MailCheck DMARC Analyzer Blog Help

Help & User Guide

Step-by-step guides for xteam's free email security tools.

MailCheck

MailCheck runs up to 13 simultaneous checks on a domain's email security configuration — instantly, with no account required.

How to run a check

  1. Go to /tools/mailcheck
  2. Type your domain name (e.g. yourbusiness.co.nz) — no http:// or www needed
  3. Optionally add a custom DKIM selector if you know it (e.g. google, selector1)
  4. Choose which checks to run using the check group panels, then click Run checks
  5. Results appear as each check completes — no need to wait for all of them

What each check covers

Check What it looks for Why it matters
MX Records Mail server hostnames and their IPs Without MX records, no one can send email to your domain
SPF v=spf1 TXT record — which servers are allowed to send as you Prevents unauthorised servers from sending email pretending to be your domain
SPF Chain Follows all include: directives to check lookup count More than 10 DNS lookups causes SPF permerror, breaking authentication
DMARC v=DMARC1 policy record — what to do with failing mail Tells receiving servers to quarantine or reject mail that fails SPF and DKIM
DKIM Public key TXT records for common and detected selectors Cryptographic signature proving email was not tampered with in transit
BIMI Brand logo record for Gmail/Apple Mail inbox display Shows your verified logo in email clients — requires p=quarantine or reject DMARC
MTA-STS Policy file mandating TLS on inbound connections Prevents downgrade attacks — forces senders to use TLS to your mail server
DANE/TLSA TLS certificate fingerprint pinned in DNS Advanced TLS validation — pins your mail server certificate to DNS
Blacklists IP checked against 15+ RBL spam databases Being listed blocks your outbound mail at many receiving servers
SMTP Connects to MX hosts and checks TLS version/cert Verifies your mail server accepts connections and has a valid certificate
Open Relay Attempts to relay mail through your server Open relays are immediately exploited by spammers — critical to fix
WHOIS Domain registration and expiry information Expired domains are seized — check your renewal dates
IP Reputation Checks MX IPs against abuse databases Shared hosting IPs often carry bad reputation from previous tenants

Score and grades

Each check contributes to an overall security score out of 100:

A
90–100 points
B
75–89 points
C
55–74 points
D
35–54 points
F
0–34 points
Export to PDF

After running a full check, use the Export PDF button to download a printable report — useful for sharing with your IT team or provider.

DMARC Report Analyzer

Mail providers such as Gmail, Outlook, and Yahoo send you daily DMARC aggregate reports showing who sent email on behalf of your domain and whether it passed authentication. This tool parses those reports and turns the raw XML into an actionable summary.

How to analyze a report

  1. Go to /tools/dmarc-analyzer
  2. Drag and drop your report file onto the upload zone, or click to browse
  3. Optionally enter your email address to receive a copy of the results
  4. Click Analyze Report — results appear in a few seconds
Your data is not stored

Reports are processed in memory and immediately discarded. Nothing is saved to our servers.

Accepted file formats

  • .xml — plain aggregate report XML (RFC 7489)
  • .xml.gz — gzip-compressed XML (most providers — Gmail, Outlook, Yahoo)
  • .zip — ZIP archive containing an XML file

Maximum file size: 5 MB. You do not need to decompress the file first — the tool handles it automatically.

What the results show

Pass rate

Percentage of messages that passed DMARC — either SPF or DKIM aligned. Aim for 95%+ before tightening policy.

Sending sources

Every IP address that sent email using your domain, grouped by provider (Google, Outlook, SendGrid, etc.), with individual pass/fail counts for DKIM and SPF.

Recommendations

Prioritised action items based on your report data and live DNS settings — from policy upgrade readiness to specific failing sources that need investigation.

Live DNS records

Your current SPF and DMARC records fetched at analysis time, so you can compare them against what the report shows.

Reading your results

Status indicators

● Pass / Good Configuration is correct and well-configured.
● Warning Works, but could be improved for better security or deliverability.
● Fail / Missing A significant issue that is likely affecting your email deliverability or security.

Where to start fixing issues

  1. Fix any Fail items first — missing SPF, no DMARC, open relay, or blacklist listings have the most impact on deliverability
  2. Then address Warnings — softfail SPF (~all), DMARC at p=none, or pct < 100 leave you partially exposed
  3. Work toward p=reject — the DMARC policy progression is: p=nonep=quarantinep=reject. Aim for reject once your pass rate consistently exceeds 95%
  4. Share the PDF report with your email provider or IT team — they can implement most fixes in under an hour

Finding your DMARC reports

DMARC aggregate reports are emailed to the address in your rua= tag daily. If you haven't set up a rua= address yet, you won't receive reports — add one to your DMARC record first.

