Email Diagnostics
Free Email Deliverability & Security Audit (SPF, DKIM, DMARC, BIMI, MTA-STS)
A comprehensive automated audit of your domain's email infrastructure - MX, SPF, DKIM (across 25+ ESP selectors), DMARC, BIMI / VMC, MTA-STS, TLS-RPT, DNSSEC, ARC, PTR / rDNS, and 25+ major RBLs. You get a deliverability health score, a sender-requirements compliance check (Google, Yahoo, Microsoft Outlook, and Apple iCloud Mail), and copy-pasteable DNS fixes - in minutes.
- Validates MX, PTR / rDNS, DNSSEC, SPF (10-DNS-lookup audit), DKIM across 25+ ESP selectors, DMARC, BIMI / VMC, ARC, MTA-STS, TLS-RPT, and TLS 1.2 / 1.3
- Cross-references 25+ major RBLs - Spamhaus ZEN, Barracuda BRBL, SpamCop, SORBS, SURBL, URIBL, CBL, Sender Score - plus the MXToolbox set
- Aligned with the Google and Yahoo (2024) and Microsoft Outlook (2025) sender requirements, plus Apple iCloud Mail guidance - a first run typically surfaces 4-8 deliverability-critical gaps
- No sign-up required for DNS results
- Multi-resolver authoritative lookups
- Google, Yahoo & Microsoft sender check
- Copy-pasteable DNS record fixes
Supported Platforms
What We Audit Across Your Email Infrastructure
Six checks across MX / DNSSEC, SPF, DKIM, DMARC / BIMI / ARC, MTA-STS / TLS-RPT, and 25+ RBLs - aligned with the Google and Yahoo (2024) and Microsoft Outlook (2025) sender requirements, plus Apple iCloud Mail guidance.
MX, PTR / rDNS & DNSSEC Validation
Verifies mail-exchange records and routing, validates PTR / reverse DNS for every sending IP (a hard requirement for Gmail, Yahoo, and Microsoft inboxing), and confirms DNSSEC chain validity. Detects misrouted MX, missing PTR, residential IP space, and DNSSEC gaps.
SPF Policy & 10-DNS-Lookup-Limit Audit
Validates your SPF record authorises every legitimate sender (Google Workspace, Microsoft 365, Amazon SES, SendGrid, Mailgun, Postmark, Mailchimp, Klaviyo, HubSpot, Salesforce), checks syntax, void lookups, the SPF 10-DNS-lookup limit (RFC 7208 §4.6.4), and recommends ~all → -all hardening.
DKIM Discovery Across 25+ ESP Selectors
Detects DKIM signing keys across 25+ common selectors - Google Workspace, Microsoft 365, Amazon SES, SendGrid, Mailgun, Postmark, Mailchimp, Klaviyo, HubSpot, Salesforce, Zendesk, Resend, Brevo, ConvertKit, Iterable, Braze, Marketo, Pardot, Zoho. Validates key length (2048-bit recommended), p= field, and revocation.
DMARC, BIMI, ARC & List-Unsubscribe Enforcement
Assesses DMARC policy alignment (relaxed vs strict, sp=), quarantine / reject enforcement, rua / ruf reporting, BIMI with VMC / CMC certificate validation (the Apple / Gmail / Yahoo branded-sender prerequisite), ARC for forwarded mail, and one-click list-unsubscribe (RFC 8058).
MTA-STS, TLS-RPT & TLS Inbound Encryption
Validates MTA-STS policy (mode=enforce vs testing), TLS-RPT reporting endpoint, and confirms inbound MX servers negotiate TLS 1.2 or 1.3 with valid certificates. Identifies expired certs, weak ciphers, and missing STS files that silently drop deliverability.
