Domain Email Health Check
Run a comprehensive email authentication audit across all protocols. Get a weighted security score and actionable recommendations -- entirely from your browser.
What does this score mean?
The Domain Email Health Check runs parallel DNS lookups for every major email authentication protocol and produces a weighted composite score from 0 to 100. Each protocol contributes a fixed number of points based on its relative importance to email security.
A score of 90-100 means your domain has comprehensive protection across all protocols. 70-89 is good but has room for improvement. 50-69 indicates gaps that attackers could exploit. Below 50 signals significant risk and missing critical protections.
Scoring Methodology
| Protocol | Max Points | What earns full marks |
|---|---|---|
DMARC | 25 | Record present with p=reject. Quarantine scores 20, none scores 10. |
SPF | 20 | Valid record with -all or ~all mechanism. |
DKIM | 15 | Scored as neutral (7.5) since DKIM requires a selector that cannot be discovered from DNS alone. |
MTA-STS | 15 | DNS record present with v=STSv1. |
TLS-RPT | 10 | Valid record with v=TLSRPTv1. |
BIMI | 5 | Valid record with v=BIMI1. |
DANE | 5 | TLSA records found at _25._tcp. |
DNSSEC | 5 | Resolver returns Authenticated Data (AD) flag. |
Why these weights?
DMARC and SPF carry the most weight because they are the foundation of email authentication and directly prevent domain spoofing. MTA-STS and DKIM protect the transport layer and message integrity respectively. TLS-RPT, BIMI, DANE, and DNSSEC are important complementary protocols that strengthen your overall security posture but are less universally deployed.
For a deep dive into any individual protocol, use the dedicated checker tools linked from each protocol card in the results.
Get the full picture with DMARCguard
Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.
Start Free