Improving Your Security Score

Your SpoofWard security score reflects how well your email authentication is configured. This guide provides practical steps to improve your DMARC compliance score and overall email security posture.

Understanding Your Score

Your security score (0-100) is based on:

  • DMARC Pass Rate - % of email passing authentication (40% weight)
  • SPF Configuration - Valid SPF record with proper senders (20% weight)
  • DKIM Configuration - Active DKIM keys published correctly (20% weight)
  • DMARC Policy - Enforcement level (p=none/quarantine/reject) (15% weight)
  • DNS Health - Overall DNS record validation (5% weight)

A score above 85 is good; 95+ is excellent.

Step-by-Step Improvement Plan

Step 1: Assess Current State (Week 1)

Start by understanding where you are:

  1. Open SpoofWard Dashboard → Select your domain
  2. Note your current score in the overview
  3. Review breakdown - Which component is lowest?
  4. Check DNS Health - Review any warnings or failures
  5. List your senders - Go to Email Sources, screenshot the list

Step 2: Identify Failing Senders (Week 1)

Review your DMARC reports to find authentication failures:

  1. Go to DMARC → Reports
  2. Look at the last 7 days
  3. Identify senders with high failure rate
  4. Check their status - Authorized or unknown?
  5. Research each one - Is it legitimate?

Create a spreadsheet:

| Service | Volume | Pass Rate | Status | Next Action |
|---------|--------|-----------|--------|-------------|
| SendGrid | 5,000 | 95% | Authorized | Monitor |
| Unknown IP | 200 | 10% | Unknown | Investigate |
| Office 365 | 50,000 | 100% | Authorized | Monitor |
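
The same per-sender breakdown can be computed directly from a raw DMARC aggregate (rua) report. The sketch below is an added example, not SpoofWard code: the report rows are constructed to mirror the table above, the IP addresses are documentation placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report rows: (source_ip, count, aligned DKIM result, aligned SPF result).
_ROW = ("<record><row><source_ip>{}</source_ip><count>{}</count><policy_evaluated>"
        "<disposition>none</disposition><dkim>{}</dkim><spf>{}</spf>"
        "</policy_evaluated></row></record>")
SAMPLE_REPORT = "<feedback>" + "".join(_ROW.format(*r) for r in [
    ("192.0.2.10", 4750, "pass", "pass"),
    ("192.0.2.10", 250, "fail", "fail"),
    ("198.51.100.77", 20, "fail", "pass"),
    ("198.51.100.77", 180, "fail", "fail"),
    ("203.0.113.5", 50000, "pass", "pass"),
]) + "</feedback>"


def sender_totals(xml_text):
    """Return {source_ip: (volume, messages_passing_dmarc)} for one report."""
    # Reports arrive from third parties: for real mailbox input, prefer a
    # hardened XML parser (e.g. defusedxml) over the standard-library one.
    totals = defaultdict(lambda: [0, 0])
    for record in ET.fromstring(xml_text).iter("record"):
        row = record.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either aligned result (DKIM or SPF) is "pass".
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = totals[row.findtext("source_ip")]
        entry[0] += count
        entry[1] += count if passed else 0
    return {ip: tuple(t) for ip, t in totals.items()}


def below_threshold(totals, threshold=0.95):
    """Source IPs whose own pass rate is under the threshold, worst first."""
    rate = {ip: ok / vol for ip, (vol, ok) in totals.items()}
    return sorted((ip for ip in rate if rate[ip] < threshold), key=rate.get)


def overall_pass_rate(totals):
    """Domain-wide pass rate across all sources in the report."""
    return sum(ok for _, ok in totals.values()) / sum(v for v, _ in totals.values())


if __name__ == "__main__":
    totals = sender_totals(SAMPLE_REPORT)
    for ip, (vol, ok) in totals.items():
        print(f"{ip:15} volume={vol:6} pass={ok / vol:.0%}")
    print(f"overall={overall_pass_rate(totals):.1%} investigate={below_threshold(totals)}")
```

On this sample the domain-wide rate is above 99% while one source passes only 10% of its mail, which is why the review is done per sender rather than on the headline number.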

Step 3: Fix SPF Configuration (Week 1-2)

SPF (Sender Policy Framework) is the foundation:

Current situation assessment:

  1. DNS → Records - Look at your current SPF record
  2. Check validity - Does it start with v=spf1?
  3. Count DNS lookups - Use the SPF Flattener tool
  4. Identify includes - Which mail services are authorized?

To improve:

  1. Add discovered services - For each authorized sender, add their include:

     v=spf1 include:sendgrid.net include:mailchimp.com ~all

  2. Remove old services - Any includes for services you no longer use?
  3. Use SPF Builder - Go to Tools → SPF Builder:
     • Load your current record
     • Add each authorized service
     • Review DNS lookup count (max 10)
     • Export the optimized record
  4. Test before publishing:
     • Use SPF Checker tool
     • Verify no syntax errors
     • Confirm lookup count is acceptable
  5. Update DNS - Publish the new record in your DNS provider
  6. Wait for propagation - 24-48 hours
  7. Verify - Use SPF Checker again to confirm

SPF Lookup Limit

SPF has a hard limit of 10 DNS lookups. If you exceed this, the record fails. Use the SPF Flattener to consolidate if needed.
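
How the lookup count adds up across nested includes is easiest to see in code. This is an added example, not the SPF Flattener's implementation: it walks a constructed zone (all domain names and records are made up) and counts the terms that cost a DNS query under RFC 7208, namely include, a, mx, ptr, exists and redirect. The void-lookup limit and per-MX name limits are not modelled.

```python
import re

# Constructed SPF TXT records standing in for live DNS (all names are examples).
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mail.example include:_spf.crm.example "
                   "include:_spf.news.example ip4:203.0.113.5 ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example "
                         "include:_c.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/26 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.64/26 ~all",
    "_c.mail.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example": "v=spf1 a mx include:_ips.crm.example ~all",
    "_ips.crm.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_spf.news.example": "v=spf1 exists:%{i}._chk.news.example redirect=_ips.news.example",
    "_ips.news.example": "v=spf1 ip4:192.0.2.128/25 -all",
}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS query
LIMIT = 10


def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms reachable from domain's SPF record."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if record.lower().split()[:1] != ["v=spf1"]:
        raise ValueError(f"no SPF record found for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # the qualifier does not affect the count
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
            continue
        name, target = re.match(r"([A-Za-z0-9]*)(?::([^/]+))?", term).groups()
        if name.lower() in LOOKUP_MECHANISMS:
            total += 1
        if name.lower() == "include":  # nested records count against the same budget
            total += count_lookups(target, zone, path + (domain,))
    return total


def within_limit(domain, zone):
    """True when the record's worst-case lookup count fits the SPF limit."""
    return count_lookups(domain, zone) <= LIMIT
```

The top-level record here lists only four lookup terms, yet the total is 12 once the vendors' own nested includes are followed; dropping the unused CRM include brings it to 8.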

Step 4: Configure DKIM Keys (Week 2-3)

DKIM (DomainKeys Identified Mail) adds cryptographic signatures:

Assessment:

  1. DNS → Records - Check DKIM status
  2. DKIM Checker - Test your keys:
     • Go to Tools → DKIM Checker
     • Enter each selector (default, selector1, etc.)
     • Verify keys are valid
  3. Identify gaps - Which mail servers lack DKIM?

To improve:

  1. For known services (Office 365, Google Workspace, etc.):
     • Follow their DKIM setup guides
     • Generate or provision keys
     • Add to DNS with correct selector
     • Test with DKIM Checker
  2. For unknown senders:
     • Contact them for DKIM configuration
     • Request their DKIM selector and public key
     • Publish in DNS
     • Test
  3. For internal mail servers:
     • Configure DKIM signing
     • Generate or obtain private key
     • Publish public key in DNS
     • Ensure From header domain matches
  4. Verify configuration:
     • Send test email from each sender
     • Check DMARC reports 24 hours later
     • Confirm DKIM now passes

Step 5: Update DMARC Record (Week 3)

Ensure your DMARC record is properly configured:

Current record:

Go to DNS → Records and verify your DMARC record exists at _dmarc.yourdomain.com:


v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Improve it:

  1. Reports pointing to SpoofWard? - Ensure rua=mailto:[email protected]
  2. Forensic reports enabled? - ruf=mailto:[email protected] recommended
  3. Failure reporting - fo=1 sends forensic reports on any failure
  4. DKIM alignment - Consider adkim=r (relaxed, default) or adkim=s (strict)
  5. SPF alignment - Consider aspf=r (relaxed, default) or aspf=s (strict)

Use DMARC Generator (Tools → DMARC Generator) to validate:

  1. Paste your record
  2. Tool validates syntax
  3. Shows interpretation of all fields
  4. Highlights any issues
  5. Suggests improvements
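
The checks listed in this step can also be scripted for use in a DNS change review. The linter below is an added example, not the DMARC Generator's logic: the function names are hypothetical, the sample record uses a placeholder report address, and only the tags discussed above are checked, with defaults taken from RFC 7489.

```python
import re

# Constructed sample record; the report address is a placeholder.
SAMPLE_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; "
                 "ruf=mailto:dmarc-reports@example.com; fo=1")
DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0"}  # applied when a tag is absent
MAILTO = re.compile(r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?")


def parse_tags(txt):
    """Split a DMARC TXT value into a tag dict, keeping the published order."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(txt):
    """Return (effective_settings, issues) for one DMARC record string."""
    tags, issues = parse_tags(txt), []
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        issues.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        issues.append("p must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            issues.append(f"{tag} must be r (relaxed) or s (strict)")
    if not set(tags.get("fo", "0").split(":")) <= {"0", "1", "d", "s"}:
        issues.append("fo accepts only 0, 1, d and s, colon-separated")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not MAILTO.fullmatch(uri):
                issues.append(f"{tag} entry is not a mailto: URI: {uri}")
    if "rua" not in tags:
        issues.append("no rua tag: no aggregate reports will be received")
    if "fo" in tags and "ruf" not in tags:
        issues.append("fo is ignored when no ruf address is published")
    return {**DEFAULTS, **tags}, issues
```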

Step 6: Address DNS Health Warnings (Week 3-4)

Resolve any DNS issues:

  1. Go to DNS → Health Report
  2. Review warnings - Yellow or red items
  3. For each issue:
     • Read the description
     • Follow the recommendation
     • Fix in your DNS provider
     • Wait for propagation
     • Re-check

Common fixes:

  • SPF syntax error - Copy exact SPF record from SPF Builder
  • DKIM key incomplete - Ensure full public key is published
  • MTA-STS missing - Use MTA-STS Wizard to set up
  • BIMI record invalid - Use BIMI Wizard to configure

Step 7: Authorize and Block Senders (Week 4)

Classify your senders:

  1. Go to Email Sources
  2. For each sender:

If legitimate:

  • Click → Authorize
  • Removes from "investigate" list
  • Add note: "Our marketing platform" or similar

If suspicious:

  • Click → Block
  • Flags as unauthenticated
  • Add note: "Blocked due to suspicious activity"

If unsure:

  • Click → Investigate
  • Research the IP and organization
  • Decide authorize/block based on findings

Score Improvement Timeline

Week 1: Baseline

  • Assess current score
  • Identify low-performing components
  • Create action plan

Week 2: SPF Configuration

  • Review and validate SPF
  • Add discovered services
  • Test and deploy
  • Expected improvement: +10-15 points

Week 3: DKIM Configuration

  • Set up DKIM for all senders
  • Publish keys
  • Test
  • Expected improvement: +15-20 points

Week 4: Cleanup & Validation

  • Update DMARC record if needed
  • Fix DNS health issues
  • Authorize/block senders
  • Expected improvement: +5-10 points

Total potential improvement: 40-50 points

Targeting Score Improvements

From 60→75 (Critical)

Focus: SPF and DKIM basics

  • Ensure DMARC record exists and is valid
  • Add major senders to SPF
  • Publish DKIM keys for main mail servers
  • Fix any DNS validation errors

Estimated time: 1-2 weeks

From 75→85 (Important)

Focus: All senders configured

  • Identify and configure ALL senders
  • Ensure DKIM alignment for all services
  • Optimize SPF lookup count
  • Enable proper failure reporting

Estimated time: 2-3 weeks

From 85→95 (Excellence)

Focus: Enforcement readiness

  • Verify 95%+ pass rate
  • Set up monitoring and alerts
  • Plan enforcement roadmap
  • Implement threat intelligence

Estimated time: 3-4 weeks

From 95→100 (Perfect)

Focus: Optimization

  • Set up MTA-STS and BIMI
  • Implement advanced threat detection
  • Regular monitoring and updates
  • Maintain enforcement status

Estimated time: Ongoing

Using Improvement Tools

SPF Flattener

If you have too many SPF includes:

  1. Tools → SPF Flattener
  2. Paste your SPF record
  3. Tool expands all includes to IP addresses
  4. Shows total DNS lookups
  5. Can generate flattened record

When to use: Only if exceeding 10 DNS lookups

Policy Assistant

For enforcement readiness:

  1. Tools → Enforcement Wizard (Pro+ plans)
  2. Guides you to p=quarantine when ready
  3. Then to p=reject when appropriate
  4. Handles DNS updates automatically

DNS Checker

Validate all DNS records:

  1. Tools → DNS Checker
  2. Enter your domain
  3. Scans all email auth records
  4. Shows status and issues
  5. Provides fix recommendations

Monitoring Progress

Weekly Check

  1. Dashboard - Review your score (should trend upward)
  2. DMARC Reports - Check pass rate trend
  3. Email Sources - Any new senders to configure?
  4. DNS Health - Any new warnings?

Monthly Review

  1. Detailed Report - Generate full report from SpoofWard
  2. Stakeholder Update - Share progress with team
  3. Identify Blockers - What's preventing further improvement?
  4. Plan Next Steps - Month 2-3 goals

Before Enforcement

Before moving to p=quarantine:

  1. Confirm 95%+ pass rate for 2+ weeks
  2. No critical DNS issues (score above 85)
  3. All senders identified and configured
  4. Team approval - Get management sign-off
  5. Backup plan - Know how to revert if needed

Common Improvement Scenarios

Scenario: Email from Mailchimp failing

Problem: You use Mailchimp but emails fail DMARC

Solution:

  1. Add to SPF: include:mailchimp.com
  2. Set up Mailchimp DKIM (in Mailchimp settings)
  3. Add DKIM record to DNS
  4. Wait 48 hours
  5. Verify in DMARC reports
  6. Score should improve

Scenario: Internal mail server failing

Problem: Your company's mail server sends from your domain but fails authentication

Solution:

  1. Configure server to include DKIM signing
  2. Add its IP to SPF: ip4:203.0.113.5
  3. Publish DKIM key
  4. Test with internal test email
  5. Verify in DMARC reports
  6. Score improves

Scenario: Too many SPF includes

Problem: Your SPF record hits DNS lookup limit (>10 lookups)

Solution:

  1. Remove unused services from SPF
  2. Consolidate services (use vendor aggregates if available)
  3. Use SPF Flattener for critical includes
  4. Consider moving to Hosted DNS (Pro+ plans)

Advanced Improvements (Pro+ Plans)

Threat Intelligence

  1. Go to DMARC → Threat Intelligence
  2. See flagged IPs and threats
  3. Block malicious senders
  4. Create alert rules for threats

BIMI Setup

  1. Go to Tools → BIMI Wizard
  2. Create or upload your logo
  3. Generate BIMI record
  4. Publish in DNS
  5. Logo displays in supported email clients

MTA-STS Configuration

  1. Go to Tools → MTA-STS Wizard
  2. Create policy file
  3. Configure HTTPS
  4. Publish record
  5. Require TLS for inbound email

Benchmarks

Industry Average: 72 score

  • Most organizations are in p=none
  • Many have incomplete SPF/DKIM

Good Performance: 85+ score

  • Proper SPF/DKIM for major senders
  • Planning enforcement

Excellent Performance: 95+ score

  • Complete sender configuration
  • Likely in enforcement (p=quarantine or p=reject)
  • Advanced features enabled

Your target: 95+ to reach enforcement level
