Checks is a feature that helps you identify potential issues and misconfigurations with your domain.

It focuses on industry best practices and tries to highlight improvements that could be applied to the domain’s configuration.

Checks dashboard

How checks work

We scan your domain to identify the issues hourly, or whenever a change (like a new DMARC record) is detected.

When you make changes to your domain’s configuration, allow some time for the checks to refresh.

How to use checks

You can find the feature in the Checks tab of a domain:

  • Open the dashboard.
  • Choose a domain from the list.
  • Navigate to the Checks tab.

There, you’ll find the list of checks organized by category, e.g. DMARC, TLSRPT, etc.

Each check in the list tells you what the scanner expected according to standards and best practises, and the colored icon signals whether the expectation was met.

The status of each check can either be:

  • Ok → no action needed.
  • Warning → a potential issue was detected and attention is needed.
  • Error → an invalid configuration was detected and it must be fixed as soon as possible.
  • Suggestion → it’s a best practice to enable or configure the specified feature.
  • Not applicable → some checks aren’t always applicable, for example if there no DMARC record the policy check will be disabled.

List of checks

We currently perform the following checks on domains.

DMARC

  • DMARC must be configured.
  • There must be only a single DMARC record. Multiple records are an invalid configuration that prevents DMARC from working.
  • DMARC record must be syntactically valid. You can find more about the validity of the record in the DMARC overview page. We validate the record to make sure that:
    • No leading whitespace is present.
    • Policy tag (p) is present.
    • Policy tag (p) is the second tag in the record.
    • All tag names are valid.
    • All tag values are correctly formatted.
    • No duplicate tags are present.
    • No misplaced mailto: destinations are detected.
    • We currently don’t detect the following issues:
      • Strict fo value compliance.
      • Missing ruf when fo is present.
      • rua and ruf URIs correctness.
      • A record not starting with v=DMARC1 (leading whitespace is ignored) will be discarded and not shown at all.
  • Aggregate reports should be delivered to DMARCwise.
  • DMARC compliance rate should be close to 100%.
  • Policy should be set to reject for 100%.

TLSRPT

  • TLSRPT should be configured.
  • There must be only a single TLSRPT record. Multiple records are an invalid configuration that prevents TLSRPT from working.
  • TLS reports should be delivered to DMARCwise.
  • There should be only one address in the rua tag of the TLSRPT record for best compatibility. Some providers do not support multiple delivery locations.