Email Security

SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI

Email Authentication & Transport Security - what this test checks

Misconfigured email records cause delivery problems, spoofing, and phishing risk. Our Email Security scan validates SPF, DKIM, DMARC, MTA-STS, TLS-RPT, and BIMI, returning a clear PASS/FAIL with practical remediation tips.

What we validate

  • SPF - syntax, multiple records, and include loops; alignment vs envelope-from.
  • DKIM - selector discovery, public key type/length (recommend ≥ 2048-bit), and DNS reachability.
  • DMARC - policy (p=none|quarantine|reject), alignment (relaxed|strict), and rua/ruf reporting.
  • MTA-STS - policy mode (enforce|testing), HTTPS policy host, and valid TLS for inbound mail.
  • TLS-RPT - aggregate reporting endpoint so you can monitor TLS failures.
  • BIMI - record presence and SVG logo URL for brand indicators.

Quick fixes that work

  • Consolidate to a single SPF record; use sub-includes to avoid DNS-lookup limits (10 lookups).
  • Rotate DKIM keys, use keys of ≥ 2048 bits, and use per-service selectors (e.g., s=mail, s=marketing).
  • Start DMARC with p=none and reports; move to quarantine, then reject once sources are aligned.
  • Publish MTA-STS (mode=enforce) and add TLS-RPT so mis-delivery gets surfaced quickly.
  • Enable BIMI after DMARC p=quarantine or reject is in place for maximum trust signals.

After changes, re-run this scan and cross-check mail flow. For background reading see DMARC.org and RFC 8461 (MTA-STS).
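
The SPF checks listed above (multiple records, include loops, the 10-lookup limit) can be reproduced offline. This is an added example, not the scanner's own code; the domains and TXT records are constructed, and the count is a worst case that follows nested includes as well as the top-level record.

```python
import re

# Constructed TXT data standing in for live DNS (example domains, assumed names).
ZONE = {
    "example.com": ["v=spf1 a mx include:_spf.mailer.example include:_spf.crm.example ~all"],
    "_spf.mailer.example": ["v=spf1 a mx ptr include:_spf.relay.example ip4:192.0.2.0/24 -all"],
    "_spf.relay.example": ["v=spf1 exists:%{i}.allow.example a:out.relay.example -all"],
    "_spf.crm.example": ["v=spf1 mx include:_spf.crm-eu.example -all"],
    "_spf.crm-eu.example": ["v=spf1 a/24 ip6:2001:db8::/32 -all"],
    "loop.example": ["v=spf1 include:_a.loop.example -all"],
    "_a.loop.example": ["v=spf1 include:loop.example -all"],
    "dup.example": ["v=spf1 -all", "v=spf1 mx -all", "unrelated-verification=abc"],
}
LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF check
QUERYING = {"include", "a", "mx", "ptr", "exists"}  # plus the redirect= modifier
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:([:=])([^/\s]+))?", re.I)

def audit_spf(domain, zone=ZONE):
    """Worst-case audit: return (lookup_count, problems) for domain's SPF tree."""
    problems, count = [], 0

    def walk(name, chain):
        nonlocal count
        records = [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]
        if len(records) != 1:
            problems.append(f"{name}: {len(records)} SPF records, need exactly 1")
            return
        for term in records[0].split()[1:]:
            m = TERM.match(term)
            if not m:
                problems.append(f"{name}: unparsable term {term!r}")
                continue
            mech, sep, arg = m.group(1).lower(), m.group(2), m.group(3)
            follows = (mech, sep) in {("include", ":"), ("redirect", "=")}
            if follows or (mech in QUERYING and sep != "="):
                count += 1  # terms inside included records count toward the same limit
            if follows:
                target = arg.lower().rstrip(".")
                if target in chain:
                    problems.append("include loop: " + " -> ".join(chain + [target]))
                else:
                    walk(target, chain + [target])

    start = domain.lower().rstrip(".")
    walk(start, [start])
    if count > LIMIT:
        problems.append(f"{count} DNS-querying terms, limit is {LIMIT}")
    return count, problems
```

The constructed `example.com` record shows only four DNS-querying terms at the top level, but its include tree brings the total to 13, which a receiver treats as a permanent error.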

Email Security - FAQ

What's the difference between SPF, DKIM and DMARC?
SPF authorizes sending IPs; DKIM signs messages; DMARC enforces policy/alignment and gives reports so you can stop spoofing.

How strict should my DMARC policy be?
Begin with p=none to collect data, then move to quarantine and finally reject once all legitimate sources align.

Do I need MTA-STS and TLS-RPT?
Yes. MTA-STS enforces TLS for inbound mail; TLS-RPT gives visibility when senders fail to negotiate secure transport.

When can I enable BIMI?
After DMARC is at p=quarantine or reject and deliverability is healthy. Some providers also require a verified mark certificate.

Why does SPF say "too many DNS lookups"?
SPF is limited to 10 DNS lookups per check. Consolidate vendors and use sub-includes to keep within limits.