§ email-dns
A stranger's-eye view of how a domain is configured to send and receive mail. Every record that affects deliverability and anti-spoofing is checked in parallel and graded against current best practice.
- checks: MX (RFC 5321), SPF (RFC 7208), DMARC (RFC 7489), MTA-STS (RFC 8461), TLS-RPT (RFC 8460), and DKIM (RFC 6376) at 11 common selectors — DNS has no way to enumerate selectors, so DKIM coverage is a probe, not a list.
- grading: Opinionated. Weighted toward RFC 7489's reject policy as the gold standard. Soft warnings for common but suboptimal choices (~all on SPF, p=none on DMARC, missing MTA-STS).
- caveats: SPF includes (e.g. include:_spf.google.com) are not recursively resolved; the grade is on the published string only. DKIM absence here doesn't prove the domain doesn't sign — it may use an unusual selector name.
upstream: dns.google (DoH).
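
The grading rules and the published-string caveat above, sketched as an added Python example; it is not the tool's own code. The severity labels, the treatment of `p=quarantine` and of a missing or permissive `all`, and the sample records are assumptions made for illustration.

```python
# Added illustration, not the email-dns tool's code. Severity labels are assumed.

def parse_dmarc(txt):
    """Split a DMARC TXT record into a lower-cased tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def grade(spf, dmarc, has_mta_sts):
    """Grade the published strings only; SPF includes are reported, not resolved."""
    findings = []
    terms = spf.lower().split() if spf else []
    if not terms or terms[0] != "v=spf1":
        findings.append(("fail", "no SPF record"))
    else:
        for t in terms[1:]:
            if t.startswith("include:"):
                findings.append(("info", "unresolved " + t))
        alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
        # A bare "all" means "+all"; "+" and "?" let any sender through.
        if not alls or alls[0][0] in "+?a":
            findings.append(("fail", "SPF has no restrictive all"))
        elif alls[0][0] == "~":
            findings.append(("warn", "SPF uses ~all"))
    tags = parse_dmarc(dmarc or "")
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1":
        findings.append(("fail", "no DMARC record"))
    elif policy == "none":
        findings.append(("warn", "DMARC p=none"))
    elif policy == "quarantine":
        findings.append(("info", "DMARC p=quarantine, short of reject"))
    elif policy != "reject":
        findings.append(("fail", "DMARC policy missing or invalid"))
    if not has_mta_sts:
        findings.append(("warn", "missing MTA-STS"))
    return findings

# Constructed sample records (example.com is a placeholder domain).
SAMPLE_SPF = "v=spf1 include:_spf.google.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for level, msg in grade(SAMPLE_SPF, SAMPLE_DMARC, has_mta_sts=False):
        print(level, msg)
```
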