3,932 Australian domains analysed. Most fail basic email authentication. [2026 Report]

Domain Health Checker

Comprehensive email security audit: SPF, DKIM, DMARC, MTA-STS, BIMI, and more

What gets checked?

SPFRecord presence, policy strength, lookup count
DMARCPolicy level, reporting config, percentage
DKIMCommon selectors (google, default, s1, etc.)
MXMail server records
MTA-STSTLS enforcement policy
BIMIBrand logo in email clients

Scoring

SPF: 25 points
DMARC: 30 points
DKIM: 20 points
MX: 10 points
MTA-STS: 10 points
BIMI: 5 points
Total: 100 points

Want automated management?

DMARC Busta's Autopilot manages SPF, DKIM, and DMARC automatically with AI-powered decisions.

Get Started Free

What Makes a Domain Healthy for Email?

A layered defence where each protocol handles a different aspect of email security

A healthy domain is one where all email authentication protocols work together to protect your organisation from spoofing, phishing, and deliverability problems. Think of it as a layered defence: each protocol handles a different aspect of email security, and gaps in any layer leave your domain vulnerable.

SPF (Sender Policy Framework) defines which mail servers are authorised to send email on behalf of your domain. DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving servers what to do when authentication fails and provides reporting so you can monitor abuse. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing messages, proving they have not been tampered with in transit.

Beyond these three core protocols, MX records ensure mail is routed to the correct servers, MTA-STS enforces encrypted connections between mail servers, and BIMI allows your brand logo to appear in supported email clients. A truly healthy domain has all of these configured correctly and working in harmony.

Our Domain Health Checker evaluates each of these protocols and produces a single score and grade, giving you a clear picture of where your domain stands and what needs attention.

Example Health Report
SPF Pass
DKIM Pass
DMARC Fail
MX Pass
MTA-STS Missing
Score 65/100 C

Six Protocols Checked

1
SPF — authorised sending servers
2
DKIM — cryptographic message signing
3
DMARC — policy and reporting
4
MX, MTA-STS, and BIMI

What This Tool Checks

A comprehensive audit of six email authentication protocols in a single scan

SPF Record Presence & Validity

Verifies that your domain publishes a valid SPF record and checks for common issues such as exceeding the 10 DNS lookup limit or using overly permissive policies.

DMARC Policy Strength

Evaluates whether your DMARC record exists, its policy level (none, quarantine, or reject), reporting configuration, and percentage coverage.

DKIM Configuration

Scans common DKIM selectors to confirm that your domain has active signing keys published in DNS, ensuring outbound messages can be verified.

MX, MTA-STS & BIMI

Confirms that MX records are present and correctly prioritised, checks for MTA-STS TLS enforcement policies, and validates BIMI brand logo records.

How to Improve Your Domain Score

Actionable fixes for the most common issues that lower your health grade

Missing DMARC Record

If your domain has no DMARC record, you are missing out on both protection and visibility. Fix: Start with a monitoring policy (p=none) to receive reports on who is sending email using your domain, then progressively tighten enforcement as you gain confidence in your authorised senders. Use our DMARC Generator to create your record.

Weak DMARC Policy

A DMARC policy of none provides reporting but does not instruct receivers to block unauthorised email. Fix: Progress through quarantine to reject over time. This gradual approach ensures legitimate mail is not disrupted while you close security gaps.

SPF Configuration Issues

Common SPF problems include exceeding the 10 DNS lookup limit, using overly permissive mechanisms like +all, or missing authorised sending services. Fix: Review your SPF record with our SPF Checker to ensure it accurately reflects all services that send email on your behalf.

No DKIM Signing

Without DKIM, your messages lack cryptographic proof of authenticity. Fix: Most email providers and third-party services offer DKIM signing — check with each service for their specific setup instructions. Use our DKIM Generator to create your signing keys. Once configured, DKIM significantly improves both security and deliverability.

Automate this: Managing all these protocols across multiple domains can be complex. DMARC Busta's Autopilot feature handles progressive DMARC enforcement, SPF source management, and DKIM monitoring automatically.

Frequently Asked Questions

What is domain health?
Domain health is an overall assessment of your email authentication configuration. It evaluates whether your domain has properly configured SPF, DKIM, DMARC, MX, MTA-STS, and BIMI records. A high domain health score indicates that your email infrastructure is well-protected against spoofing and phishing, and that your legitimate emails are more likely to be delivered successfully.
How do I improve my domain score?
Start by configuring all three core authentication protocols: SPF, DKIM, and DMARC. Ensure your SPF record includes all authorised sending services and stays within the 10 DNS lookup limit. Publish DKIM keys for each service that sends email on your behalf. Then progressively strengthen your DMARC policy from none to quarantine and eventually to reject. Adding MTA-STS and BIMI will further boost your score.
Does domain health affect email deliverability?
Yes. Major email providers such as Google, Microsoft, and Yahoo actively check authentication records when deciding whether to deliver, quarantine, or reject incoming messages. Domains with strong authentication are more likely to reach the inbox, while domains with missing or misconfigured records face higher rates of spam filtering and rejection.
What's the difference between domain health and DMARC?
DMARC is one component of domain health. While DMARC focuses specifically on email authentication policy and reporting, domain health encompasses all protocols that contribute to email security and deliverability — including SPF, DKIM, MX records, MTA-STS, and BIMI. A domain can have a valid DMARC record but still score poorly if other protocols are misconfigured.

Related Tools

More free tools to secure your email authentication

Domain Scanner

Full domain security scan across all protocols.

SPF Checker

Validate SPF records and count DNS lookups.

DMARC Generator

Generate a DMARC policy to protect against spoofing.

Header Analyser

Analyse email headers for authentication results.

Monitor Domain Health Across All Your Domains

DMARC Busta continuously monitors SPF, DKIM, and DMARC for every domain you manage — with AI-powered recommendations and automated fixes.

Start Monitoring Free