
Email security — SPF, DKIM, DMARC, BIMI, MTA-STS, DANE

Email is the most-impersonated channel in business. Our email-security module checks every layer of the modern email-authentication stack.

SPF

A TXT record such as v=spf1 include:_spf.google.com ~all lists the hosts and IP ranges allowed to send mail on your behalf. We flag:

  • Missing record — anyone can spoof you.
  • +all or ?all — fail-open and equivalent to no record.
  • More than 10 DNS lookups — RFC limit, breaks SPF for any include past the limit.

DKIM

We probe 14 common selectors (default, google, mail, smtp, dkim, selector1/2, k1, email, mailjet, sendgrid, amazonses, mandrill, postmark) and report:

  • No DKIM signing detected — your mail is unauthenticated.
  • Key length below 2048 bits — being phased out by Google/Microsoft.
  • Selector exposed but no public key — misconfiguration.

DMARC

We parse the _dmarc TXT record and report:

  • Missing — receivers cannot enforce SPF/DKIM results.
  • p=none — monitoring only, no enforcement. Promote to p=quarantine once you confirm legitimate mail passes.
  • p=quarantine / p=reject — enforcement on. Best practice.
  • No rua= or ruf= — no reporting address is published, so you never see the report data.
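The SPF and DMARC findings above can be reproduced offline. This is an added example, not the module's own code: DNS is replaced by a constructed in-memory zone of hypothetical names, and the functions return the finding labels used in the lists above (missing, fail-open, too-many-lookups, monitoring-only, no-reports).

```python
import re
ZONE = {  # constructed sample TXT records (hypothetical names) standing in for DNS
    "example.test": "v=spf1 include:_spf.mailer.test a mx ~all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.0/24 include:_spf.relay.test -all",
    "_spf.relay.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "open.test": "v=spf1 ip4:192.0.2.1 +all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    "_dmarc.open.test": "v=DMARC1; p=reject",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=]([^/\s]+))?(?:/\d+)?$")  # qualifier, name, target

def spf_lookups(domain, zone, depth=0):
    """Count DNS-querying terms, following include: and redirect= recursively."""
    record = zone.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:  # no record, or loop guard
        return 0
    count = 0
    for m in filter(None, map(TERM.match, record.split()[1:])):
        if m.group(2) in LOOKUP_TERMS:
            count += 1
            if m.group(2) in ("include", "redirect") and m.group(3):
                count += spf_lookups(m.group(3), zone, depth + 1)
    return count

def check_spf(domain, zone=ZONE):
    """SPF findings for `domain`: missing, fail-open, too-many-lookups."""
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return ["missing"]
    findings = []
    for m in filter(None, map(TERM.match, record.split()[1:])):
        if m.group(2) == "all" and (m.group(1) or "+") in "+?":  # +all / ?all
            findings.append("fail-open")
    if spf_lookups(domain, zone) > 10:  # RFC 7208 limit
        findings.append("too-many-lookups")
    return findings

def check_dmarc(domain, zone=ZONE):
    """DMARC findings for `domain`: missing, monitoring-only, no-reports."""
    record = zone.get("_dmarc." + domain, "")
    if not record.startswith("v=DMARC1"):
        return ["missing"]
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("monitoring-only")
    if "rua" not in tags and "ruf" not in tags:
        findings.append("no-reports")
    return findings
```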

BIMI

A TXT record at default._bimi.<domain> points to your logo SVG and, optionally, a VMC certificate. Inboxes (Gmail, Yahoo, Apple) display the logo next to your messages, a strong anti-phishing signal.

MTA-STS

A TXT record at _mta-sts.<domain> plus a policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt. Tells sending servers to require TLS when delivering mail to you.

DANE / TLSA

TLSA records in DNS publish the hash of the TLS certificate your receiving servers present, which defends against TLS downgrade attacks.

ARC

Authenticated Received Chain headers, which carry Authentication-Results across forwarding hops; we validate the chain for forwarded mail.

What to do

Almost every email finding has a one-line DNS fix. Our remediation copy includes the exact record to add. Most fixes propagate within an hour of saving.

Frequency

Daily. Email auth is cheap to check and breaks frequently as DNS providers change.