Check your current DMARC record

Run a MailCheck scan for your domain and look at the DMARC result. Your record should look something like:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.co.nz; pct=100

If your record has no rua= tag, add one. The email address can be your own inbox or a dedicated mailbox.

Where reports arrive

Reports arrive as email attachments from major mail providers — typically daily, covering the previous 24-hour UTC period:

  • Gmail/Google — from noreply-dmarc-support@google.com, attached as .xml.gz
  • Microsoft/Outlook — from dmarcreport@microsoft.com, attached as .xml.gz or .zip
  • Yahoo — from postmaster@yahoo.com, attached as .xml.gz
  • Others — various senders, always XML attachments

Save the attachment to your computer, then upload it to the DMARC Analyzer.

Tip: start with a Google report

Google sends reports daily and covers a high volume of email — it's usually the most informative report to start with.

Glossary

SPF (Sender Policy Framework)

A DNS TXT record listing which mail servers are authorised to send email for your domain. Receiving servers check this to detect spoofing.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

A DNS policy record that tells receiving servers what to do with mail that fails SPF and/or DKIM — none (monitor), quarantine (spam folder), or reject. Also enables aggregate reports.

DKIM (DomainKeys Identified Mail)

A cryptographic signature added to outgoing email by your mail server, verified by the recipient using a public key published in DNS. Proves the email was not altered in transit.

BIMI (Brand Indicators for Message Identification)

A DNS record pointing to your verified brand logo. Gmail and Apple Mail display the logo in the inbox if your DMARC policy is quarantine or reject and you hold a VMC certificate.

MTA-STS (Mail Transfer Agent Strict Transport Security)

A policy file hosted at https://mta-sts.yourdomain.co.nz/.well-known/mta-sts.txt that forces sending servers to use TLS when delivering to you — prevents downgrade attacks.

DANE (DNS-Based Authentication of Named Entities)

Advanced certificate pinning using TLSA records in DNS — pins your mail server certificate directly so it cannot be substituted by a rogue CA.

SPF Alignment

For DMARC to pass via SPF, the RFC5321 envelope-from domain must match (or be a subdomain of) the From: header domain.

DKIM Alignment

For DMARC to pass via DKIM, the DKIM d= signing domain must match (or be a subdomain of) the From: header domain.

p=none

DMARC monitoring mode — reports are collected but failing mail is not filtered. Use this to understand your traffic before enforcing.

p=quarantine

Failing mail is sent to the spam/junk folder. A good intermediate step.

p=reject

Failing mail is rejected outright. Maximum protection — only safe once your pass rate is consistently high.

pct

The percentage of mail the DMARC policy is applied to. Start at a low value (e.g. pct=10) when tightening policy, then increase toward 100.

rua

The email address that receives DMARC aggregate reports. Add rua=mailto:youraddress to start receiving daily reports.

RBL (Real-time Blackhole List)

A database of IP addresses known to send spam. Mail servers check these lists before accepting email — if your IP is listed, delivery is blocked.

FAQ

Is this really free?
Yes — MailCheck and the DMARC Analyzer are completely free with no account, no rate limit for normal use, and no data stored.
Do you store my domain or report data?
MailCheck results are never saved. DMARC reports are processed in memory and discarded immediately — nothing is written to disk or database.
My domain gets an F score — will my email stop working?
Not immediately, but a low score means your email is more likely to be marked as spam or rejected by receiving servers. Fix Fail items first, then work through Warnings.
What is a DKIM selector?
A selector is a label that identifies which DKIM key a mail provider uses. Common selectors include google, selector1, selector2, k1, and s1. Check your email provider documentation, or look for DKIM-Signature: headers in an email you sent.
My SPF record has too many lookups — what do I do?
Each include: directive counts as one DNS lookup; SPF has a hard limit of 10. Use an SPF flattening service (such as dmarcian or Valimail) or consolidate your include chains to reduce the count.
I set up DMARC but my pass rate is low — why?
Common causes: a legitimate sending service (e.g. newsletter tool, CRM, helpdesk) is not included in your SPF record and has no DKIM set up. Check the Sending Sources table in the DMARC Analyzer to identify which IPs are failing.
How long does it take for DNS changes to take effect?
DNS changes typically propagate within 5–30 minutes for most resolvers, but your TTL (time-to-live) setting can delay this up to 24–48 hours for cached records. Set a low TTL (300 seconds) before making changes.
What file format does the DMARC Analyzer accept?
It accepts .xml (plain XML), .xml.gz (gzip-compressed), and .zip (ZIP archive). You do not need to decompress the file — it is handled automatically.
Can I use these tools for clients if I am an IT provider?
Yes. All tools are publicly accessible. The PDF export from MailCheck is useful for delivering reports to clients.

Ready to check your domain?

Run a free scan in under 30 seconds — no account needed.

Run MailCheck Analyze DMARC Report