Paste any domain. Scorifya reads your DMARC, SPF, and DKIM records and builds a step-by-step plan to get from monitoring to full enforcement, with the exact record to publish next.
Free tool
Most domains that publish DMARC are stuck at p=none, which collects reports but blocks nothing. The reason is fear: flipping to enforcement can stop your own mail if a legitimate sender isn't authenticated first. So the cautious move, staying at p=none forever, is the one almost everyone makes, and spoofers keep walking through. This analyzer turns that into a clear sequence, with the exact record for each step.
Paste a domain. The analyzer reads your DMARC, SPF, and DKIM, tells you which rollout stage you're on, shows what's blocking the next step, and generates the exact DMARC record to publish, preserving your existing reporting address. It's the same email-auth data as the full 0 to 100 hardening scan, framed as a journey to enforcement.
This page is written for people searching for "email authentication analyzer". It is the same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — stuck at p=none with no reporting
DMARC exists but only monitors, and there's no rua= address, so you can't see who sends as you. Spoofed mail still gets through.
Next step: advance to quarantine with a percentage ramp
Add a reporting address, review reports for a few weeks, then publish p=quarantine; pct=25 and ramp toward 100.
Blocker: no reporting address (rua=)
Without reports you can't confirm every legitimate sender is authenticated, which is what makes enforcement safe.
Example B — fully enforcing at p=reject
DMARC enforces at p=reject with SPF and DKIM aligned. Spoofed mail using the domain is rejected outright.
Enforced — maintain alignment
Keep the sender list current and watch reports so a new legitimate sender is never silently blocked.
Publish DMARC at p=none with a reporting address first
Even before enforcement, the reports tell you which services send mail in your name. That discovery step is what makes the later steps safe.
Authenticate every legitimate sender before tightening
Confirm SPF and DKIM align for your marketing tool, invoicing service, support desk, and anything else that sends as you. The analyzer flags what's missing.
Move to quarantine with a percentage ramp
Publish p=quarantine; pct=25 and raise the percentage toward 100 as reports stay clean. This limits the blast radius if you missed a sender.
Advance to p=reject once quarantine holds
p=reject is the setting that actually blocks spoofing. Move there once quarantine at pct=100 catches no legitimate mail.
Re-run after every DNS change
Mail vendors and DNS records drift. Re-check after adding a sender or changing providers so your policy still matches reality.
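The rollout order above can be sketched as a small decision function over a DMARC TXT value. This is an added example, not Scorifya's own code; the function names, the 25/50/100 ramp steps, and the placeholder reporting mailbox are assumptions.

```python
# Added example: DMARC rollout stage and next record, following the steps above.
RAMP = (25, 50, 100)  # assumed ramp steps; the page only says 25, then toward 100
PLACEHOLDER_RUA = "mailto:dmarc-reports@example.com"  # placeholder mailbox

def parse_dmarc(txt):
    """Split a DMARC TXT value into a lower-cased tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def build(policy, rua, pct=None):
    """Assemble a record string, keeping the reporting address last."""
    parts = ["v=DMARC1", f"p={policy}"]
    if pct is not None:
        parts.append(f"pct={pct}")
    parts.append(f"rua={rua}")
    return "; ".join(parts)

def next_step(txt):
    """Return (current_policy, blocker, next_record) for one DMARC TXT value."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "none").lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy: {policy}")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    rua = tags.get("rua")
    if not rua:
        # Blocker: without reports, tightening is unsafe. Keep the policy, add rua.
        keep = pct if "pct" in tags else None
        return policy, "no reporting address (rua=)", build(policy, PLACEHOLDER_RUA, keep)
    if policy == "none":
        return policy, None, build("quarantine", rua, RAMP[0])
    higher = [step for step in RAMP if step > pct]
    if higher:  # still ramping at the current policy
        return policy, None, build(policy, rua, higher[0])
    if policy == "quarantine":
        return policy, None, build("reject", rua)
    return policy, None, None  # p=reject at 100%: enforced, maintain alignment

if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    for record in ("v=DMARC1; p=none",
                   "v=DMARC1; p=quarantine; pct=25; rua=mailto:d@example.org",
                   "v=DMARC1; p=reject; rua=mailto:d@example.org"):
        print(record, "->", next_step(record))
```

The function only reads the published policy; confirming that every legitimate sender passes SPF or DKIM alignment still depends on reviewing the aggregate reports before publishing the next record.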
For weights and penalties behind each category, see How Scorifya works.
Background explainers for what this tool checks.
Your published DMARC record and policy, your SPF record and its "all" mechanism, and whether DKIM is detectable at common selectors. It never sends email or logs in anywhere.
p=none tells receivers to send you reports but not to change delivery. Spoofed mail using your domain still reaches inboxes. Only p=quarantine or p=reject actually blocks it.
Only if you skip the rollout. Going straight to enforcement without first authenticating every legitimate sender can block your own forgotten tools. That's why the analyzer surfaces blockers and recommends a percentage ramp through quarantine first.
Many providers sign with auto-generated selectors that no DNS scan can enumerate. If your SPF lists such a provider, the analyzer marks DKIM inconclusive and points you to the header parser to confirm it from a real outbound email.
It's the mailbox that receives the daily aggregate reports. The generator keeps your existing one if you have it, or suggests a placeholder you can change to wherever you want reports delivered.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.