Email Deliverability Check

Analyse your domain’s email authentication, routing, and reputation in one scan.

signal.org

Email Deliverability

Cached Cached · 1 hr ago · renews in 39 min

Showing a cached result — sign up free for always-live lookups and API access. Create free account →

D 66

signal.org

Acceptable setup — a few gaps to address.

7 passed 2 warnings 1 failed Export PDF

Mail Routing

Verifies that your domain has valid mail server records and that they resolve correctly.

PASS

✓

MX Records Mail server routing

5 MX record(s) found.

MX records define where email for your domain is delivered. Without them, no mail can be received. Multiple MX records with different priorities provide automatic failover. An RFC 7505 Null MX (priority 0, host “.”) is detected and shown here — it explicitly declares the domain does not accept email.

Priority	Hostname	Type
1	aspmx.l.google.com	Mail server
5	alt1.aspmx.l.google.com	Mail server
5	alt2.aspmx.l.google.com	Mail server
10	aspmx3.googlemail.com	Mail server
10	aspmx2.googlemail.com	Mail server

Authentication

The three-pillar framework that proves your emails are legitimate and prevents spoofing.

WARN

SPF Sender Policy Framework Soft Fail (~all)

SPF uses ~all (soft fail). Consider upgrading to -all.

SPF lists which IP addresses are authorised to send email as your domain. A hard fail (-all) is strongest — receivers reject anything not on the list outright.

v=spf1 include:_spf.google.com ~all

Mechanism Breakdown 1/10 DNS lookups

Q	Type	Value	Status	Notes & Guidance
+	include	_spf.google.com	✓	DNS
~	all	—	✓

✓

DKIM DomainKeys Identified Mail

DKIM records found for selector(s): google. Provider: Google Workspace.

DKIM adds a cryptographic signature to every outgoing message. Receiving servers use your public key (published in DNS) to verify the message hasn't been altered in transit.

199 selectors scanned 1 found Google Workspace

google._domainkey Google Workspace RSA 1024-bit ⚠ collapse

Tag	Value	Status
v=	DKIM1	✓
k=	rsa	✓
p=	MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCSYE2OjxFNy7pT…	✓

DMARC Domain-based Message Authentication p=quarantine

DMARC policy is quarantine. Consider upgrading to reject.

DMARC ties SPF and DKIM together with an enforcement policy. p=reject is the gold standard — it instructs receivers to block unauthenticated mail entirely and protects your domain from spoofing.

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@signal.org

Tag Breakdown

Tag	Value	Status	Notes & Guidance
v=	DMARC1	✓
p=	quarantine	!	Policy 'quarantine' sends suspicious mail to spam — consider upgrading to reject → Fix: Change to p=reject for maximum protection once you are confident your SPF and DKIM are correct
pct=	100	✓
rua=	mailto:dmarc@signal.org	✓

Reports to: mailto:dmarc@signal.org

✓

DMARC Reports Aggregate & forensic reporting

DMARC reporting configured. Aggregate (rua): mailto:dmarc@signal.org.

DMARC can send you daily XML reports (rua=) about which servers are sending mail as your domain and whether they pass authentication. Forensic reports (ruf=) include individual failure samples. Without these you are flying blind.

Aggregate (rua) mailto:dmarc@signal.org

Tip: Add ruf=mailto:forensic@yourdomain.com to receive individual failure samples for investigation.

Transport Security

Ensures email is delivered over encrypted connections and that TLS failures are reported.

PASS

✓

MTA-STS Enforce inbound TLS

MTA-STS is configured.

MTA-STS forces other mail servers to use TLS encryption when delivering to you, blocking downgrade attacks that would expose messages in transit. It works together with TLSRPT for visibility.

v=STSv1;id=20260327162351;

✓

TLSRPT TLS failure reporting

TLSRPT is configured.

When TLS negotiation fails during inbound delivery, TLSRPT sends you a structured JSON report. This lets you detect misconfigured sending servers or active downgrade attacks targeting your MTA-STS policy.

v=TLSRPTv1;rua=mailto:smtp-tls-reports@signal.org;

Brand & Reputation

Brand logo visibility, reverse DNS matching, and blacklist status of your mail servers.

FAIL

BIMI Brand logo in email clients

No BIMI record. BIMI enables brand logo display in supporting email clients.

BIMI lets you display your verified brand logo in supporting inboxes (Gmail, Apple Mail, Yahoo). It requires DMARC with quarantine or reject, and an SVG logo hosted at a published URL.

✓

PTR Records Reverse DNS for MX hosts

All MX server IPs have valid PTR records with forward-confirmed reverse DNS (FCrDNS).