Blacklist Monitoring (25+ RBLs) & Sender Reputation
Cross-references your mail-server IPs and sending domain against 25+ major RBLs (Spamhaus ZEN, Barracuda BRBL, SpamCop, SORBS, SURBL, URIBL, Composite Blocking List, Invaluement, Sender Score, MXToolbox set) plus domain-reputation signals. Produces a 0-100 health score and prioritised checklist.
How It Works
Enter Your Domain
Type your domain (e.g. company.com) into the live diagnostics panel - no sign-up required for instant DNS, SPF, DKIM, DMARC, BIMI, MTA-STS, and DNSSEC results across the public DNS surface.
(Optional) Reply to the Verification Email
For full DKIM and ARC analysis, you'll get an email from [email protected] - reply and we read live headers to validate DKIM signatures across every selector you sign with, plus ARC chain integrity. Skip for a DNS-only report.
Automated Multi-Resolver Analysis
We run authoritative DNS lookups across multiple resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1, Quad9, OpenDNS), header parsing, BIMI / VMC certificate validation, MTA-STS file fetch, TLS handshake against your MX, and 25+ RBL cross-referencing - all in parallel.
Receive Your Report
Get a detailed diagnostic report with an overall deliverability health score, the Google, Yahoo, Microsoft Outlook, and Apple iCloud Mail sender-requirements compliance check, copy-pasteable DNS fixes for every finding, and a prioritised remediation checklist.
What You Get
Your report will include the following deliverables.
Find the silent deliverability gap before your next campaign tanks.
Get an instant, free email diagnostics report covering SPF, DKIM, DMARC, BIMI, MTA-STS, ARC, DNSSEC, and 25+ RBLs - aligned with the Google, Yahoo, and Microsoft Outlook sender requirements, plus Apple iCloud Mail guidance. No sign-up required for the DNS layer.
Run My Email AuditHow We Handle Your Domain & Email Headers
An email diagnostics audit must never become a privacy incident. Here is exactly what we read - and what never leaves your environment.
Public DNS & Public RBLs Only
The DNS-layer audit reads only public DNS records (MX, A, AAAA, TXT, SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT, DNSSEC) and queries only public RBL services. We never connect to your mail server beyond the standard MTA-STS / TLS handshake, never attempt authentication, and never read mailboxes.
Email Header Reply - Headers Only, Body Discarded
If you choose the optional verification reply, we read only the email headers (DKIM-Signature, ARC-*, Authentication-Results, Received chain, From, Return-Path) needed to validate DKIM and ARC signatures. The message body is discarded immediately and never logged. Replies from non-matching domains are dropped without analysis.
Auto-Deleted After Report Delivery
As soon as your Email Diagnostics report is delivered, every captured header, every RBL response, and every DNS export is deleted. Only the aggregate, anonymised score is retained for QA - never your domain identifiers, sender IPs, or DKIM key contents.
Frequently Asked Questions
The most common questions we hear from teams running this assessment.
Do I really need DMARC, BIMI, and one-click unsubscribe in 2026?
Yes. The Google and Yahoo bulk-sender requirements that went into force in February 2024, plus Microsoft's high-volume sender requirements for Outlook that began enforcement in May 2025, now make DMARC alignment, one-click list-unsubscribe (RFC 8058), TLS encryption, and a low spam-complaint rate a hard prerequisite for inboxing. Google and Yahoo apply the full bulk-sender rules at 5,000+ messages per day, and Microsoft applies its requirements to high-volume senders to Outlook / Hotmail / Live - while basic SPF, DKIM, and DMARC is now expected of every sender. Apple iCloud Mail's postmaster guidance recommends the same SPF, DKIM, and DMARC foundations. BIMI with a VMC or CMC certificate is the prerequisite for the branded sender icon in Apple Mail, Gmail, and Yahoo. Without these, deliverability silently drops to spam folders without any bounce code.
What is the SPF 10-DNS-lookup limit and why does it matter?
