DNS Health Score

SpoofWard continuously monitors your DNS records to ensure proper configuration of email authentication standards. The DNS Health Score summarizes the overall health of your domain's email security infrastructure.

Understanding the Score

The DNS Health Score (0-100) reflects whether your critical DNS records are:

  • Correctly formatted - Proper syntax according to RFC standards
  • Properly configured - Aligned with your email infrastructure
  • Complete - All required fields present
  • Validated - Passing technical validation checks
  • Monitored - Change detection enabled

A score of 95+ is excellent. Below 80 indicates problems that could affect email delivery or security.

Checked Records

SpoofWard validates these DNS records for your domain:

1. DMARC Record (Critical)

Location: _dmarc.yourdomain.com

What it does: Specifies your domain's email authentication policy and where to send reports.

Required fields:

  • v=DMARC1 - Version (always DMARC1)
  • p= - Policy (none, quarantine, or reject)
  • rua= - Aggregate report address (should be [email protected] for SpoofWard users)
  • ruf= - Forensic report address (recommended)

Example:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Common issues:

  • Report addresses not pointing to [email protected] (SpoofWard can't receive reports)
  • Policy set to p=reject without proper SPF/DKIM alignment
  • Missing rua field (no reports being sent anywhere)

Critical

Without a valid DMARC record pointing to SpoofWard, we can't monitor your domain. This is the first thing to set up.
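
The required-field and common-issue checks above, as an added example that is not SpoofWard's own code. The reporting mailbox dmarc-reports@monitor.example is a placeholder standing in for whatever address your monitoring service assigns; the record in EXAMPLE is constructed in the shape of the example above.

```python
REPORT_ADDRESS = "dmarc-reports@monitor.example"   # placeholder for the monitoring service's mailbox

def parse_tags(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names lower-cased, values kept verbatim."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: str, expected_rua: str = REPORT_ADDRESS):
    """Return (errors, warnings) for the required-field and common-issue checks listed above."""
    errors, warnings = [], []
    tags = parse_tags(record)
    if not record.strip().lower().startswith("v=dmarc1"):
        errors.append("v=DMARC1 must be present and must be the first tag")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        errors.append("p= must be none, quarantine or reject")
    rua = tags.get("rua")
    if not rua:
        errors.append("rua= missing: no aggregate reports are sent anywhere")
    else:
        targets = [t.strip().lower() for t in rua.split(",")]
        if any(not t.startswith("mailto:") for t in targets):
            errors.append("every rua= target must use the mailto: scheme")
        if "mailto:" + expected_rua.lower() not in targets:
            errors.append(f"rua= does not include mailto:{expected_rua}: the monitor gets no reports")
    if "ruf" not in tags:
        warnings.append("ruf= missing: forensic reports are recommended")
    if policy == "reject":
        warnings.append("p=reject: confirm SPF/DKIM alignment first, or legitimate mail is rejected")
    return errors, warnings

# Constructed record in the shape of the page's example, pointing at the placeholder address.
EXAMPLE = (f"v=DMARC1; p=none; rua=mailto:{REPORT_ADDRESS}; "
           f"ruf=mailto:{REPORT_ADDRESS}; fo=1")
```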

2. SPF Record (Highly Important)

Location: Root of your domain (e.g., yourdomain.com)

What it does: Specifies which IP addresses and mail servers can send email from your domain.

Required fields:

  • v=spf1 - Version (always spf1)
  • Include/IP entries - Mail servers you authorize
  • ~all or -all - Soft fail (~all) or hard fail (-all) for every sender not listed

Example:

v=spf1 include:sendgrid.net include:_spf.google.com ~all

SpoofWard checks for:

  • Correct version (v=spf1)
  • Valid syntax (proper include: and ip4: statements)
  • DNS lookup count (must be under 10 to avoid hitting SPF limits)
  • Alignment with DMARC policy (if p=reject, -all vs ~all matters)

Common issues:

  • Too many DNS lookups (complex SPF records with many includes)
  • Incorrect syntax or typos
  • Using +all (too permissive)
  • Missing authorized senders (legitimate email fails)
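
The lookup-count and all-mechanism checks above, as an added example that is not SpoofWard's own code. It resolves include: and redirect= against a constructed in-memory zone rather than live DNS; every domain name and address in ZONE is made up for the example.

```python
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")   # each costs one DNS lookup (RFC 7208)

# Constructed in-memory zone (domain -> SPF TXT record); none of these names or addresses are real.
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:crm.example mx ~all",
    "_spf.mail.example": "v=spf1 ip4:192.0.2.0/24 include:r1.mail.example include:r2.mail.example -all",
    "r1.mail.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "r2.mail.example": "v=spf1 a mx -all",
    "crm.example": "v=spf1 redirect=_spf.crm.example",
    "_spf.crm.example": "v=spf1 ip6:2001:db8::/32 exists:%{i}.spf.crm.example ~all",
    "open.example": "v=spf1 include:_spf.mail.example +all",
    "loop.example": "v=spf1 include:loop.example -all",
}

def spf_lookups(domain: str, zone: dict, path: tuple = ()) -> int:
    """Total DNS lookups needed to evaluate `domain`'s record, following include: and redirect=."""
    if domain in path:
        raise ValueError(f"include/redirect loop via {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record published for {domain}")
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                               # drop the qualifier
        if term.lower().startswith("redirect="):
            count += 1 + spf_lookups(term.split("=", 1)[1], zone, path + (domain,))
            continue
        name = term.split(":", 1)[0].split("/", 1)[0].lower()    # "a", "a:host", "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            count += 1
            if name == "include":
                count += spf_lookups(term.split(":", 1)[1], zone, path + (domain,))
    return count

def check_spf(domain: str, zone: dict):
    """Return (lookup_count, issues) for the lookup-limit and all-mechanism checks listed above."""
    issues = []
    terms = zone[domain].split()[1:]
    count = spf_lookups(domain, zone)
    if count > 10:
        issues.append(f"{count} DNS lookups exceed the limit of 10: receivers return permerror")
    elif count >= 8:
        issues.append(f"{count} DNS lookups: approaching the limit of 10, flatten or trim includes")
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        issues.append("+all authorizes every sender on the internet")
    elif last not in ("~all", "-all") and not last.startswith("redirect="):
        issues.append("record should end with ~all or -all")
    return count, issues
```

Evaluating example.com walks two levels of includes plus a redirect and lands on 9 lookups, which is why nested vendor includes exhaust the limit faster than the top-level record suggests.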

3. DKIM Records (Highly Important)

Location: Multiple selectors, typically selector1._domainkey.yourdomain.com

What it does: Publishes the public keys that receiving servers use to verify the DKIM signatures on email sent from your domain.

Required fields:

  • v=DKIM1 - Version (always DKIM1)
  • k=rsa - Key type (always rsa)
  • p= - Public key (long base64 string)

Example:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa...

SpoofWard checks for:

  • Valid DKIM key format and length
  • Correct version and key type
  • Key size (typically 2048-bit RSA)
  • Multiple selectors (indicates rotation/backup keys)

Common issues:

  • Incomplete or truncated keys
  • Key type mismatch (k= value incorrect)
  • Old or removed keys still published
  • Selectors that aren't actually used

Multiple DKIM Keys

It's normal to have multiple DKIM records at different selectors. This allows key rotation without affecting email delivery.
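
The key-format, key-type and key-size checks above, as an added example that is not SpoofWard's own code. It decodes the p= value far enough to read the RSA modulus size with a minimal DER reader (no third-party library); the 2048-bit test key is constructed from filler bytes and is not a usable key, and the page's own truncated example is included as SAMPLE_TRUNCATED so the truncation check can be seen to fire on it.

```python
import base64

def der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos -> (tag, value, next_pos); raises if the data ends early."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2     # IndexError on fewer than 2 bytes
    if length & 0x80:                                      # long form: low bits = length-of-length
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey; return the modulus size in bits."""
    _, body, _ = der_read(spki, 0)                         # outer SEQUENCE
    _, _algorithm, pos = der_read(body, 0)                 # AlgorithmIdentifier, not inspected here
    tag, bitstring, _ = der_read(body, pos)                # BIT STRING wrapping RSAPublicKey
    _, rsa, _ = der_read(bitstring[1:], 0)                 # bitstring[0] is the unused-bits count
    tag_n, modulus, _ = der_read(rsa, 0)                   # first INTEGER is the modulus
    if tag != 0x03 or tag_n != 0x02:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim(record: str) -> list:
    """Flag a wrong version/key type and an empty, truncated or undersized p= key."""
    tags = dict((k.strip(), v.strip()) for k, v in
                (t.split("=", 1) for t in record.split(";") if "=" in t))
    issues = []
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        issues.append("v= must be DKIM1 and k= must be rsa")
    key = tags.get("p", "")
    if not key:
        return issues + ["p= is empty: the key was revoked or never published"]
    try:                                                   # binascii.Error is a ValueError subclass
        bits = rsa_modulus_bits(base64.b64decode(key, validate=True))
    except (ValueError, IndexError):
        return issues + ["p= is not a complete base64 DER public key (truncated?)"]
    return issues + ([f"{bits}-bit RSA key: 2048-bit recommended"] if bits < 2048 else [])

def der(tag: int, content: bytes) -> bytes:                # minimal encoder for the test key only
    n = len(content)
    size = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")) + content
RSA_ALG = bytes.fromhex("06092a864886f70d0101010500")     # rsaEncryption OID + NULL parameters
def constructed_key(modulus: bytes) -> str:                # filler modulus, e=65537; not a real key
    rsa = der(0x30, der(0x02, b"\x00" + modulus) + der(0x02, b"\x01\x00\x01"))
    return base64.b64encode(der(0x30, der(0x30, RSA_ALG) + der(0x03, b"\x00" + rsa))).decode()

# The page's example key stops after 40 characters: its DER length prefix promises 159 bytes, so it reads as truncated.
SAMPLE_TRUNCATED = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa"
```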

4. MTA-STS Record (Optional but Recommended)

Location: _mta-sts.yourdomain.com

What it does: Tells mail servers that deliver email to your domain to require a TLS-encrypted connection to your MX hosts.

Required fields:

  • v=STSv1 - Version
  • id= - Policy ID (timestamp-based)

Example:

v=STSv1; id=2024010101;

Also requires a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

SpoofWard checks for:

  • Valid version
  • Policy ID format
  • Corresponding policy file accessibility and validity
  • Policy expiration (should be 1 year)

Common issues:

  • Missing policy file
  • Mismatched policy versions
  • Expired policy
  • HTTPS certificate issues on mta-sts subdomain
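
The record and policy-file checks above, as an added example that is not SpoofWard's own code. The HTTPS fetch is left out: check_mta_sts_policy takes the already-downloaded mta-sts.txt body plus the hostnames the domain's MX lookup returned (both constructed here), and the id= rule follows RFC 8461.

```python
import re

def check_mta_sts_record(txt: str) -> list:
    """The _mta-sts TXT record: v=STSv1 comes first and id= is 1-32 letters/digits (RFC 8461)."""
    tags = dict((k.strip(), v.strip()) for k, v in
                (t.split("=", 1) for t in txt.split(";") if "=" in t))
    issues = []
    if not txt.strip().startswith("v=STSv1"):
        issues.append("record must begin with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", tags.get("id", "")):
        issues.append("id= must be 1-32 letters/digits and must change whenever the policy file changes")
    return issues

def mx_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches exactly one extra leading label; anything else is an exact match."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host

def check_mta_sts_policy(policy: str, mx_hosts: list) -> list:
    """Validate an mta-sts.txt body against the hostnames the domain's MX records return."""
    fields = {}
    for line in policy.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields.setdefault(key.strip(), []).append(value.strip())
    issues = []
    if fields.get("version") != ["STSv1"]:
        issues.append("version must be STSv1")
    mode = fields.get("mode", [""])[0]
    if mode not in ("enforce", "testing", "none"):
        issues.append("mode must be enforce, testing or none")
    try:
        max_age = int(fields.get("max_age", ["-1"])[0])
    except ValueError:
        max_age = -1
    if not 0 <= max_age <= 31557600:
        issues.append("max_age must be an integer from 0 to 31557600 seconds")
    elif max_age < 31557600:
        issues.append(f"max_age {max_age}s is shorter than the one-year value recommended above")
    if mode != "none":                      # in enforce/testing every real MX must match an mx: line
        for host in mx_hosts:
            if not any(mx_matches(p, host) for p in fields.get("mx", [])):
                issues.append(f"MX {host} matches no mx: line (enforce mode would refuse delivery to it)")
    return issues

# Constructed inputs: the policy file served for example.com and the MX names its DNS returns.
POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.backup.example\nmax_age: 31557600\n"
MX_HOSTS = ["mail.example.com", "mx2.backup.example"]
```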

5. BIMI Record (Optional)

Location: default._bimi.yourdomain.com

What it does: Links your logo/brand image for display in email clients that support BIMI.

Required fields:

  • v=BIMI1 - Version
  • l= - Logo URL (points to SVG image)
  • a= - VMC issuer authorization (optional, for certificate-based BIMI)

Example:

v=BIMI1; l=https://example.com/logo.svg;

SpoofWard checks for:

  • Valid version and format
  • Logo URL accessibility and SVG validity
  • VMC certificate validity (if using certificate BIMI)
  • DMARC policy enforcement (p=quarantine or p=reject required)

Common issues:

  • Logo URL returning 404
  • Non-SVG image format
  • DMARC policy not strict enough for BIMI display

Detailed Health Report

Click "View Full DNS Health" to see:

Record Status

For each record type:

  • Status - Pass (green), Warning (yellow), or Fail (red)
  • Last Checked - When we last validated
  • Details - Specific validation results
  • Recommendations - How to fix any issues

Change History

Track when DNS records were modified:

  • Date Changed - When we detected the change
  • Record Type - Which record was modified
  • Previous Value - What it was before
  • Current Value - What it is now

This helps identify accidental changes or troubleshoot problems after updates.

Validation Details

Expand each record to see:

  • Full record content
  • Field-by-field validation
  • Parsing errors or warnings
  • Alignment with DMARC policy
  • Comparison against best practices

Improving Your Score

Fix Critical Issues First

  1. DMARC Record - Ensure it exists and points to [email protected]
  2. SPF Record - Validate syntax and ensure it includes all authorized senders
  3. DKIM Records - Verify keys are published for all mail servers

Address Warnings

Yellow warnings won't break email but should be addressed:

  • DNS Lookup Count (SPF) - If approaching 10 lookups, flatten/optimize your SPF
  • Key Rotation - Removed DKIM selectors should be cleaned up
  • Policy Updates - MTA-STS and BIMI policies nearing expiration should be renewed

Strengthen Your Infrastructure

Once basics are solid:

  1. Enable MTA-STS - Require TLS for inbound connections
  2. Set up BIMI - Display your logo in supported email clients
  3. Plan Enforcement - Transition from p=none to p=quarantine to p=reject
  4. Monitor Changes - Enable alerts when DNS records are modified

DNS Record Editing Tools

SpoofWard provides tools to help you create correctly formatted records:

  • DMARC Generator - Create and validate DMARC records
  • SPF Builder - Build SPF records visually with step-by-step guidance
  • DKIM Checker - Validate your DKIM keys
  • MTA-STS Wizard - Set up MTA-STS policies
  • BIMI Wizard - Configure BIMI with logo/certificate validation

Hosted DNS (Pro Plan+)

Managing DNS manually across multiple providers is error-prone. SpoofWard's Hosted DNS service (Pro, Business, Enterprise plans) lets you:

  • Delegate your domain to SpoofWard's nameservers
  • Manage all records in one place
  • Get automatic DMARC/SPF/DKIM/MTA-STS configuration
  • Enable DNS change alerts
  • Simplify domain transitions

Alerts

Enable DNS health alerts to be notified when:

  • Records fail validation
  • Score drops below a threshold
  • DNS records are modified unexpectedly
  • Policies are approaching expiration

Configure alert destinations in Organization Settings.

FAQ

Why did my health score drop after updating records?

SpoofWard re-validates your DNS records after changes. If new records have issues, the score reflects that. Check the detailed report to see what changed.

Can subdomains have different scores?

Yes. Each domain (root and subdomains) has independent DNS records and health scores. Subdomains inherit some settings from the root domain's DMARC policy.

How often are records checked?

SpoofWard checks your DNS records daily. We monitor for changes in real-time and validate syntax immediately.

What if my DNS provider doesn't support TXT records?

All modern DNS providers support TXT records. Even domain registrars' basic DNS management includes this. Contact your provider's support if needed.
