MailCheck

SPF · DKIM · DMARC · Blacklists · SMTP · WHOIS · and more

Custom DKIM Selector:

DNS Checks5 of 5

Connectivity2 of 2

Reputation3 of 3

Advanced0 of 3

—

—/100

Health Score

DNS Checks

MX Records—

What: MX records tell the internet which servers accept email for your domain.

Why: Without correct MX records, nobody can send you email.

SPF—

What: SPF lists which servers are authorised to send email from your domain.

Why: Prevents spammers forging your domain. A strict -all policy means unauthorised senders are rejected.

Record Generator

Mail server IP or hostname

Include provider

Policy

SPF Include Chain—

What: Recursively expands all include: directives to show every authorised IP address.

Why: SPF has a hard limit of 10 DNS lookups. Exceeding it causes a permerror and email may be rejected.

DMARC—

What: DMARC ties SPF and DKIM together and tells receivers what to do when email fails authentication.

Why: Without DMARC reject, anyone can send email appearing to be from your domain.

Record Generator

Policy

Aggregate report email (rua)

Forensic report email (ruf) — optional

Percentage

DKIM—

What: DKIM adds a cryptographic signature to outgoing email so recipients can verify it hasn't been altered.

Why: Required for DMARC alignment.

Connectivity

SMTP Connection Tests—

What: Tests live TCP connections on ports 25, 587 and 465.

Why: STARTTLS encrypts mail in transit. Servers without TLS expose content.

Open Relay & Catch-All—

Open Relay: Tests whether your server forwards email to arbitrary external addresses.

Catch-All: Tests whether the server accepts email to any address at your domain.

Reputation

Blacklists (RBL)—

What: Real-time Blackhole Lists — databases of IPs known to send spam. Checks 24+ RBLs.

Why: A listing causes email to be dropped or spam-foldered at major providers.

Domain Info (WHOIS)—

What: Registration data — age, registrar, expiry, DNSSEC and status flags.

Why: New domains are penalised by spam filters. Expired domains stop delivering email.

IP Reputation—

What: Organisation, ASN, ISP, city and proxy/hosting detection for each MX server IP.

Why: Confirms mail is sent from expected infrastructure.

AdvancedOptional

BIMI—

What: BIMI displays your brand logo next to authenticated emails in Gmail and Apple Mail.

Why: Requires DMARC quarantine or reject. A VMC is needed for Gmail.

Record Generator

SVG logo URL (HTTPS)

VMC certificate URL (optional)

MTA-STS & TLS-RPT—

What is MTA-STS? MTA Strict Transport Security forces other mail servers to use TLS when delivering email to you — and to verify your certificate is valid. Without it, a network attacker can strip TLS and read mail in transit.

What is TLS-RPT? TLS Reporting tells sending servers where to email daily reports when TLS negotiation fails. It's how you find out if MTA-STS or DANE is silently blocking delivery.

MTA-STS requires 3 things

DNS TXT record at _mta-sts.yourdomain.com — just a version and policy ID

Policy file served over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt — this subdomain needs a valid TLS certificate

TLS-RPT DNS record at _smtp._tls.yourdomain.com — an email address for failure reports

Policy modes

testing — reports failures but does not block delivery. Start here.

enforce — rejects delivery if TLS or certificate validation fails. Move here once you've confirmed no false positives.

none — policy is effectively disabled. Only useful during rollback.

Policy ID

The policy ID must change every time you update the policy file — senders cache it. Use a datestamp like 20240601120000. If you change the policy without updating the ID, senders will keep using the cached old policy.

More email security guides

Record & File Generator

Policy mode

Policy ID (change this every time you update the policy)

MX hostname (repeat field for multiple MX hosts)

TLS-RPT report email

DANE / TLSA—

What: DANE pins your mail server's TLS certificate in DNS via TLSA records.

Why: Requires DNSSEC. Prevents TLS certificate spoofing on MX servers.

Header Analyser

Trace delivery path · Check authentication · Detect anomalies

BIMI SVG Converter

Convert any SVG or raster PNG/JPG to BIMI-compliant SVG 1.2 Tiny P/S

Upload Logo

Drop your logo here

SVG, PNG, JPG · Max 5 MB

BIMI Requirements

SVG 1.2 Tiny P/S profile

Square viewBox (1:1 ratio)

No scripts or animations

No external references

width/height set to 100%

<title> element present

Converted SVG—