Email Security Checker Guide
Use this guide to understand what the Email Security Checker is validating, how SPF, DKIM, and DMARC findings relate to each other, and how to tighten email authentication without interrupting legitimate senders.
Overview
Email authentication works best when SPF, DKIM, and DMARC reinforce each other. The checker is trying to highlight where missing records, weak policies, or operational drift leave a domain easier to spoof or harder to trust.
Records to review together
- SPF: Authorize only the senders you truly use and keep lookup complexity under control.
- DKIM: Make sure signatures are present, selectors are correct, and keys are not stale or truncated.
- DMARC: Use policy progression to move from monitoring toward stronger spoofing protection safely.
Email Authentication Signals and Meaning
| Control | Healthy state | Common weakness |
|---|---|---|
| SPF | Accurate sending-source coverage | Too many lookups, missing senders, or outdated includes. |
| DKIM | Signing enabled with valid selectors | Selector mismatch, stale keys, or providers not signing consistently. |
| DMARC | Policy and reporting aligned with real mail flow | Permanent p=none or no reporting visibility. |
| Operational ownership | Clear owner for changes and reports | DNS records drift because no one owns the mail stack end to end. |
Practical DNS Examples
v=spf1 include:_spf.google.com include:sendgrid.net ~allv=DMARC1; p=none; rua=mailto:dmarc-reports@example.com
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.comRecommended Remediation Flow
- Inventory the real sending services List mail providers, transactional senders, and marketing tools before editing DNS.
- Stabilize SPF and DKIM first Confirm the real senders are authorized and signing before tightening DMARC policy.
- Move DMARC progressively Use monitoring first, then quarantine or reject once legitimate mail is behaving as expected.
- Review reports and retest Use DMARC reporting and repeat the check after each staged change.
Troubleshooting Common Issues
SPF fails with too many DNS lookups
This usually happens when a domain keeps adding providers without cleaning up old includes.
- Remove providers you no longer send from.
- Flatten carefully only if you understand the operational tradeoff.
- Review whether some IPs or includes can be simplified.
Legitimate mail fails DMARC after policy tightening
A sending service is often missing from SPF or DKIM, or forwarding behavior is changing alignment.
- Review actual sending sources before reverting the whole policy.
- Confirm the provider is signing with the correct selector and domain alignment.
- Use reporting to isolate the affected flow before broadening the policy again.
Validation Checklist
Post-fix validation
- Confirm SPF, DKIM, and DMARC reflect the real mail stack currently in use.
- Verify selectors, reporting addresses, and policy values are present on the public DNS records.
- Review DMARC reports after tightening policy to catch legitimate sender issues early.
- Run the Email Security Checker again and compare the result against the intended email-auth baseline.
FAQ
Should DMARC start at reject?
Usually no. Monitoring first gives you time to catch legitimate sender drift.
- Start with p=none if visibility is still low.
- Move to quarantine or reject only after reviewing reports.
- Treat policy progression as an operational rollout, not just a DNS edit.
Is SPF alone enough?
No. SPF helps, but DKIM and DMARC are what turn sender authorization into a stronger anti-spoofing posture.
- Use SPF, DKIM, and DMARC together.
- Review third-party sender ownership regularly.
- Retest after adding or removing mail providers.