Check Your Domain Security Score

A domain security score measures how well your domain is protected against email spoofing, DNS hijacking, and transport-level attacks. Instead of checking individual protocols in isolation, a score evaluates your entire posture — authentication, DNS trust, and hidden risk — in a single assessment.

What the Score Measures

SpoofSentry's Domain Security Score evaluates your domain across multiple protocol categories:

• DMARC — Policy strength, alignment mode, and reporting configuration. Check your DMARC record.
• SPF — Record validity, lookup count (the 10-lookup limit), and qualifier settings. Check your SPF record.
• DKIM — Key presence, length, and signing configuration. Check your DKIM record.
• MTA-STS — Transport security policy that prevents TLS downgrade attacks. Check MTA-STS.
• DNSSEC — DNS integrity verification that prevents DNS spoofing.
• DANE — Certificate pinning via DNS that binds TLS to your mail server. Check DANE/DNSSEC.
• BIMI — Brand indicator display in supporting email clients. Check BIMI readiness.
• Dangling DNS — Abandoned DNS records that create subdomain takeover risk. Scan for dangling DNS.

Why a Score Matters More Than Individual Checks

A domain can have a valid DMARC record at p=reject but still be vulnerable — if DNSSEC is absent, MTA-STS isn't configured, or abandoned subdomains create takeover exposure. Individual protocol checkers tell you whether a specific record exists. A security score tells you whether your domain is actually protected.

The score also provides a baseline for tracking improvement over time. As you fix gaps and strengthen configurations, the score reflects your progress — useful for internal reporting, compliance evidence, and client presentations.

How to Improve Your Score

1. Start with authentication — Ensure DMARC, SPF, and DKIM are all properly configured and aligned. This is the foundation.
2. Move toward enforcement — A DMARC record at p=none scores lower than p=quarantine or p=reject. Learn when to tighten policy.
3. Add transport security — Configure MTA-STS and TLS-RPT to prevent mail delivery over unencrypted connections.
4. Enable DNSSEC — Requires support from your DNS provider. Prevents DNS spoofing attacks.
5. Clean up DNS — Remove dangling records pointing to decommissioned services. These are takeover targets.

Frequently Asked Questions

Is this free scan the full score?

The free scan evaluates DMARC and SPF — two of the eight scoring components. A full Domain Security Score covering all protocols (DKIM, MTA-STS, DNSSEC, DANE, BIMI, dangling DNS) requires a SpoofSentry account. See pricing.

What is a good domain security score?

80+ indicates strong posture across authentication and DNS trust. 60-79 means the basics are in place but gaps remain. Below 60 indicates significant exposure that should be addressed. Most domains score between 30-60 before actively working on their posture.

How often should I check my score?

Check after making DNS changes, onboarding new email services, or decommissioning infrastructure. With continuous monitoring, SpoofSentry tracks your score automatically and alerts you to regressions.

Can I use this for client domains?

Yes. MSPs and consultants use the Domain Security Score to assess client posture during onboarding, track improvement over time, and generate branded reports. See the MSP solution.