Checks Reference

Every scan runs all checks below against the target domain. Findings generate violations, which trigger alerts based on your routing rules.

DMARC

• CRITICAL
  dmarc_missing

  No DMARC record found at _dmarc.{domain}. Domain is unprotected against spoofing.
• CRITICAL
  dmarc_invalid_syntax

  Record found but cannot be parsed — missing or invalid p= tag.
• HIGH
  dmarc_policy_none

  p=none — monitoring mode only, no enforcement. Spoofed mail is delivered.
• HIGH
  dmarc_pct_lt_100

  pct= value below 100 — policy applies to only a fraction of mail.
• HIGH
  dmarc_rua_missing

  No rua= aggregate report address. Failures are invisible.

SPF

• CRITICAL
  spf_plus_all

  +all — any server on the internet passes SPF. Functionally an open relay.
• HIGH
  spf_missing

  No SPF record found. Any server can send as this domain.
• HIGH
  spf_not_hardfail

  Record does not end in -all. Non-matching senders are not rejected.
• HIGH
  spf_qall

  ?all — neutral result for non-matching senders. Equivalent to no policy.
• HIGH
  spf_lookup_overflow

  More than 10 DNS lookups required. Record will fail validation per RFC 7208.
• HIGH
  spf_vendor_sprawl_root

  More than 3 include: directives at root level. Approaching limits, hard to audit.
• MODERATE
  spf_near_limit

  8–10 DNS lookups. Approaching the 10-lookup limit.
• MODERATE
  spf_nested_complex

  Deeply nested includes make the record difficult to audit or modify safely.

DKIM

• HIGH
  dkim_missing

  No valid DKIM record found across all probed selectors. Without DKIM, DMARC alignment is harder to achieve.

MTA-STS

• HIGH
  mta_sts_missing

  No MTA-STS TXT record at _mta-sts.{domain}. Inbound transport encryption is not enforced.
• HIGH
  mta_sts_not_enforce

  Policy file found but mode: is not enforce. Transport encryption is not being enforced.

TLS-RPT

• HIGH
  tls_rpt_missing

  No TLS reporting record at _smtp._tls.{domain}. Transport failures are not being reported.

SMTP & TLS

• CRITICAL
  starttls_fail

  Primary MX does not advertise or successfully negotiate STARTTLS. Mail is transmitted in plaintext.
• CRITICAL
  smtp_handshake_fail

  TCP connection to primary MX failed or EHLO was rejected.
• CRITICAL
  mx_missing

  No MX records found. Domain cannot receive email.
• CRITICAL
  mx_unreachable

  MX records exist but all hosts are unreachable on port 25.
• CRITICAL
  cert_expired

  TLS certificate on the MX host has expired.
• HIGH
  starttls_fail_secondary

  Secondary MX does not support STARTTLS. Fallback delivery is unencrypted.
• HIGH
  tls_lt_12

  MX host accepts connections below TLS 1.2.
• HIGH
  cert_expires_soon

  TLS certificate expires within 30 days.
• MODERATE
  weak_cipher_present

  MX host advertises deprecated cipher suites alongside modern ones.

BIMI

• MODERATE
  bimi_missing

  No BIMI record at default._bimi.{domain}. Brand logo won't display in supporting mail clients.