Authentication, visibility, and drift control for your domain.

SPF, DKIM, DMARC, MX, MTA-STS, TLS-RPT, BIMI, and DNSSEC across three resolvers in about 15 seconds. PDF report on request.

Pick the services you send from. We assemble the TXT record and count DNS lookups so you don't blow the RFC-7208 10-lookup limit.

Already have an SPF record? We resolve the whole include/redirect tree and count the real number of DNS lookups — the one that breaks mail when it crosses 10.

Build a v=DMARC1 record with the right policy and reporting address, plus a guided rollout from monitor (p=none) to full enforcement (p=reject).

Paste your DMARC TXT record. Per-tag grading + plain-English fixes. No DNS lookup — bring your own record.

Paste your DKIM TXT record. Tag-by-tag grading, key-size estimate, and revocation detection. No DNS lookup — bring your own record.

Ingest aggregate reports from your rua= mailbox. Per-source alignment, untrusted-sender flags, guided path from p=none → p=reject.

Resolve your BIMI DNS record, fetch the SVG, and flag Gmail-blocking issues: size, content-type, missing VMC, DMARC enforcement.

Pick your MX hosts and a mode (enforce / testing / none). Emits the policy file you host at mta-sts.<domain>/.well-known/mta-sts.txt plus the DNS TXT record.

Subscribe to daily TLS/MTA-STS/DANE failure reports from sending MTAs. Two tabs: build a fresh TXT record, or paste one for tag-by-tag grading.

Daily (Starter) or 6-hour (Pro) rescans with field-level drift detection. Email, Slack, and webhook alerts the moment anything changes.