Scan Domain

The domain in your RFC5322.From address. For subdomains like alerts.example.com, enter the full subdomain.

DKIM selector record format: <selector>._domainkey.<domain>. Leave blank to try common selectors.

What do these checks mean?
SPF — Defines which mail servers may send for your domain. Best practice: one record, ending in -all (or ~all during rollout). Stay within the 10 DNS-lookup limit.
DKIM — Cryptographically signs outbound mail. The public key is published in DNS; receivers verify the signature. This tool checks record presence and structure (not live message signing).
DMARC — Policy + reporting layer over SPF/DKIM alignment. p=none = monitor; quarantine/reject = enforce. rua= enables aggregate reports.
MX — Identifies inbound mail exchangers for the domain. May be intentionally absent for send-only domains.
MTA-STS — Enforces TLS for inbound mail delivery to your MX. Requires a TXT record at _mta-sts and an HTTPS policy file.
TLS-RPT — Enables reporting of SMTP TLS delivery failures via _smtp._tls. Useful for diagnosing STARTTLS issues.
BIMI — Displays your brand logo in supporting mail clients. Requires DMARC enforcement plus a compliant HTTPS SVG and often a VMC.
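The SPF and DMARC points above (one SPF record, an -all or ~all ending, the 10-lookup limit, p= and rua=) written as structural checks over TXT strings that have already been fetched. This is an added example, not the scanner's own code; the function names, finding messages and sample records are constructed for illustration.

```javascript
// Added example: structural checks on TXT records already fetched from DNS.
// Function names and finding strings are illustrative, not the tool's own.

// SPF terms that each cost one DNS lookup (RFC 7208, section 4.6.4).
const LOOKUP_TERMS = /^[+\-~?]?(include|a|mx|ptr|exists)(?=[:\/]|$)|^redirect=/i;

function checkSpf(txtRecords) {
  const findings = [];
  const spf = txtRecords.filter((r) => /^v=spf1(\s|$)/i.test(r));
  if (spf.length === 0) return ["no SPF record"];
  if (spf.length > 1) return ["multiple v=spf1 records (SPF permerror)"];
  const terms = spf[0].trim().split(/\s+/).slice(1);
  // Counts this record only; nested includes add more lookups at evaluation time.
  const lookups = terms.filter((t) => LOOKUP_TERMS.test(t)).length;
  if (lookups > 10) findings.push(`${lookups} lookup terms exceed the limit of 10`);
  const last = (terms[terms.length - 1] || "").toLowerCase();
  const hasRedirect = terms.some((t) => /^redirect=/i.test(t));
  if (last === "~all") findings.push("ends ~all (softfail, rollout setting)");
  else if (last !== "-all" && !hasRedirect) findings.push("does not end in -all or ~all");
  return findings;
}

function checkDmarc(txtRecords) {
  const recs = txtRecords.filter((r) => /^v=DMARC1\s*(;|$)/.test(r));
  if (recs.length !== 1) return [recs.length ? "multiple DMARC records" : "no DMARC record"];
  const tags = {};
  for (const part of recs[0].split(";")) {
    const i = part.indexOf("=");
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  const findings = [];
  const p = (tags.p || "").toLowerCase();
  if (!["none", "quarantine", "reject"].includes(p)) findings.push("missing or invalid p= tag");
  else if (p === "none") findings.push("p=none (monitor only, not enforcing)");
  if (!tags.rua) findings.push("no rua= (aggregate reports disabled)");
  return findings;
}

// Constructed sample records: a clean SPF record and a monitor-only DMARC record.
const SAMPLE_SPF = ["v=spf1 include:spf.protection.outlook.com -all"];
const SAMPLE_DMARC = ["v=DMARC1; p=none; adkim=s; aspf=s; pct=100"];
console.log(checkSpf(SAMPLE_SPF), checkDmarc(SAMPLE_DMARC));
```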
Microsoft 365 email security best practices
Authentication Layer
SPF (single record, -all qualifier):
v=spf1 include:spf.protection.outlook.com -all
DMARC (target; start with p=none, progress to reject):
v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=s; pct=100
Transport Security
MTA-STS policy file content:
version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800
DKIM: enable in M365 admin, use 2048-bit keys with selector rotation. TLS-RPT: add v=TLSRPTv1; rua=mailto:[email protected] at _smtp._tls.
How do I add these records to DNS?
Important: Many DNS panels automatically append your domain to the host/name field. Enter only the label (e.g. _mta-sts, not _mta-sts.example.com). One SPF record only — multiple TXT v=spf1 records break SPF.
Control Type Name / Host Value (example) TTL Notes
MTA-STS also requires an HTTPS policy file hosted at: https://mta-sts.example.com/.well-known/mta-sts.txt. Requires a valid public TLS cert and no authentication.


DNS queries use Cloudflare DoH from your browser. MTA-STS/BIMI URLs are fetched via HTTPS.


          

Note: This tool reads publicly available DNS records only. DKIM verification requires validating a signed message; this report checks record presence and structure only.

Disclaimer: Results are for informational purposes only and do not guarantee protection against phishing, spoofing, or email-based attacks.

Need help with Microsoft 365 email security, compliance, or migrations? Visit mutega.se

© MUTEGA AB 2016 – All rights reserved.