NextlyTools
Security Tools

Email Security Checker

Analyze SPF, DMARC, DKIM, MTA-STS and full anti-spoofing posture for any domain.

Try: gmail.com microsoft.com cloudflare.com
45 F
High risk
SPF
70
DMARC
15
DKIM
20
DNS Sec
50
gmail.com scored 45/100 (F). ⚠ Critical: This domain can be spoofed — DMARC enforcement missing. MTA-STS enforced.
SPF Authentication
70/100
C
  • No "all" mechanism found — SPF record is incomplete
v=spf1 redirect=_spf.google.com
DMARC Policy
15/100
F
  • Policy p=none — monitoring only, no enforcement against spoofing
  • Aggregate reports (rua) configured
p=none pct=100% rua ✓
DKIM Signing
20/100
F
  • No DKIM records found for common selectors
MX & Mail Routing
80/100
B
  • 5 MX record(s) found
  • Priority 5: gmail-smtp-in.l.google.com
  • Priority 10: alt1.gmail-smtp-in.l.google.com
MTA-STS
100/100
Enabled
  • MTA-STS enabled, mode: enforce
  • Policy file accessible
TLS-RPT
100/100
Configured
  • TLS-RPT configured — TLS failure reporting enabled
BIMI Brand
0/100
Optional
  • BIMI not configured (optional — requires p=reject DMARC first)
DNS Security
50/100
F
  • DNSSEC not configured — DNS spoofing possible
  • CAA records configured — certificate issuance restricted

Prioritized recommendations

Critical
Upgrade DMARC from p=none to p=reject
p=none monitors only — it provides zero protection. Attackers can still spoof your domain.
Change p=none → p=quarantine (then → p=reject after verifying email flows)
Critical
Enable DKIM signing
No DKIM keys found. Without DKIM, email cannot be cryptographically verified and DMARC alignment fails.
selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=<2048-bit-public-key>"
Low
Consider BIMI for brand visibility
BIMI displays your logo in Gmail, Yahoo and other clients. Requires p=reject DMARC first.
default._bimi.yourdomain.com TXT "v=BIMI1; l=https://yourdomain.com/logo.svg"