How We Grade
A grade is only useful if you can trust it, and you should never have to take a security tool's word for anything. So here is exactly what Email Posture measures, how it adds up to a letter grade, and how you can confirm every finding yourself. Nothing here is a black box.
What we check
For any domain you enter, we read its public DNS and evaluate the records that determine whether someone can impersonate you in email:
- DMARC: whether a policy exists and whether it actually enforces (p=quarantine or p=reject) rather than just monitoring (p=none), plus whether it covers subdomains and requests reports.
- SPF: whether the record exists, is well-formed, lists a sensible policy, and stays within the limits that keep it working.
- DKIM: whether signing keys can be detected. DKIM uses a selector that isn't discoverable from the outside, so we're careful here and never punish a domain for a key we simply can't see (more on that below).
- DNSSEC: whether your DNS records are cryptographically signed so they can't be forged in transit.
- MTA-STS and MX: whether your mail is set up to be delivered securely, and where it's delivered.
How the letter grade works
Each check produces one of four results, which we show as plain labels:
- OK: the control is in place and doing its job.
- Needs attention: present but weak, for example DMARC set to monitor-only.
- Exposed: missing or misconfigured in a way that leaves you open to spoofing.
- Not set: an optional protection that isn't configured.
The overall A-to-F grade is weighted toward the controls that actually stop impersonation. DMARC enforcement carries the most weight, because a domain without it can be spoofed regardless of anything else, with SPF and DNSSEC contributing meaningfully on top. The result is a score where the difference between an A and a C is the difference between "hard to impersonate" and "trivially spoofable today."
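To make the labels above concrete, here is an added example (my own code, not Email Posture's; the thresholds are one reading of the criteria described on this page, not the tool's exact scoring) that classifies constructed DMARC and SPF TXT records into the page's labels. The 10-lookup ceiling is SPF's own limit from RFC 7208; the records are invented test inputs, not real domains.

```python
def parse_tags(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_dmarc(record):
    """Return (label, reason) for the TXT record at _dmarc.<domain>; None means no record."""
    if record is None:
        return "Exposed", "no DMARC record: the domain can be spoofed outright"
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return "Exposed", "malformed DMARC record (bad v= or p= tag)"
    if policy == "none":
        return "Needs attention", "p=none only monitors; spoofed mail is still delivered"
    # sp= defaults to p= when absent, so subdomains are covered unless sp=none is set explicitly.
    if tags.get("sp", policy).lower() == "none":
        return "Needs attention", f"p={policy} but sp=none leaves subdomains unenforced"
    reports = "rua= requests aggregate reports" if "rua" in tags else "no rua=, so no reports"
    return "OK", f"p={policy} enforced; {reports}"

# Mechanisms and the modifier that each consume one of SPF's 10 allowed DNS lookups (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def term_name(term):
    """'+include:spf.example' -> 'include', 'a/24' -> 'a', 'redirect=other.example' -> 'redirect'."""
    name = term.lstrip("+-~?")
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name.lower()

def grade_spf(record):
    """Return (label, reason) for the domain's SPF TXT record; None means no record."""
    if record is None:
        return "Exposed", "no SPF record"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "Exposed", "record does not start with v=spf1"
    lookups = sum(term_name(t) in LOOKUP_TERMS for t in terms[1:])
    if lookups > 10:
        return "Exposed", f"{lookups} DNS lookups exceed the limit of 10; receivers treat the record as broken"
    last = terms[-1].lower()
    if last in ("-all", "~all"):
        return "OK", f"{lookups} lookups, terminal {last}"
    if last in ("+all", "all"):
        return "Exposed", "+all authorises any sender on the internet"
    return "Needs attention", "no fail-closed all mechanism (?all, missing, or delegated via redirect=)"
```

Feed it the TXT strings returned by a dig query for _dmarc.<domain> and <domain> to reproduce the two checks on a record you can see yourself.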
The one honest limitation: DKIM
We want to be upfront about this because it's the kind of detail other tools gloss over. DKIM keys live at a selector that an outside checker can't reliably discover. That means we can confirm DKIM when we can find it, but the absence of a detected key doesn't prove DKIM is missing. So DKIM is treated as a soft signal and never used to fail an otherwise-protected domain. We'd rather be accurate than alarmist.
What we never do
- We never send email to your domain or anyone on it. Every check is a passive, read-only DNS lookup.
- A one-off check from the homepage isn't stored or tied to your identity. We only read public records, the same data any mail server can already see.
- We don't need access to your account, your mailbox, or any credentials to grade a domain.
Verify it yourself
Because we only read public DNS, every finding is reproducible. You can run the same lookups we do with dig or any DNS-over-HTTPS endpoint and see the exact records we graded. We built the tool this way on purpose: the grade should be something you can check, not something you have to believe.
Run your domain and see the grade, with the exact records behind it.