Audit all email authentication in one shot — SPF + DKIM + DMARC + MTA-STS + TLS-RPT + PTR + DNSSEC
// published 2026-04-17
Email authentication has at least seven moving parts — SPF, DKIM, DMARC, MX, PTR, MTA-STS, TLS-RPT, DNSSEC — and checking them one at a time is how mistakes slip through. The Email Authentication Scanner runs every one in parallel and gives you a single deliverability score.
What the scanner checks
- SPF — record syntax,
-all/~all/+all, DNS-lookup count against the 10-lookup ceiling. - DKIM — probes 50+ common ESP selectors in parallel, surfaces which ones are live plus key size.
- DMARC — policy (
p=), alignment (aspf/adkim), reporting addresses (rua/ruf), percentage (pct=). - MX — records, priorities, resolved IPs, detected provider (Google Workspace, Microsoft 365, Zoho, Fastmail).
- PTR — reverse DNS of the primary MX. Missing or mismatched PTR is the #1 cause of legitimate mail being spammed.
- MTA-STS — TXT + policy file at
_mta-sts.yourdomain.com. Enforces TLS on inbound mail. - TLS-RPT — where failed TLS delivery reports should go. Pair with MTA-STS.
- DNSSEC — whether the zone is signed. Complementary: protects the lookup that leads to the mail server.
Reading the score
The score is weighted. SPF + DKIM + DMARC are the big three and dominate. MTA-STS / TLS-RPT / DNSSEC are bonus points — present on fewer than 5% of domains, so mostly they tell you whether you're ahead of the curve.
- 0-40: core auth is missing or badly broken. Your mail is probably going to spam.
- 40-70: basics are in place but have gaps. Common: SPF present but
p=noneDMARC, or DMARC with norua. - 70-90: correctly configured email auth. You're in the top 30% of domains.
- 90-100: full modern setup. Strict DMARC, DKIM signing, MTA-STS enforced.
Save and share scan reports
Every scan can be saved with one click. You get a shareable URL /r/:token that's valid for 30 days — send it to a client, a manager, or a forum thread as proof of a configuration state. The snapshot is frozen; it won't shift under you if the domain changes tomorrow.
Save and monitor
Save the domain for daily monitoring and we re-run the full scanner every morning at 6am UTC. If SPF suddenly stops resolving, or DMARC drops from reject to none, you get an alert the same day — email, Slack, Discord, your choice.
Scan your domain now: /tools/email-auth-scanner.