum, scan monthly for production domains. MSPs typically scan client domains at onboarding, after migrations, and on a quarterly review cycle to catch configuration drift.