What does the email security score mean?

The score (0–100) reflects how well your domain's email authentication is configured. SPF contributes 30 points, DKIM 30 points, DMARC 30 points, and MX presence 10 points. A score of 85+ is considered strong; 60–84 needs hardening; below 60 is high risk.

Why is my SPF failing even though I have a record?

Common causes include exceeding the 10 DNS lookup limit (too many include: mechanisms), having multiple SPF records (only one is valid), using a deprecated PTR mechanism, or missing the ~all / -all qualifier at the end of the record.

What is a DKIM selector and where do I find it?

A DKIM selector is a label that points to the public key your mail server uses to sign outgoing messages. Google Workspace uses 'google', Microsoft 365 uses 'selector1' and 'selector2', and other providers publish their selector name in their setup documentation.

What is the difference between DMARC quarantine and reject?

p=quarantine tells receiving servers to deliver failing messages to the spam folder. p=reject tells them to refuse delivery entirely. Start with p=none to observe traffic, move to quarantine once legitimate senders are aligned, then advance to reject for full enforcement.

Does DMARC stop phishing?

DMARC at p=reject prevents attackers from spoofing your exact domain in the From address. It does not stop lookalike domains, display-name spoofing, or compromised accounts. Combine DMARC enforcement with user training and multi-factor authentication for broader protection.

How often should I check SPF, DKIM, and DMARC?

Run a check monthly as a baseline, and immediately after any DNS change, new email provider onboarding, DKIM key rotation, or DMARC policy update. Add it to your release checklist for any mail-flow change.

Can I have multiple SPF records?

No. RFC 7208 specifies that a domain must have at most one SPF record. If multiple TXT records starting with 'v=spf1' exist, the result is a permanent error (permerror) and SPF fails. Merge all senders into a single record.

What is an MX record and why does it matter for email security?

An MX (Mail Exchanger) record tells other mail servers where to deliver email for your domain. Without MX records, your domain cannot receive email. The checker flags missing MX as a warning because it may indicate a misconfigured or send-only domain that still needs authentication records.

Free · No sign-up · Live DNS checks

Free Email Security Checker

Enter any domain to instantly validate its SPF, DKIM, and DMARC records. Get a 0–100 security score, plain-English explanations of every finding, and copy-ready DNS fixes — no account required.

How the security score is calculated

The 0–100 score reflects the presence and quality of your domain's email authentication records. Each protocol contributes a fixed maximum; partial credit is awarded for records that exist but have configuration issues.

SPF

30 pts

Authorises which servers may send for your domain

DKIM

30 pts

Cryptographic signature proving message integrity

DMARC

30 pts

Policy enforcement and spoofing protection

10 pts

Mail exchanger records confirming receive capability

Score bands: 85–100 = Strong · 60–84 = Needs hardening · 0–59 = High risk

Understanding SPF, DKIM, and DMARC

These three DNS-based protocols work together to authenticate email and prevent domain spoofing. Each one addresses a different layer of the problem — you need all three for full protection.

SPF — Sender Policy Framework

DNS TXT record

SPF tells receiving mail servers which IP addresses and hostnames are authorised to send email on behalf of your domain. When a message arrives, the receiving server checks whether the sending IP is listed in the SPF record.

Only one SPF record is allowed per domain — multiple records cause a permanent error.
SPF allows a maximum of 10 DNS lookups per evaluation. Exceeding this limit results in a permerror, causing SPF to fail for that message.
End your record with ~all (soft fail) during tuning, then -all (hard fail) for enforcement.
Use subdomains for high-volume or marketing senders to isolate risk.

Minimal SPF starter (Google Workspace)

v=spf1 include:_spf.google.com ~all

DKIM — DomainKeys Identified Mail

Cryptographic signature

DKIM adds a digital signature to outgoing messages. The sending server signs each email using a private key; the public key is published in DNS under a selector subdomain. Receiving servers verify the signature to confirm the message was not tampered with in transit.

The selector name (e.g. 'google', 'selector1') must match what your mail platform uses.
2048-bit keys are the current minimum recommendation; 1024-bit keys should be rotated.
Maintain a rollover selector so you can rotate keys without delivery interruption.
DKIM survives forwarding better than SPF — it is critical for DMARC alignment.

DMARC — Domain-based Message Authentication

Policy + reporting

DMARC builds on SPF and DKIM by specifying what to do when authentication fails. It also enables aggregate reporting so you can see who is sending email using your domain. DMARC alignment requires the From domain to match the SPF or DKIM authenticated domain.

p=none: monitor mode — messages that fail authentication are still delivered. Use this only as an initial observation stage.
p=quarantine: failing messages go to spam. Good intermediate enforcement stage.
p=reject: failing messages are refused. Full protection against domain spoofing.
Add rua= to receive aggregate reports. Without a reporting address, you have no visibility into who is sending email using your domain.

DMARC monitor-mode starter

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

Common failure patterns and fixes

Most email authentication failures fall into a small set of repeating patterns. Use this reference to diagnose and resolve issues quickly.

