Domain Security Evaluator
Check SPF, DMARC, BIMI, MTA-STS, and TLS-RPT records for any domain — free.
Understanding Email Authentication Protocols
SPF (Sender Policy Framework)
SPF specifies which mail servers are authorized to send email for your domain. It works by publishing a DNS TXT record that lists approved IP addresses and hostnames. Receiving servers check this record to verify that incoming mail comes from an authorized source.
DMARC (Domain-based Message Authentication)
DMARC ties SPF and DKIM together and tells receiving mail servers what to do when neither authentication method passes — reject, quarantine, or allow the message. It also enables aggregate and forensic reporting so domain owners can monitor authentication results.
BIMI (Brand Indicators for Message Identification)
BIMI lets organizations display their brand logo next to authenticated emails in supporting email clients. It requires a valid DMARC policy (quarantine or reject) and optionally a Verified Mark Certificate (VMC) for logo display in Gmail and Apple Mail.
MTA-STS (Mail Transfer Agent Strict Transport Security)
MTA-STS tells sending mail servers that your domain requires TLS encryption for email delivery. It prevents downgrade attacks and man-in-the-middle interception by publishing a DNS record and a policy file that mandate encrypted connections.
TLS-RPT (TLS Reporting)
TLS-RPT enables receiving mail servers to report TLS connection failures back to you. When combined with MTA-STS, it provides visibility into delivery problems caused by certificate errors, expired certificates, or misconfigured encryption.
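The five record checks described above can be sketched offline as follows. This is an added example, not the evaluator's own code: the function names, the pass/warn/fail labels and the `example.com` sample records are constructed assumptions, and live DNS queries and the MTA-STS HTTPS policy file fetch are left out.

```python
import re
# Constructed sample TXT records for the placeholder domain example.com.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net mx ip4:192.0.2.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "default._bimi.example.com": ["v=BIMI1; l=https://example.com/logo.svg"],
    "_mta-sts.example.com": ["v=STSv1; id=20240101T000000"],
    # No _smtp._tls.example.com entry: TLS-RPT is not published.
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def find(txt, name, version):
    """Return the one TXT record at `name` whose first token is `version`."""
    hits = [r for r in txt.get(name, [])
            if re.split(r"[ ;]", r.strip(), maxsplit=1)[0].lower() == version.lower()]
    return hits[0] if len(hits) == 1 else None  # duplicates are treated as invalid

def tags(record):
    """Parse the 'k=v; k=v' tag list used by DMARC, BIMI, MTA-STS and TLS-RPT."""
    parts = (p.split("=", 1) for p in (record or "").split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in parts}

def check_spf(record):
    if record is None:
        return "fail: no single v=spf1 record"
    terms = [t.lstrip("+-~?").lower() for t in record.split()[1:]]
    # Count the terms that trigger DNS lookups (the 10-lookup limit).
    lookups = sum(re.split(r"[:/=]", t)[0] in LOOKUP_TERMS for t in terms)
    if lookups > 10:
        return f"fail: {lookups} DNS lookups exceeds the limit of 10"
    raw_all = [t for t in record.lower().split() if t.lstrip("+-~?") == "all"]
    strict = bool(raw_all) and raw_all[-1][0] in "-~"
    return "pass" if strict else "warn: no -all or ~all"

def evaluate(domain, txt):
    policy = tags(find(txt, f"_dmarc.{domain}", "v=DMARC1")).get("p", "").lower()
    enforced = policy in ("quarantine", "reject")
    bimi = tags(find(txt, f"default._bimi.{domain}", "v=BIMI1"))
    return {
        "SPF": check_spf(find(txt, domain, "v=spf1")),
        "DMARC": ("pass" if enforced else "warn: p=none only monitors"
                  if policy == "none" else "fail: no valid policy"),
        "BIMI": ("fail: no record" if not bimi else "pass" if enforced
                 else "warn: needs DMARC quarantine or reject"),
        # Only the DNS half of MTA-STS is checked; the policy file is not fetched.
        "MTA-STS": ("pass (DNS record only)" if tags(find(txt, f"_mta-sts.{domain}", "v=STSv1")).get("id")
                    else "fail: no record with id"),
        "TLS-RPT": ("pass" if tags(find(txt, f"_smtp._tls.{domain}", "v=TLSRPTv1")).get("rua")
                    else "fail: no record with rua"),
    }
```

Calling `evaluate("example.com", SAMPLE_TXT)` on the constructed records reports SPF as passing, DMARC and BIMI as warnings because the policy is `p=none`, and TLS-RPT as missing.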
Why All 5 Protocols Matter
Anti-Spoofing
SPF + DMARC prevent unauthorized senders from impersonating your domain.
Encryption
MTA-STS + TLS-RPT ensure email is encrypted in transit and report failures.
Brand Trust
BIMI displays your logo in the inbox, increasing recipient confidence and open rates.
Frequently Asked Questions
What does the Domain Security Evaluator check?
It checks all 5 email authentication protocols in a single lookup: SPF (authorized senders), DMARC (policy enforcement), BIMI (brand logo), MTA-STS (TLS encryption), and TLS-RPT (encryption failure reporting). Each protocol gets its own detailed tab.
What is a good domain security score?
A perfect score means all 5 protocols are properly configured. Most domains score well on SPF and DMARC but miss MTA-STS and TLS-RPT. Even partial coverage is better than none — start with SPF and DMARC, then add the others.
Do I need all 5 protocols?
SPF and DMARC are essential — without them, anyone can spoof your domain. BIMI adds brand visibility. MTA-STS and TLS-RPT protect email in transit. For maximum security, implement all five.
How do I fix issues found by the evaluator?
Each protocol tab includes specific guidance on what to fix. For SPF issues, AutoSPF (autospf.com) can automatically flatten your record. For DMARC monitoring, DMARC Report (dmarcreport.com) provides dashboards and alerts. For phishing protection, Phish Protection blocks threats before they reach your inbox.