Checks is a feature that helps you identify potential issues and misconfigurations with your domain.
It focuses on industry best practices and tries to highlight improvements that could be applied to the domain’s configuration.
How checks work
We scan your domain to identify the issues hourly, or whenever a change (like a new DMARC record) is detected.
When you make changes to your domain’s configuration, allow some time for the checks to refresh.
How to use checks
You can find the feature in the Checks tab of a domain:
- Open the dashboard.
- Choose a domain from the list.
- Navigate to the Checks tab.
There, you’ll find the list of checks organized by category, e.g. DMARC, TLSRPT, etc.
Each check in the list tells you what the scanner expected according to standards and best practises, and the colored icon signals whether the expectation was met.
The status of each check can either be:
- Ok → no action needed.
- Warning → a potential issue was detected and attention is needed.
- Error → an invalid configuration was detected and it must be fixed as soon as possible.
- Suggestion → it’s a best practice to enable or configure the specified feature.
- Not applicable → some checks aren’t always applicable, for example if there no DMARC record the policy check will be disabled.
List of checks
We currently perform the following checks on domains.
DMARC
- DMARC must be configured.
- There must be only a single DMARC record. Multiple records are an invalid configuration that prevents DMARC from working.
- DMARC record must be syntactically valid. You can find more about the validity of the record in the DMARC overview page. We validate the record to make sure that:
- No leading whitespace is present.
- Policy tag (
p
) is present. - Policy tag (
p
) is the second tag in the record. - All tag names are valid.
- All tag values are correctly formatted.
- No duplicate tags are present.
- No misplaced
mailto:
destinations are detected. - We currently don’t detect the following issues:
- Strict
fo
value compliance. - Missing
ruf
whenfo
is present. rua
andruf
URIs correctness.- A record not starting with
v=DMARC1
(leading whitespace is ignored) will be discarded and not shown at all.
- Strict
- Aggregate reports should be delivered to DMARCwise.
- DMARC compliance rate should be close to 100%.
- Policy should be set to
reject
for 100%.
TLSRPT
- TLSRPT should be configured.
- There must be only a single TLSRPT record. Multiple records are an invalid configuration that prevents TLSRPT from working.
- TLS reports should be delivered to DMARCwise.
- There should be only one address in the
rua
tag of the TLSRPT record for best compatibility. Some providers do not support multiple delivery locations.