NextlyTools
Security Tools

Email Security Checker

Analyze SPF, DMARC, DKIM, MTA-STS and full anti-spoofing posture for any domain.

Try: gmail.com microsoft.com cloudflare.com
77 C
Moderate risk
SPF
100
DMARC
100
DKIM
45
DNS Sec
100
cloudflare.com scored 77/100 (C). ✓ Strong protection against domain spoofing and BEC attacks. DKIM active on 2 selector(s).
SPF Authentication
100/100
A+
  • SPF record is properly configured
  • SPF uses -all — strong reject policy
v=spf1 ip4:199.15.212.0/22 ip4:173.245.48.0/20 include:_spf.google.com include:spf1.mcsv.net include...
DMARC Policy
100/100
A+
  • Policy p=reject — full spoofing protection active
  • Aggregate reports (rua) configured
p=reject pct=100% rua ✓
DKIM Signing
45/100
F
  • DKIM active with selector(s): k1, s1
  • Selector k1: RSA 1024-bit key — upgrade to 2048-bit
  • Selector s1: RSA 1024-bit key — upgrade to 2048-bit
k1 s1
MX & Mail Routing
80/100
B
  • 4 MX record(s) found
  • Priority 5: mxa-canary.global.inbound.cf-emailsecurity.net
  • Priority 5: mxb-canary.global.inbound.cf-emailsecurity.net
MTA-STS
0/100
Missing
  • MTA-STS not configured — no TLS enforcement for inbound mail
TLS-RPT
0/100
Missing
  • TLS-RPT not configured — add _smtp._tls TXT record
BIMI Brand
100/100
Configured
  • BIMI record found
  • SVG logo URL configured
DNS Security
100/100
A+
  • DNSSEC enabled — DNS tampering protection active
  • CAA records configured — certificate issuance restricted

Prioritized recommendations

Medium
Deploy MTA-STS
MTA-STS enforces TLS for inbound mail delivery, preventing downgrade attacks.
_mta-sts.yourdomain.com TXT "v=STSv1; id=202401010000"
https://mta-sts.yourdomain.com/.well-known/mta-sts.txt:
version: STSv1
mode: enforce
mx: mail.yourdomain.com
max_age: 86400
Low
Enable TLS-RPT reporting
Receive alerts when TLS delivery failures occur on inbound mail.
_smtp._tls.yourdomain.com TXT "v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com"