Mutega

Email Security Report

Check SPF, DKIM, DMARC, BIMI, MX, MTA-STS and TLS-RPT — and generate a readable report.


Use the domain you send mail from (RFC5322.From). If you send from a subdomain (e.g. alerts.example.com), enter that exact subdomain.

DKIM DNS name format: <selector>._domainkey.<domain>. If blank, we try common selectors.

What do these checks mean?
SPF: Allowed sending infrastructure. Best practice: one record, end with -all (or ~all during rollout), stay within the 10 DNS-lookup limit.
DKIM: Cryptographic signing of outbound mail. DNS publishes the public key; receivers verify signatures. This tool checks record presence/shape (not real message signing).
DMARC: Policy + reporting for SPF/DKIM alignment. p=none = monitor; quarantine/reject = enforce. rua= gives aggregate reports.
MX: Where inbound mail is delivered for the domain.
MTA-STS: Helps enforce TLS when other MTAs deliver to you (inbound). Requires TXT at _mta-sts and an HTTPS policy file.
TLS-RPT: Where TLS delivery failure reports are sent (STARTTLS/TLS troubleshooting).
BIMI: Brand logo display in some clients. Usually requires DMARC enforcement plus a compliant HTTPS SVG (and sometimes a VMC).
Microsoft 365 Email Security Best Practices
Layered Microsoft 365 Protection Model
  • Authentication Layer — SPF, DKIM, DMARC
  • Transport Security Layer — MTA-STS, TLS-RPT
  • Brand Trust Layer — BIMI
Authentication Best Practices
  • SPF
    Use a single record including Microsoft 365:
    v=spf1 include:spf.protection.outlook.com -all
  • DKIM
    Enable signing in Microsoft 365. Microsoft recommends:
    • Use 2048-bit keys
    • Enable selector rotation
  • DMARC
    Microsoft long-term recommendation:
    v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s; pct=100

    Start with p=none or quarantine before moving to reject.

Transport Security (Strongly Recommended)
  • MTA-STS
    Protects inbound email TLS.
    version: STSv1
    mode: enforce
    mx: *.mail.protection.outlook.com
    max_age: 604800
  • TLS-RPT
    Enables TLS delivery reporting.
    v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com
Brand & Reputation (Optional)
  • BIMI enables logo display in supported mailbox providers.
  • Requires DMARC enforcement.
  • Often requires a Verified Mark Certificate (VMC).
Security Benefits
  • Prevents spoofing and phishing
  • Improves email deliverability
  • Improves Microsoft Defender trust scoring
  • Strengthens domain reputation
How do I add these records to DNS?
Quick rules (important)
  • Name/Host is usually the left-hand label (e.g. _mta-sts, _smtp._tls, default._bimi). Many DNS UIs automatically append .example.com.
  • Value must be copied exactly (no smart quotes). Some providers require removing surrounding quotes; this tool shows values as plain text.
  • TTL: If unsure, use 30–60 minutes during setup, then increase later if you want.
  • One SPF record only. Multiple SPF TXT records at the same name will break SPF.
MTA-STS also needs an HTTPS policy file

DNS alone is not enough. You must host this file at: https://mta-sts.example.com/.well-known/mta-sts.txt

Requirements: valid public TLS certificate, reachable without auth, correct hostname mta-sts.<domain>.

version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800

Replace mx: lines to match your real MX hostnames (often your mail gateway). Use mode: testing first if you want a safer rollout.
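
An added example (not code from this tool): it parses a policy file like the one above and checks that every real MX hostname is covered by an mx: line, including the rule that a wildcard matches exactly one left-most label. The function names and the sample MX hostnames in the test data are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names, constructed sample data.

// Parse the "key: value" lines of an MTA-STS policy body (RFC 8461).
function parseMtaStsPolicy(text) {
  const policy = { version: null, mode: null, max_age: null, mx: [] };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const idx = line.indexOf(":");
    if (idx < 0) continue; // blank or malformed line
    const key = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (key === "mx") policy.mx.push(value.toLowerCase());
    else if (key === "max_age") policy.max_age = /^\d+$/.test(value) ? Number(value) : NaN;
    else if (key === "version" || key === "mode") policy[key] = value;
  }
  return policy;
}

// "*.example.com" covers exactly one extra left-most label:
// it matches mail.example.com, but not example.com or a.b.example.com.
function mxMatches(pattern, host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  if (!pattern.startsWith("*.")) return pattern === h;
  const dot = h.indexOf(".");
  return dot > 0 && h.slice(dot + 1) === pattern.slice(2);
}

// Return a list of problems; an empty list means policy and MX set agree.
function checkPolicy(text, mxHosts) {
  const p = parseMtaStsPolicy(text);
  const problems = [];
  if (p.version !== "STSv1") problems.push("version must be STSv1");
  if (!["enforce", "testing", "none"].includes(p.mode)) problems.push("invalid mode");
  if (!Number.isInteger(p.max_age) || p.max_age > 31557600) problems.push("invalid max_age");
  if (p.mode !== "none" && p.mx.length === 0) problems.push("no mx patterns");
  for (const host of mxHosts) {
    if (!p.mx.some((pat) => mxMatches(pat, host))) problems.push(`MX not covered: ${host}`);
  }
  return problems;
}

// Constructed sample: the Microsoft 365 style policy shown on this page.
const SAMPLE_POLICY = [
  "version: STSv1", "mode: enforce",
  "mx: *.mail.protection.outlook.com", "max_age: 604800",
].join("\n");
```

An MX host reported as not covered while the policy is in mode: enforce means senders that honour MTA-STS will refuse to deliver to that host, which is why the check is worth running before leaving mode: testing.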

Summary

Includes a strictness score based on common best practices.


Findings

Raw DNS / HTTP results

DNS is queried using DoH (Cloudflare) from your browser. MTA-STS/BIMI URLs are fetched via HTTPS.



          

Note: This tool reads publicly available DNS records only. DKIM verification still requires validating a signed message; this report validates record presence, structure and common best-practice posture only.

Disclaimer: Security results are provided for informational and advisory purposes only and do not guarantee protection against phishing, spoofing, or email-based attacks.


Need help improving your Microsoft 365 email security, compliance, or migration strategy? Visit mutega.se.

© MUTEGA AB 2016 – All rights reserved.