43 checks. 100-point score. Every control mapped to a published standard. This page explains exactly what we measure, how we weight it, and what the score means for your inbox placement.
Scores are expressed as a percentage (0–100) and mapped to a letter grade. The grade reflects the overall health of your email infrastructure — not just one or two checks.
Every major control is correctly configured and enforced. DMARC is at p=reject, authentication is fully aligned, reputation is clean, and compliance signals are present. This is the standard for organizations that treat email infrastructure as a security asset.
Core authentication is in place and enforced. Minor gaps may exist in lower-tier controls (DANE, BIMI, IPv6) that do not affect current deliverability. The primary risk at this level is configuration drift — records change, and most organizations have no one watching.
A solid foundation with measurable gaps. DMARC may be present but not enforced (p=none), or SPF/DKIM may have alignment issues. At this level, a meaningful share of outbound email is likely landing in spam at enterprise gateways — not all of it, but enough to matter.
Multiple critical controls are missing or misconfigured. Inbox placement is unreliable. Enterprise security gateways are likely filtering a significant share of outbound mail. The issues at this level are fixable — most take under an hour — but they require deliberate action.
Critical infrastructure gaps are almost certainly causing inbox placement failures right now. Blacklist listings, missing DMARC, or absent PTR records at this level are not theoretical risks — they are active delivery problems.
The domain has fundamental email infrastructure failures. Email from this domain is being rejected or silently discarded by most enterprise mail systems. Immediate remediation is required.
How the score is calculated — and what it does and does not measure.
Tiered Weighting
Not all checks carry equal weight. Controls are classified as High, Medium, or Low impact based on their documented effect on inbox placement and deliverability. High-impact controls (DMARC enforcement, blacklist status, PTR records) have a substantially larger effect on the final score than Low-impact controls (IPv6, OCSP stapling).
Standards-Based, Not Opinion-Based
Every control this tool measures is a documented requirement in at least one major cybersecurity framework: CISA BOD 18-01, NIST SP 800-177, CIS Controls v8, PCI DSS v4.0, ISO 27001:2022, NIST CSF 2.0, FedRAMP, or SOC 2. The score reflects alignment with published standards — not our preferences.
Live DNS Resolution
Every scan queries DNS in real time. Results reflect your current configuration at the moment of the scan — not a cached snapshot. This means a score can change between scans if DNS records are updated, TTLs expire, or blacklist listings change.
Partial Credit for Partial Compliance
Some controls award partial credit for partial compliance. DMARC at p=none scores lower than p=quarantine, which scores lower than p=reject — because enforcement level is what actually stops spoofing. SPF with too many lookups scores lower than a clean, flattened record.
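As an added example (not the tool's own code; the page publishes neither its weights nor its implementation), the Python sketch below shows how tiered weighting and partial credit combine: DMARC credit steps with the enforcement level, SPF credit drops once the record exceeds the 10-lookup limit of RFC 7208, and each check's credit is multiplied by a tier weight. The tier weights, the 0.6/0.2/0.3 credit values and SPF's placement in the Medium tier are assumptions, and the DNS records are constructed rather than resolved live.

```python
import re
# Illustrative tier weights: the page states that the real per-check weights are not published.
TIER_WEIGHT = {"high": 10, "medium": 5, "low": 2}

def dmarc_credit(txt: str) -> float:
    """Partial credit by enforcement level (assumed values); a missing or malformed record earns 0."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return 0.0
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    policy = tags.get("p", "").strip().lower()
    return {"reject": 1.0, "quarantine": 0.6, "none": 0.2}.get(policy, 0.0)

def spf_lookup_count(txt: str) -> int:
    """Count terms that trigger a DNS lookup; RFC 7208 section 4.6.4 caps these at 10."""
    count = 0
    for term in txt.split()[1:]:  # skip the v=spf1 version tag
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), 1)[0]
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            count += 1
    return count

def spf_credit(txt: str) -> float:
    """Full credit within the lookup limit; reduced (assumed 0.3) above it, since receivers return permerror."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return 0.0
    return 1.0 if spf_lookup_count(txt) <= 10 else 0.3

def weighted_score(checks) -> float:
    """checks: (tier, credit) pairs. Earned weight over possible weight as a 0-100 percentage."""
    earned = sum(TIER_WEIGHT[tier] * credit for tier, credit in checks)
    possible = sum(TIER_WEIGHT[tier] for tier, _ in checks)
    return round(100 * earned / possible, 1)

def domain_score(dmarc_txt, spf_txt, blacklisted, has_ptr, has_ipv6) -> float:
    """Five checks: DMARC, blacklist and PTR are High and IPv6 Low per the page; SPF is
    placed in Medium here as an assumption."""
    return weighted_score([
        ("high", dmarc_credit(dmarc_txt)),
        ("high", 0.0 if blacklisted else 1.0),
        ("high", 1.0 if has_ptr else 0.0),
        ("medium", spf_credit(spf_txt)),
        ("low", 1.0 if has_ipv6 else 0.0),
    ])

# Constructed sample records (example.com / example.net are reserved documentation names).
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SPF_CLEAN = "v=spf1 ip4:192.0.2.0/24 -all"
SPF_BLOATED = "v=spf1 " + " ".join(f"include:_spf{i}.example.net" for i in range(12)) + " ~all"
```

With these assumed weights, a domain at p=reject with a clean SPF record but no IPv6 scores 94.6, while the same domain at p=none with twelve SPF includes drops to 63.5, which is the kind of gap the Partial Credit rule is meant to expose.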
Score vs. Deliverability
A high score means your infrastructure is correctly configured and ready to support strong deliverability. It does not guarantee inbox placement for every message — that also depends on list hygiene, engagement rates, content, and sending volume. The score measures the infrastructure layer that most organizations get wrong.
What We Do Not Publish
Exact numeric weights per check are not published. This prevents gaming the score by optimizing for the metric rather than the underlying security posture. The tier classification (High / Medium / Low) is disclosed for every check so you can prioritize remediation correctly.
Impact Tiers
High impact: Directly controls whether email is accepted or filtered. Failures here cause measurable inbox placement losses.
Medium impact: Affects deliverability indirectly or affects specific receiver environments. Gaps here accumulate over time.
Low impact: Forward-compatibility or niche-receiver signals. Important for completeness but not the first priority.
Organized by category. Each check shows its impact tier and, where relevant, a note explaining what the check actually measures and why it matters.
The foundational layer. These records tell receiving mail servers whether your domain is authorized to send email and whether messages have been tampered with in transit. Google and Yahoo's bulk sender requirements mandate enforcement here.
Reputation signals are evaluated by inbox providers before content is even considered. A domain on a major blacklist will be rejected or silently filtered regardless of authentication. These checks are weighted heavily because they reflect real-world sending history.
Infrastructure checks cover the DNS records that receiving servers use to validate your sending setup. A missing PTR record or misconfigured MX is one of the most common causes of enterprise gateway rejection — and one of the most overlooked.
These checks reflect the signals that inbox providers use to decide where email lands — beyond authentication. They cover compliance requirements (CAN-SPAM, GDPR), list hygiene signals, and the web infrastructure that URL reputation scanners evaluate when links appear in your emails.
Every control this tool measures is a documented requirement in at least one major cybersecurity framework. A strong score is audit-ready evidence. A weak score is a documented finding.
CISA BOD 18-01
DMARC p=reject mandated for all U.S. federal agencies
NIST SP 800-177
The only NIST publication written entirely about email security
CIS Controls v8
Safeguard 9.5 makes DMARC a required control
PCI DSS v4.0
Requirement 5.4 names DMARC as a required anti-phishing control
ISO 27001:2022
Annex A Controls 8.23 and 5.14 map to email authentication
NIST CSF 2.0
DMARC and SPF enforcement map to the PROTECT function
FedRAMP
Required for cloud services used by U.S. federal agencies
SOC 2
Auditors request DMARC, SPF, and DKIM records as evidence under the Security trust services criteria
The scan runs 43 checks in under 30 seconds. No account required. Results are immediate and include exact DNS records to copy and paste.