
Full Email Security Audit (Policy, Hygiene, Compliance)

Comprehensive audit explaining MXScan's 0–100 scoring system and the exact security controls we inspect.

Comprehensive Audit Scope

Our audit covers all critical email security and deliverability factors.

Authentication

  • SPF records & syntax
  • DKIM selectors & keys
  • DMARC policy & alignment
  • BIMI configuration

Transport Security

  • MTA-STS policies
  • TLS-RPT configuration
  • SMTP TLS support
  • Certificate validation

Infrastructure

  • MX record configuration
  • DNS propagation status
  • Reverse DNS setup
  • IP reputation

Reputation

  • Blacklist monitoring
  • Sender reputation
  • Domain reputation
  • Historical data

MXScan Scoring Model (0-100)

Score Components & Weights

  • Email Authentication (SPF, DKIM, DMARC, BIMI): 40%
  • Infrastructure Security (MTA-STS, TLS-RPT, SMTP TLS): 25%
  • DNS Configuration (MX, rDNS, propagation): 20%
  • Reputation Signals (Blacklists, sender score): 15%

  • 0-49: Critical Issues (Major security gaps)
  • 50-69: Needs Work (Several improvements needed)
  • 70-89: Good (Minor optimizations)
  • 90-100: Excellent (Best practices followed)

Sample Audit Report

78

Overall Security Score

Good configuration with room for improvement

✅ Strengths

  • SPF record properly configured
  • DKIM signatures active
  • No blacklist entries found
  • SMTP TLS properly configured

⚠️ Areas for Improvement

  • DMARC policy set to p=none
  • MTA-STS not configured
  • TLS-RPT missing
  • BIMI not implemented

Priority Action Items

1. Implement MTA-STS

Add MTA-STS policy to enforce TLS encryption (+15 points)

2. Upgrade DMARC Policy

Change from p=none to p=quarantine (+10 points)

3. Add TLS-RPT

Enable TLS reporting for monitoring (+5 points)

Implementation Roadmap

Step-by-step guide to improve your email security score.

1. Foundation (Weeks 1-2)

Establish basic email authentication

  • Configure SPF records
  • Set up DKIM signing
  • Implement DMARC with p=none

2. Enhancement (Weeks 3-4)

Add transport security measures

  • Deploy MTA-STS policies
  • Configure TLS-RPT reporting
  • Upgrade SMTP TLS configuration

3. Optimization (Weeks 5-6)

Fine-tune and monitor

  • Upgrade DMARC to p=quarantine/reject
  • Implement BIMI for brand visibility
  • Set up continuous monitoring
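
The DNS records the roadmap asks you to publish can be checked offline. The following is an added example, not MXScan's code: it parses constructed TXT records for SPF, DMARC, MTA-STS, TLS-RPT and BIMI and reports the gaps listed in the sample report. The zone dictionary, `audit` and the helper names are assumptions; it does not compute a score, query DNS, or fetch the MTA-STS policy file.

```python
# Added example, not MXScan's code. All records below are constructed samples.

def parse_tags(txt):
    """Parse a 'tag=value; tag=value' TXT record into a dict (keys lowercased)."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def one_record(zone, name, version):
    """Return (tags, error); more than one matching record is itself a failure."""
    hits = [r for r in zone.get(name, [])
            if r.replace(" ", "").lower().startswith(version.lower())]
    if not hits:
        return None, "missing"
    if len(hits) > 1:
        return None, "multiple records"
    return parse_tags(hits[0]), None

def audit(zone, domain):
    """zone maps a DNS name to its list of TXT strings (hypothetical input shape)."""
    findings = []
    # SPF (RFC 7208): exactly one v=spf1 record, and no pass-everything "all".
    spf = [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append("SPF: expected 1 record, found %d" % len(spf))
    elif any(t in ("all", "+all") for t in spf[0].lower().split()):
        findings.append("SPF: +all permits any sender")
    # DMARC (RFC 7489): p=none only monitors, it does not protect.
    tags, err = one_record(zone, "_dmarc." + domain, "v=DMARC1")
    if err:
        findings.append("DMARC: " + err)
    elif tags.get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("DMARC: policy is p=%s" % (tags.get("p") or "unset"))
    # MTA-STS (RFC 8461) needs id=, TLS-RPT (RFC 8460) needs rua=, BIMI needs l=.
    for label, name, version, required in (
        ("MTA-STS", "_mta-sts." + domain, "v=STSv1", "id"),
        ("TLS-RPT", "_smtp._tls." + domain, "v=TLSRPTv1", "rua"),
        ("BIMI", "default._bimi." + domain, "v=BIMI1", "l"),
    ):
        tags, err = one_record(zone, name, version)
        if err:
            findings.append("%s: %s" % (label, err))
        elif not tags.get(required):
            findings.append("%s: no %s= tag" % (label, required))
    return findings

# Constructed zone mirroring the sample report: SPF fine, DMARC at p=none,
# and no MTA-STS, TLS-RPT or BIMI records published.
SAMPLE_ZONE = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
```

Calling `audit(SAMPLE_ZONE, "example.com")` returns one finding per item under "Areas for Improvement"; a duplicate `_dmarc` record is reported as a failure rather than silently picking one.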

Frequently Asked Questions

What moves the score most?

Email authentication (SPF, DKIM, DMARC) has the highest impact on scores, accounting for 40% of the total. Missing or misconfigured authentication can drop scores by 30-50 points.

How often should I audit?

Monthly audits for active domains, quarterly for stable setups. Run immediate audits after infrastructure changes, deliverability issues, or security incidents.

Can I get a perfect 100 score?

Yes, but it requires implementing all best practices: strong authentication, transport security, proper DNS configuration, and maintaining good reputation. Most domains score 85-95 with proper configuration.