RedScore.ai

Email Security

150 points total

Assesses inbound mail posture and authentication — gated by MX: most checks run only when a non-null MX record exists (the domain is treated as receiving mail). A null MX (RFC 7505, priority 0, hostname “.”) explicitly declares no inbound mail; those domains skip inbound policy checks. Bare absence of any MX earns partial credit on the MX hygiene check (not a full pass) until you publish a null MX or real MXs.

Checks

| Check | Weight |
|---|---|
| MX Presence & Hygiene (email_mx_presence_and_hygiene) | 20 pts |
| SPF Policy Strength (email_spf_policy_strength) | 25 pts |
| DMARC Policy Enforcement (email_dmarc_policy_enforcement) | 30 pts |
| DMARC Subdomain Policy (sp=) (email_dmarc_subdomain_policy) | 15 pts |
| DMARC Reporting (rua) (email_dmarc_reporting) | 10 pts |
| MTA-STS DNS (SMTP TLS) (email_mta_sts) | 15 pts |
| TLS-RPT (email_tls_rpt) | 10 pts |
| SPF DNS Lookup Budget (email_spf_lookup_count) | 10 pts |
| DKIM Key Validation (selectors) (email_dkim_validation) | 15 pts |
| DKIM Selector Discovery (email_dkim_selector_discovery) | info |

Pass / Warn / Fail Logic

For many checks, earned points follow the verdict: full weight on pass, partial credit on some checks for warn, and none on fail. Where it matters, we spell out the points below.

MX Presence & Hygiene

Pass if any non-null MX exists (domain receives mail) or only a null MX (explicit no inbound mail). Warn with ~77.5% credit if there are zero MX records (encourages RFC 7505 null MX). Other email checks are not applicable unless non-null MX exists.

Points (this check)

Scored on its own 20-point weight. Non-null MX and null-MX-only pass at full weight. Bare no-MX earns ~15.5/20 (77.5%) to encourage an explicit declaration. When there is no non-null MX, category points_possible is 20 (hygiene only).

SPF Policy Strength

Pass if -all; warn if ~all; fail if +all or missing. Not applicable if only null MX or no MX (no inbound mail path).

DMARC Policy Enforcement

Pass if p=reject or p=quarantine; warn if p=none; fail if no DMARC. Not applicable without non-null MX.

DMARC Subdomain Policy (sp=)

Pass if sp= or inherited root policy is reject/quarantine; warn on sp=none or weak alignment. Not applicable without non-null MX.

DMARC Reporting (rua)

Pass if rua= is present; warn if DMARC exists but rua is missing; fail if no DMARC. Not applicable without non-null MX.
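The MX gating and the SPF and DMARC verdict rules above, as an added example that is not RedScore's own code. Function names, the `undefined` result for SPF endings the page does not cover, and treating a missing or unrecognised `p=` as warn are assumptions.

```python
NULL_MX = (0, ".")                   # RFC 7505: priority 0, hostname "."
ENFORCING = {"reject", "quarantine"}

def mx_state(mx_records):
    """Classify (priority, host) pairs: receives_mail, null_mx or no_mx."""
    hosts = [(prio, host.lower()) for prio, host in mx_records]
    if any(host != "." for _, host in hosts):
        return "receives_mail"
    return "null_mx" if NULL_MX in hosts else "no_mx"

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def spf_verdict(spf):
    terms = (spf or "").lower().split()
    if not terms or terms[0] != "v=spf1" or "+all" in terms or "all" in terms:
        return "fail"                # missing, or +all (bare "all" means +all)
    if "-all" in terms:
        return "pass"
    # ?all or no "all" term: not defined on the page, reported as such here
    return "warn" if "~all" in terms else "undefined"

def dmarc_verdicts(dmarc):
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        # The page does not state the sp= verdict when DMARC is absent.
        return {"dmarc_policy": "fail", "dmarc_reporting": "fail"}
    tags = parse_tags(dmarc)
    p = tags.get("p", "").lower()    # assumption: missing/unknown p= is warn
    sp = tags.get("sp", p).lower()   # sp= inherits the root policy when absent
    return {"dmarc_policy": "pass" if p in ENFORCING else "warn",
            "dmarc_subdomain": "pass" if sp in ENFORCING else "warn",
            "dmarc_reporting": "pass" if tags.get("rua") else "warn"}

def evaluate(mx_records, spf=None, dmarc=None):
    """Apply MX gating, then the SPF and DMARC checks if mail is received."""
    state = mx_state(mx_records)
    result = {"mx": "warn" if state == "no_mx" else "pass",
              "mx_points": 15.5 if state == "no_mx" else 20.0,
              "applicable": state == "receives_mail"}
    if result["applicable"]:
        result["spf"] = spf_verdict(spf)
        result.update(dmarc_verdicts(dmarc))
    return result
```

Calling `evaluate([(0, ".")])` shows the gating: the MX check passes at full weight and no SPF or DMARC verdicts are produced.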

MTA-STS DNS (SMTP TLS)

Pass if a well-formed record with id= is published; warn if present but malformed; fail if missing. Not applicable without non-null MX.

TLS-RPT

Pass if a TLS-RPT record with rua= is published; warn if a record exists without rua=; fail if missing. Not applicable without non-null MX.

SPF DNS Lookup Budget

Pass if under 8 lookups; warn at 8–10 or if recursion guard trips; fail above 10. Not applicable without non-null MX.
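How a lookup budget like this can be counted, as an added example that is not RedScore's own code: it walks include: and redirect= chains over a constructed zone table instead of live DNS. The zone data, `MAX_DEPTH` and the function names are assumptions; the counted terms are the ones RFC 7208 charges against the 10-lookup limit.

```python
# Constructed TXT records standing in for DNS answers.
ZONE = {
    "example.test": "v=spf1 mx a include:_spf.mail.example.test "
                    "include:_spf.crm.example.test ~all",
    "_spf.mail.example.test": "v=spf1 include:_a.mail.example.test "
                              "include:_b.mail.example.test -all",
    "_a.mail.example.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "_b.mail.example.test": "v=spf1 exists:%{i}.bl.example.test -all",
    "_spf.crm.example.test": "v=spf1 a:out.crm.example.test "
                             "redirect=_spf2.crm.example.test",
    "_spf2.crm.example.test": "v=spf1 ip6:2001:db8::/32 -all",
    "loop.test": "v=spf1 include:loop.test -all",
}
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")  # plus redirect=
MAX_DEPTH = 10  # hypothetical recursion guard

def count_lookups(domain, zone, depth=0, seen=frozenset()):
    """Return (lookups, guard_tripped) for the SPF record of `domain`."""
    if depth > MAX_DEPTH or domain in seen:
        return 0, True               # too deep, or an include/redirect loop
    seen = seen | {domain}
    total, tripped = 0, False
    for term in zone.get(domain, "").split()[1:]:   # skip "v=spf1"
        term = term.lstrip("+-~?").lower()
        sep = "=" if term.startswith("redirect=") else ":"
        name, _, target = term.partition(sep)
        name = name.split("/")[0]    # "a/24" counts as "a"
        if name in LOOKUP_MECHS or name == "redirect":
            total += 1
            if name in ("include", "redirect") and target:
                sub, hit = count_lookups(target, zone, depth + 1, seen)
                total, tripped = total + sub, tripped or hit
    return total, tripped

def budget_verdict(lookups, tripped):
    """Thresholds from the page: <8 pass, 8-10 or guard trip warn, >10 fail."""
    if lookups > 10:
        return "fail"
    return "warn" if lookups >= 8 or tripped else "pass"
```

The ip4 and ip6 mechanisms cost nothing here, which is why the remediation for an exceeded budget favours them over include: chains.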

DKIM Key Validation (selectors)

Pass if a valid key exists; warn if only revoked (empty p=); inconclusive (neutral credit) if no DKIM TXT is seen at sampled names — passive DNS cannot prove absence. Not applicable without non-null MX.

DKIM Selector Discovery

Informational only — passive scans cannot see all selectors. Not scored toward category points. Not applicable without non-null MX for consistency with other inbound checks.

Points (this check)

Zero points in posture; findings are advisory to avoid penalizing custom selectors.

Findings & How to Fix Them

These are the specific findings RedScore may report for this category, along with remediation guidance.

[high] SPF Record Missing (EMAIL_SPF_MISSING)

Publish an SPF TXT record for your root domain and use a restrictive policy ending in -all.

[high] DMARC Record Missing (EMAIL_DMARC_MISSING)

Publish a DMARC record at _dmarc.<domain> with at least p=none and move to p=quarantine/reject.

[high] No MX declaration (EMAIL_NULL_MX_MISSING)

No MX records were found. If the domain does not receive inbound mail, publish a single null MX (RFC 7505: priority 0, hostname .).

[high] DMARC subdomain policy missing (EMAIL_DMARC_SUBDOMAIN_NO_POLICY)

Publish DMARC with sp=quarantine or sp=reject where appropriate so subdomains are not left on a default weak policy.

[high] MTA-STS not published (EMAIL_MTA_STS_MISSING)

Publish MTA-STS at _mta-sts.<domain> with v=STSv1 and a stable id= to enforce SMTP TLS.

[high] TLS-RPT missing (EMAIL_TLS_RPT_MISSING)

Publish _smtp._tls TXT with v=TLSRPTv1 and rua= for inbound TLS failure visibility.

[high] SPF lookup limit exceeded (EMAIL_SPF_LOOKUP_EXCEEDED)

Reduce include: chains and prefer ip4/ip6 mechanisms so SPF stays within 10 DNS lookups (RFC 7208).

[high] No valid DKIM keys at sampled selectors (EMAIL_DKIM_NO_VALID_KEYS)

Publish at least one DKIM TXT with a non-empty p= at an active selector.

[medium] SPF Policy Too Permissive (EMAIL_SPF_WEAK_POLICY)

Harden SPF policy toward -all to prevent unauthorized senders from passing SPF checks.

[medium] DMARC Not Enforced (EMAIL_DMARC_NON_ENFORCED)

Set DMARC policy to p=quarantine or p=reject to enforce anti-spoofing protections.

[medium] DKIM Not Found (EMAIL_DKIM_NOT_FOUND)

If you use a custom DKIM selector not in our test list, this may be a false negative. Otherwise publish a DKIM TXT at <selector>._domainkey and ensure your mail flow signs with it.

[medium] MX Records Missing (EMAIL_MX_MISSING)

If mail is used, publish valid MX records. If mail is not used, publish a null MX record (MX 0 .).

[medium] DMARC subdomain policy weak (EMAIL_DMARC_SUBDOMAIN_POLICY_NONE)

Strengthen sp= or root p= so spoofing is not tolerated on subdomains.

[medium] DMARC reporting missing (EMAIL_DMARC_NO_REPORTING)

Add rua= to your DMARC record so you receive aggregate reports on authentication failures.

[medium] MTA-STS malformed (EMAIL_MTA_STS_MALFORMED)

Ensure the MTA-STS TXT includes both v=STSv1 and id= as required.

[medium] TLS-RPT without rua (EMAIL_TLS_RPT_NO_ENDPOINT)

Add rua= to the TLS-RPT record so reports have a destination.

[medium] SPF lookups near limit (EMAIL_SPF_LOOKUP_NEAR_LIMIT)

SPF is close to the 10-lookup cap; flatten or simplify before adding more senders.

[medium] DKIM keys revoked (EMAIL_DKIM_KEYS_REVOKED)

Replace empty p= (revoked) keys with a new active key.

[low] DKIM not observed at sampled selectors (EMAIL_DKIM_INCONCLUSIVE)

No DKIM record was found at the names we probed (provider-aware, capped). Custom selectors are common — this is not proof DKIM is missing.