Checks that each MX server IP has a PTR record and that the PTR hostname forward-resolves back to the same IP (FCrDNS). Most spam filters require FCrDNS to pass — a missing or non-confirming PTR raises the spam score of your outbound mail.

MX Host	IP	Ver	PTR	Match
aspmx.l.google.com	142.251.127.27	IPv4	lcfrai-in-f27.1e100.net	✓
aspmx.l.google.com	2a00:1450:4001:c21::1b	IPv6	lcfrai-in-f27.1e100.net	✓
alt1.aspmx.l.google.com	192.178.213.26	IPv4	yugrqzs-in-f26.1e100.net	✓
alt1.aspmx.l.google.com	2a00:1450:4010:c22::1b	IPv6	yulpptr-in-f27.1e100.net	✓
alt2.aspmx.l.google.com	142.251.127.26	IPv4	lcfrai-in-f26.1e100.net	✓
alt2.aspmx.l.google.com	2404:6800:4000:1025::1b	IPv6	lcbomp-in-f27.1e100.net	✓

✗

Blacklist Check 8 DNSBL zone spot-check

Listed on: 2a00:1450:4001:c21::1b on dnsbl.spfbl.net.

Checks whether your MX server IPs (IPv4 and IPv6) appear on major spam blocklists (Spamhaus, SpamCop, Barracuda, SORBS, and others). A single listing can cause severe delivery failures at major providers.

142.251.127.27 2a00:1450:4001:c21::1b 192.178.213.26 2a00:1450:4010:c22::1b 142.251.127.26 2404:6800:4000:1025::1b 60 zone checks

LISTED 2a00:1450:4001:c21::1b on dnsbl.spfbl.net

Action required: Visit each blocklist above to request delisting. A listing on Spamhaus or Barracuda can cause rejection at major email providers.

Score Breakdown

MX Pass

SPF Warn

DKIM Pass

DMARC Warn

DMARC Reports Pass

MTA-STS Pass

TLSRPT Pass

BIMI Info

PTR Pass

Blacklist Fail

Reference Guide

Mechanisms

Mechanism	Meaning
`all`	Catch-all (always matches)
`a`	Domain's A/AAAA records
`mx`	Domain's MX hosts
`ip4`	IPv4 address / range
`ip6`	IPv6 address / range
`include`	Include another domain's SPF
`exists`	Custom A-record lookup
`ptr`	PTR record check (deprecated)

Qualifiers

Prefix	Result
`+`	Pass (default)
`-`	Fail
`~`	SoftFail
`?`	Neutral

Modifiers

Tag	Purpose
`redirect`	Use another domain's full SPF policy
`exp`	Explanation string on failure

Core Tags

Tag	Purpose / Values
`v`	Version — must be `DMARC1`
`p`	Policy: `none` · `quarantine` · `reject`
`sp`	Sub-domain policy (defaults to `p`)
`adkim`	DKIM alignment: `r` relaxed · `s` strict
`aspf`	SPF alignment: `r` relaxed · `s` strict
`pct`	% of mail policy applies to (0–100)

Reporting Tags

Tag	Purpose
`rua`	Aggregate report URI (`mailto:`)
`ruf`	Forensic report URI (`mailto:`)
`fo`	Failure options: `0` both fail · `1` either fails · `d` DKIM · `s` SPF
`rf`	Report format: `afrf` (default)
`ri`	Reporting interval in seconds (default 86400)

Signature Tags (Mail Header)

Tag	Purpose
`v`	Version — must be `1`
`a`	Algorithm: `rsa-sha256` · `ed25519-sha256`
`d`	Signing domain
`s`	Selector (DNS lookup: `s._domainkey.d`)
`h`	Signed headers list
`b`	Signature value (base64)
`bh`	Body hash
`c`	Canonicalization: `simple` · `relaxed`
`t`	Signature timestamp
`x`	Signature expiry timestamp
`l`	Body length limit

DNS Key Record Tags

Tag	Purpose
`v`	Version — `DKIM1`
`k`	Key type: `rsa` · `ed25519`
`p`	Public key (base64); empty = revoked
`t`	Flags: `y` test mode · `s` strict
`h`	Acceptable hash algorithms
`s`	Service type: `email` · `*`
`n`	Human-readable notes

Also check for signal.org

DNS Diagnostic

All records, health checks & propagation

WHOIS / RDAP

Registrar, expiry & ownership details

DNSSEC Validation

Chain of trust & signature verification

TLS Certificate

CT log history, SANs & cert details

DNS Propagation

Live check across global resolvers