Email Deliverability Check

Analyse your domain’s email authentication, routing, and reputation in one scan.

reuters.com

Email Deliverability

Cached Cached · 1 hr ago · renews in 57 min

Showing a cached result — sign up free for always-live lookups and API access. Create free account →

B 83

reuters.com

Solid email deliverability configuration.

8 passed 2 warnings 0 failed Export PDF

Mail Routing

Verifies that your domain has valid mail server records and that they resolve correctly.

PASS

✓

MX Records Mail server routing

2 MX record(s) found.

MX records define where email for your domain is delivered. Without them, no mail can be received. Multiple MX records with different priorities provide automatic failover. An RFC 7505 Null MX (priority 0, host “.”) is detected and shown here — it explicitly declares the domain does not accept email.

Priority	Hostname	Type
10	mxb-00160c04.gslb.pphosted.com	Mail server
10	mxa-00160c04.gslb.pphosted.com	Mail server

Authentication

The three-pillar framework that proves your emails are legitimate and prevents spoofing.

WARN

✓

SPF Sender Policy Framework Hard Fail (-all)

SPF uses -all (hard fail). Strict and recommended.

SPF lists which IP addresses are authorised to send email as your domain. A hard fail (-all) is strongest — receivers reject anything not on the list outright.

v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com -all

Mechanism Breakdown 1/10 DNS lookups

Q	Type	Value	Status	Notes & Guidance
+	include	%{ir}.%{v}.%{d}.spf.has.pphosted.com	!	DNS '%{ir}.%{v}.%{d}.spf.has.pphosted.com' does not look like a valid fully-qualified domain name → Fix: include: expects a domain like _spf.example.com
-	all	—	✓

DKIM DomainKeys Identified Mail

DKIM records found but contain tag errors — see breakdown below.

DKIM adds a cryptographic signature to every outgoing message. Receiving servers use your public key (published in DNS) to verify the message hasn't been altered in transit.

199 selectors scanned 4 found Microsoft 365 + Klaviyo

selector1._domainkey Microsoft 365 RSA 1024-bit ⚠ collapse

Tag	Value	Status	Notes & Guidance
v=	DKIM1	✓
k=	rsa	✓
p=	MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwjnBe+Q6zdxEJ…	✓
n=	1024,1450207371,1466018571	i	Human-readable notes field — no validation required

k1._domainkey Klaviyo RSA 1024-bit ⚠ HAS ERRORS expand

Tag	Value	Status	Notes & Guidance
v=	(missing)	✗	Required tag v= is absent. Record must include v=DKIM1
k=	rsa	✓
p=	MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbNrX2cY/GUKIF…	✓

k2._domainkey Klaviyo RSA 2048-bit expand

Tag	Value	Status
v=	DKIM1	✓
k=	rsa	✓
p=	MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2aC2KjG…	✓

k3._domainkey Klaviyo RSA 2048-bit expand

Tag	Value	Status
v=	DKIM1	✓
k=	rsa	✓
p=	MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsYGiMSn7…	✓

✓

DMARC Domain-based Message Authentication p=reject

DMARC policy is reject. Excellent.

DMARC ties SPF and DKIM together with an enforcement policy. p=reject is the gold standard — it instructs receivers to block unauthenticated mail entirely and protects your domain from spoofing.

v=DMARC1; p=reject; rua=mailto:dmarc_rua@emaildefense.proofpoint.com; ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com

Tag Breakdown

Tag	Value	Status
v=	DMARC1	✓
p=	reject	✓
rua=	mailto:dmarc_rua@emaildefense.proofpoint.com	✓
ruf=	mailto:dmarc_ruf@emaildefense.proofpoint.com	✓

Reports to: mailto:dmarc_rua@emaildefense.proofpoint.com Forensics to: mailto:dmarc_ruf@emaildefense.proofpoint.com

✓

DMARC Reports Aggregate & forensic reporting

DMARC reporting configured. Aggregate (rua): mailto:dmarc_rua@emaildefense.proofpoint.com; Forensic (ruf): mailto:dmarc_ruf@emaildefense.proofpoint.com.

DMARC can send you daily XML reports (rua=) about which servers are sending mail as your domain and whether they pass authentication. Forensic reports (ruf=) include individual failure samples. Without these you are flying blind.

Aggregate (rua) mailto:dmarc_rua@emaildefense.proofpoint.com

Forensic (ruf) mailto:dmarc_ruf@emaildefense.proofpoint.com

Transport Security

Ensures email is delivered over encrypted connections and that TLS failures are reported.

WARN

MTA-STS Enforce inbound TLS

No MTA-STS DNS record found. MTA-STS forces TLS for inbound mail.

