Email authentication isn't one setting - it's five DNS records that work as a stack. This checker pulls all of them at once so you can see the whole picture instead of chasing one record at a time. Here's how to read that audit and fix it in the right order.
What a Full Audit Covers
A complete check looks at SPF (which servers may send), DKIM (a signature proving messages weren't altered), DMARC (the policy tying SPF and DKIM to your From domain), MTA-STS (enforced TLS encryption in transit), and TLS-RPT (reporting on encryption failures). A domain can pass one and fail the rest, so auditing them together is the only way to know you're actually protected.
Reading Your Results: Healthy vs Broken
- SPF - present, valid, and under ten DNS lookups. A PermError here quietly breaks DMARC.
- DMARC - present at
_dmarc, with a policy stronger thanp=noneand a reporting address. - DKIM - at least one active selector publishing a strong (2048-bit) key.
- MTA-STS / TLS-RPT - a published policy enforcing TLS, plus an address to receive failure reports.
The Order to Fix Things
Work bottom-up, because each layer depends on the one beneath it. Start with SPF - it's the foundation, and DMARC can't enforce without a passing, aligned SPF or DKIM result. Next confirm DKIM signing. Then raise your DMARC policy from none toward reject. Only then add transport security with MTA-STS and TLS-RPT, and finally BIMI to show your logo - which requires enforced DMARC to work at all.
Where Domains Most Often Fail
- SPF over the 10-lookup limit - the single most common failure, and the one AutoSPF fixes automatically by flattening your includes.
- DMARC stuck at
p=none- published but never enforced, so it offers no protection. - No MTA-STS - mail still delivers, but without protection against downgrade attacks.
- BIMI without a VMC - the logo won't display in Gmail or Apple Mail without a Verified Mark Certificate.
Re-run this audit whenever you add a sending service or change providers, and fix each layer with its dedicated tool linked above. Getting SPF right is the prerequisite for everything else - AutoSPF keeps it valid and under the lookup limit so the rest of your stack has a solid base.