Failure patternRoot causeFix

SPF exceeds 10 DNS lookup limitToo many include: mechanisms resolve into more DNS lookups than the RFC 7208 limit of 10 allowsFlatten SPF by replacing nested include: mechanisms with direct ip4:/ip6: entries, or use an SPF macro or flattening service to stay within the lookup limit

DKIM selector not foundThe selector name used by your mail platform does not match what was testedCheck your mail platform's DKIM settings for the active selector name, then re-run with that selector in the custom field above

DMARC stuck at p=noneTeams deploy DMARC in monitor mode and never advance enforcementReview aggregate reports for 2–4 weeks, validate all legitimate senders are aligned, then move to p=quarantine

Multiple SPF recordsTwo or more TXT records starting with v=spf1 exist on the domainDelete all but one SPF record. Merge all senders into a single record using include: mechanisms

No MX recordDomain is send-only or MX records were accidentally removedAdd MX records if the domain should receive email. For send-only domains, add a null MX: '0 .'

DKIM key strength weak (1024-bit)Old key generated before 2048-bit became the standardGenerate a new 2048-bit key pair in your mail platform, publish the new public key, then retire the old selector

When to re-run this check

Email authentication can break silently. Any change to DNS, mail routing, or sending providers should trigger a re-check. Use this as your trigger list.

After any DNS record change (SPF, DKIM, DMARC, or MX)

When adding or removing an email service provider

After DKIM key rotation

When changing DMARC policy (none → quarantine → reject)

Monthly as a routine operational check

After migrating to a new mail platform or domain registrar

Frequently asked questions

Go deeper on email security

Validation guide

Email Security Tester Guide

Step-by-step workflow for validating SPF, DKIM, and DMARC and turning results into enforceable controls.

Read guide

Implementation guide

Business Email Security Guide

Operational framework for reducing phishing, BEC, and misconfiguration risk in business email environments.

Read guide

BEC guide

Spot the Fake: BEC Verification

Finance-grade verification controls for stopping payment fraud and impersonation requests.

Read guide

Need broader security guidance?

Use the free Valydex assessment to prioritise email security alongside identity, endpoint, and recovery controls — tailored to your organisation's size and risk profile.

How the security score is calculated

SPF

30 pts

Authorises which servers may send for your domain

DKIM

30 pts

Cryptographic signature proving message integrity

DMARC

30 pts

Policy enforcement and spoofing protection

10 pts

Mail exchanger records confirming receive capability

Score bands: 85–100 = Strong · 60–84 = Needs hardening · 0–59 = High risk

Understanding SPF, DKIM, and DMARC

These three DNS-based protocols work together to authenticate email and prevent domain spoofing. Each one addresses a different layer of the problem — you need all three for full protection.

SPF — Sender Policy Framework

DNS TXT record

Only one SPF record is allowed per domain — multiple records cause a permanent error.
SPF allows a maximum of 10 DNS lookups per evaluation. Exceeding this limit results in a permerror, causing SPF to fail for that message.
End your record with ~all (soft fail) during tuning, then -all (hard fail) for enforcement.
Use subdomains for high-volume or marketing senders to isolate risk.

Minimal SPF starter (Google Workspace)

v=spf1 include:_spf.google.com ~all

DKIM — DomainKeys Identified Mail

Cryptographic signature

The selector name (e.g. 'google', 'selector1') must match what your mail platform uses.
2048-bit keys are the current minimum recommendation; 1024-bit keys should be rotated.
Maintain a rollover selector so you can rotate keys without delivery interruption.
DKIM survives forwarding better than SPF — it is critical for DMARC alignment.

DMARC — Domain-based Message Authentication

Policy + reporting

p=none: monitor mode — messages that fail authentication are still delivered. Use this only as an initial observation stage.
p=quarantine: failing messages go to spam. Good intermediate enforcement stage.
p=reject: failing messages are refused. Full protection against domain spoofing.
Add rua= to receive aggregate reports. Without a reporting address, you have no visibility into who is sending email using your domain.

DMARC monitor-mode starter

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

Common failure patterns and fixes

Most email authentication failures fall into a small set of repeating patterns. Use this reference to diagnose and resolve issues quickly.

Failure patternRoot causeFix

DMARC stuck at p=noneTeams deploy DMARC in monitor mode and never advance enforcementReview aggregate reports for 2–4 weeks, validate all legitimate senders are aligned, then move to p=quarantine

Multiple SPF recordsTwo or more TXT records starting with v=spf1 exist on the domainDelete all but one SPF record. Merge all senders into a single record using include: mechanisms

No MX recordDomain is send-only or MX records were accidentally removedAdd MX records if the domain should receive email. For send-only domains, add a null MX: '0 .'

DKIM key strength weak (1024-bit)Old key generated before 2048-bit became the standardGenerate a new 2048-bit key pair in your mail platform, publish the new public key, then retire the old selector

When to re-run this check

Email authentication can break silently. Any change to DNS, mail routing, or sending providers should trigger a re-check. Use this as your trigger list.

After any DNS record change (SPF, DKIM, DMARC, or MX)

When adding or removing an email service provider

After DKIM key rotation

When changing DMARC policy (none → quarantine → reject)

Monthly as a routine operational check

After migrating to a new mail platform or domain registrar

Frequently asked questions