DNS Health Check

SPF (Sender Policy Framework) is a DNS TXT record listing which IP addresses are authorized to send mail for your domain. Without SPF, anyone on the internet can trivially forge mail "From: you@yourdomain.com" — a tactic called domain spoofing that drives most business-email-compromise (BEC) fraud. A properly configured SPF ending in -all (hard-fail) tells receiving servers to discard mail that does not come from your approved IPs.

DMARC sits on top of SPF and DKIM. The p= tag tells receivers what to do when a message fails both checks: none = monitor only, quarantine = junk folder, reject = discard outright. Best practice is to roll out at p=none for 2-4 weeks to gather aggregate reports (the rua address), confirm no legitimate flows fail, then move to quarantine, then to reject.

DKIM (DomainKeys Identified Mail) cryptographically signs outbound mail headers so that any tampering is detectable. Most modern mail providers (Google Workspace, Microsoft 365, Postmark, SendGrid) walk you through DKIM key generation in their admin console — you copy a CNAME or TXT into your DNS and you're done. Your selectors are typically google._domainkey, selector1._domainkey, etc. — our scanner checks the most common ones automatically.

A higher score correlates with both better deliverability (your legitimate mail reaches inboxes) and lower attack surface (criminals find it harder to impersonate you). Domains scoring below 60 typically have at least one of: missing DMARC, missing DKIM, IP on an RBL, or no DNSSEC — each of which is exploitable. The score is intentionally weighted toward email security because that's where most production impact lives.