Step 1
Enter your domain
Type any domain you control - just the bare hostname like example.com, no protocol or path.
One-click letter grade
Free Email Authentication Scorecard
An email authentication scorecard checks your domain's SPF, DKIM, DMARC, BIMI, MX, and TLS-RPT records and grades them on a single A+ to F scale. Enter a domain and you get an instant report card with specific fixes for every gap.
Pair this with the SPF Record Checker, DKIM Checker, and DMARC Record Generator to drill into individual records. Want authentication results captured on every inbound email automatically? MailParse extracts SPF, DKIM, and DMARC results from each message and returns them as JSON.
How the scorecard works
Step 2
Run the scorecard
The tool runs DNS lookups for SPF, DKIM (across 19 common selectors), DMARC, BIMI, MX, and TLS-RPT records in parallel.
Step 3
Review your letter grade
You get an A+ to F grade with a per-check breakdown showing exactly which records exist, which are missing, and which are weak.
Step 4
Apply the fixes
Each failing or warning check includes a specific remediation step and a link to the right tool to verify the fix.
Scoring rubric
The scorecard awards 100 points across six categories. Higher weightings reflect what receivers actually act on.
| Category | Max points | What we check |
|---|---|---|
| SPF | 20 | Record exists, valid syntax, hard-fail (-all) vs soft (~all), under 10 lookups, no +all. |
| DKIM | 20 | At least one of 19 common selectors resolves with a valid public key. Multiple selectors = key rotation. |
| DMARC | 25 | Policy strength (reject > quarantine > none), pct=100, rua reporting, subdomain policy. |
| BIMI | 15 | Record at default._bimi, HTTPS l= logo, a= VMC certificate. |
| MX | 10 | MX records exist and at least 2 hosts for redundancy. |
| TLS-RPT | 10 | TLS-RPT TXT record at _smtp._tls with rua= reporting destination. |
Frequently asked questions
What is an email authentication scorecard?
An email authentication scorecard checks your domain's SPF, DKIM, DMARC, BIMI, MX, and TLS-RPT DNS records and grades them on a single A+ to F scale. It tells you, in one number, how protected your domain is against spoofing and how likely your mail is to land in the inbox - and it lists specific fixes for each gap.
How is the grade calculated?
The total is out of 100 points: SPF 20, DKIM 20, DMARC 25, BIMI 15, MX 10, and TLS-RPT 10. Each check awards partial credit based on policy strength (for example, p=reject is worth more than p=quarantine, and -all is worth more than ~all). 95-100 = A+, 90-94 = A, 85-89 = A-, 80-84 = B+, 75-79 = B, 70-74 = B-, 65-69 = C+, 60-64 = C, 55-59 = C-, 50-54 = D, below 50 = F.
Why does my domain have a low DMARC score?
DMARC scores depend on policy strength (p=reject is the maximum), pct=100, an rua reporting destination, and a strict subdomain policy (sp=reject). A domain at p=none, even with everything else right, will score in the C range for DMARC. Most domains start at p=none for monitoring, then move to p=quarantine, then p=reject.
What's the difference between SPF, DKIM, and DMARC?
SPF lists which servers are allowed to send mail for your domain. DKIM cryptographically signs outgoing messages so receivers can verify they were not tampered with. DMARC ties the two together - it tells receivers what to do when SPF or DKIM fails, and where to send reports. You need all three for strong protection.
How can I improve my email authentication grade?
Start with the highest-impact gaps in the scorecard. Typical fixes: publish an SPF record ending in -all, configure DKIM signing with at least one selector, publish a DMARC record at p=quarantine or p=reject with rua reporting, add at least one secondary MX host for redundancy, and add TLS-RPT for delivery diagnostics. BIMI is optional but unlocks brand logos in Gmail and Yahoo.
Is BIMI required?
No. BIMI is optional and only impacts brand logo display in supporting inboxes (Gmail, Yahoo, Apple Mail, Fastmail). It does not affect deliverability. The scorecard treats a missing BIMI record as a warning, not a failure - you can still earn an A grade without it, but it caps you below A+.
Related tools
SPF Record Checker
Validate SPF syntax, lookup count, and dangerous mechanisms like +all.
DKIM Checker
Look up DKIM records by selector, parse public keys, and verify key strength.
DMARC Record Generator
Build a compliant DMARC record with the policy and reporting tags you need.
BIMI Record Checker
Validate your BIMI record, logo URL, and VMC certificate.
MX Record Lookup
Inspect a domain's MX records, priorities, and resolved IPs.
Email Header Analyzer
Decode raw email headers and trace the message's authentication path.