What is a domain email health check?
A domain email health check inspects, in a single pass, every DNS-level control that governs whether your mail is accepted, authenticated, and trusted. This tool queries seven layers for a domain — MX records, SPF, DKIM, DMARC, the A record, MTA-STS, and BIMI — and reports the status of each alongside a weighted overall score.
The score is not a flat average. Foundational controls carry more weight — working MX and SPF matter more than a nice-to-have BIMI logo — so the number reflects real-world deliverability impact. Think of it as a pre-flight checklist: it tells you at a glance what is solid, what is missing, and what to fix first before you scale your sending.
Why run a domain email health check?
1See the whole picture at once
Instead of running seven separate lookups, get every authentication and routing layer in one prioritised view
2Fix the highest-impact gaps first
A weighted score points you at the controls that move deliverability most, not just the easy wins
3Audit before a big send
Confirm the domain is production-ready before a launch, migration, or warmup ramp-up
4Track hardening over time
Re-run after each change to confirm SPF, DKIM, DMARC, and MTA-STS are all pulling their weight
How the health check works — step by step
Enter the domain you send mail from — the root domain, no protocol or path needed.
The tool queries MX, SPF, DKIM, DMARC, A, MTA-STS, and BIMI in parallel across public DNS.
For DKIM it probes the most common selectors so a valid key is found without you supplying one.
Each layer is scored by importance and the results are combined into a weighted 0–100 health score.
You get an overall verdict — healthy, needs attention, or critical — plus a per-check pass/fail breakdown.
Common domain health gaps and fixes
No DMARC policy
Without DMARC, SPF and DKIM are not enforced end-to-end — publish at least p=none, then tighten
DKIM not found
If no common selector resolves, signing may be off or using a custom selector — confirm your ESP’s setup
SPF too permissive or missing
A missing or +all SPF record invites spoofing — list only your real senders and end with -all or ~all
Missing MX records
No valid MX means the domain cannot reliably receive mail or bounce reports — publish your provider’s records
Frequently Asked Questions
It inspects seven DNS-level layers for your domain in one scan: MX records (mail routing), SPF, DKIM, and DMARC (authentication), the A record (address resolution), MTA-STS (transport encryption), and BIMI (brand logo). Each is reported as pass, missing, or unknown, and combined into a single weighted deliverability score.
The score is weighted by importance rather than a flat average. Foundational controls — MX, SPF, DKIM, and DMARC — contribute the most, while newer, optional layers like MTA-STS and BIMI add smaller amounts. This means the number reflects real deliverability impact: a domain missing DMARC scores far lower than one merely missing a BIMI logo.
No. The health check automatically probes the most common DKIM selectors used by major email providers, so in most cases it finds your key without any input. If your domain uses an uncommon custom selector, the DKIM layer may show as not found even though signing works — check it individually with the DKIM checker in that case.
A domain in the healthy range has working MX, a valid SPF record, DKIM signing, and an enforced DMARC policy — the core of trusted sending. Scores in the middle usually mean authentication is incomplete (often DMARC at p=none or missing DKIM), and low scores point to foundational gaps that will actively hurt deliverability until fixed.
Run one before any major sending event — a product launch, a domain migration, or the start of a warmup ramp — and again after any DNS change to your mail setup. Periodic checks also catch silent regressions, such as a vendor rotating a DKIM key or a policy file going offline, before they affect your delivery.