MTA-STS forces other mail servers to use TLS encryption when delivering to you, blocking downgrade attacks that would expose messages in transit. It works together with TLSRPT for visibility.

TLSRPT TLS failure reporting

No TLS Reporting (TLSRPT) record. Optional but recommended alongside MTA-STS.

When TLS negotiation fails during inbound delivery, TLSRPT sends you a structured JSON report. This lets you detect misconfigured sending servers or active downgrade attacks targeting your MTA-STS policy.

Brand & Reputation

Brand logo visibility, reverse DNS matching, and blacklist status of your mail servers.

PASS

✓

BIMI Brand logo in email clients

BIMI is configured.

BIMI lets you display your verified brand logo in supporting inboxes (Gmail, Apple Mail, Yahoo). It requires DMARC with quarantine or reject, and an SVG logo hosted at a published URL.

v=BIMI1; l=https://www.reuters.com/static/email/bimi_logo.svg

✓

PTR Records Reverse DNS for MX hosts

All MX server IPs have valid PTR records with forward-confirmed reverse DNS (FCrDNS).

Checks that each MX server IP has a PTR record and that the PTR hostname forward-resolves back to the same IP (FCrDNS). Most spam filters require FCrDNS to pass — a missing or non-confirming PTR raises the spam score of your outbound mail.

MX Host	IP	Ver	PTR	Match
mxb-00160c04.gslb.pphosted.com	205.220.179.180	IPv4	mx0b-00160c04.pphosted.com	✓
mxa-00160c04.gslb.pphosted.com	205.220.179.180	IPv4	mx0b-00160c04.pphosted.com	✓

✓

Blacklist Check 8 DNSBL zone spot-check

1 IP checked against 10 DNSBL zones — all clean.

Checks whether your MX server IPs (IPv4 and IPv6) appear on major spam blocklists (Spamhaus, SpamCop, Barracuda, SORBS, and others). A single listing can cause severe delivery failures at major providers.

205.220.179.180 10 zone checks Clean

Score Breakdown

MX Pass

SPF Pass

DKIM Warn

DMARC Pass

DMARC Reports Pass

MTA-STS Warn

TLSRPT Info

BIMI Pass

PTR Pass

Blacklist Pass

Reference Guide

Mechanisms

Mechanism	Meaning
`all`	Catch-all (always matches)
`a`	Domain's A/AAAA records
`mx`	Domain's MX hosts
`ip4`	IPv4 address / range
`ip6`	IPv6 address / range
`include`	Include another domain's SPF
`exists`	Custom A-record lookup
`ptr`	PTR record check (deprecated)

Qualifiers

Prefix	Result
`+`	Pass (default)
`-`	Fail
`~`	SoftFail
`?`	Neutral

Modifiers

Tag	Purpose
`redirect`	Use another domain's full SPF policy
`exp`	Explanation string on failure

Core Tags

Tag	Purpose / Values
`v`	Version — must be `DMARC1`
`p`	Policy: `none` · `quarantine` · `reject`
`sp`	Sub-domain policy (defaults to `p`)
`adkim`	DKIM alignment: `r` relaxed · `s` strict
`aspf`	SPF alignment: `r` relaxed · `s` strict
`pct`	% of mail policy applies to (0–100)

Reporting Tags

Tag	Purpose
`rua`	Aggregate report URI (`mailto:`)
`ruf`	Forensic report URI (`mailto:`)
`fo`	Failure options: `0` both fail · `1` either fails · `d` DKIM · `s` SPF
`rf`	Report format: `afrf` (default)
`ri`	Reporting interval in seconds (default 86400)

Signature Tags (Mail Header)

Tag	Purpose
`v`	Version — must be `1`
`a`	Algorithm: `rsa-sha256` · `ed25519-sha256`
`d`	Signing domain
`s`	Selector (DNS lookup: `s._domainkey.d`)
`h`	Signed headers list
`b`	Signature value (base64)
`bh`	Body hash
`c`	Canonicalization: `simple` · `relaxed`
`t`	Signature timestamp
`x`	Signature expiry timestamp
`l`	Body length limit

DNS Key Record Tags

Tag	Purpose
`v`	Version — `DKIM1`
`k`	Key type: `rsa` · `ed25519`
`p`	Public key (base64); empty = revoked
`t`	Flags: `y` test mode · `s` strict
`h`	Acceptable hash algorithms
`s`	Service type: `email` · `*`
`n`	Human-readable notes

Also check for reuters.com

DNS Diagnostic

All records, health checks & propagation

WHOIS / RDAP

Registrar, expiry & ownership details

DNSSEC Validation

Chain of trust & signature verification

TLS Certificate

CT log history, SANs & cert details

DNS Propagation

Live check across global resolvers