SPF (RFC 7208) caps the number of DNS lookups during evaluation at 10 - if your record exceeds this (very common when stacking Google Workspace, Microsoft 365, SendGrid, Mailgun, HubSpot, Salesforce, Zendesk, and a custom MTA), receivers return permerror and your SPF stops authenticating. The audit counts every include / a / mx / ptr / exists / redirect lookup, recursively, and recommends SPF flattening or sender consolidation when you exceed the limit.
Which DKIM selectors do you check?
25+ common ESP selectors covering Google Workspace (google), Microsoft 365 / Exchange Online (selector1, selector2), Amazon SES (multiple), SendGrid / Twilio (s1, s2), Mailgun (k1, mailo), Postmark (pm), Mailchimp / Mandrill (k1, mte1, mte2), Klaviyo (kl1, kl2, klaviyo), HubSpot (hs1, hs2), Salesforce Marketing Cloud (200608, 200902, scoped), Zendesk (zendesk1, zendesk2), Front, Customer.io, Loops, Resend (resend), Brevo / Sendinblue (mail), ConvertKit / Kit, Iterable, Braze, ActiveCampaign, Drip, Marketo (m1), Pardot, Zoho (zoho), and any custom selectors discovered via header reply.
Will the audit affect my email sending or deliverability?
No. The audit performs read-only DNS lookups, public RBL queries, an MTA-STS file fetch, and a single TLS handshake against your inbound MX servers. It never sends mail from your domain, never authenticates, never reads mailboxes, and produces no detectable load on your infrastructure.
What does the deliverability score actually mean?
A weighted 0-100 score combining authentication strength (SPF / DKIM / DMARC enforcement and alignment), reputation (RBL listings, sender-domain reputation, IP reputation), encryption (MTA-STS, TLS-RPT, TLS 1.2 / 1.3 inbound), brand (BIMI / VMC), forwarding integrity (ARC), and bulk-sender compliance (one-click list-unsubscribe, DMARC enforcement, low spam complaint rate). Anything under 70 is an active deliverability risk; under 50 means meaningful inboxing problems are already happening.
Do you cover Microsoft's new Outlook sender requirements?
Yes. Microsoft's new requirements for high-volume senders to Outlook / Hotmail / Live - announced in April 2025 and enforced from May 2025 - are part of the compliance check. For domains sending more than 5,000 messages a day, Microsoft requires SPF, DKIM, and DMARC (at least p=none, with alignment); non-compliant mail is rejected with a 550 5.7.515 error. We check these alongside the Sender Best Practices for Outlook.com.
Is the report really free, with no sign-up?
The DNS-layer report (MX, PTR, DNSSEC, SPF, DKIM via standard selectors, DMARC, BIMI, MTA-STS, TLS-RPT, RBLs) is free and requires no sign-up. The optional verification reply (which captures live DKIM and ARC headers from a real send) only requires you to reply to the verification email from [email protected] - no account, no credit card, no commitment.
Register for Your Free Email Diagnostics
Fill out the form below and our team will get back to you within 2 business days.
You Might Also Be Interested In
SDLC Security Gates Audit
Free SDLC and software supply chain audit - branch protection, signed commits, SBOM, SLSA provenance, SAST / DAST / SCA, secrets scanning, runner hardening, and AI-coding-agent governance - verified by a senior security engineer and aligned with SLSA, SSDF, and OWASP SAMM.
Cloud IAM & Permissions Audit
Free read-only audit of your AWS, Azure, and GCP IAM - over-permissive roles, stale credentials, privilege escalation paths, OIDC and federated trust, SCPs and permission boundaries - using IAM Access Analyzer, Access Advisor, IAM Recommender, PMapper, Prowler, and ScoutSuite, verified by a senior cloud-security engineer.
Container & Docker Security Audit
Free read-only audit of your Dockerfiles, base images, build pipelines, and registries - combining Trivy, Grype, Hadolint, Dockle, Syft SBOMs, and Cosign signing checks against the CIS Docker Benchmark, NIST SSDF, and SLSA Build levels - verified by a senior security engineer.