Step-by-step guides to diagnose and fix common SPF, DMARC, DKIM, SSL, DNSSEC, and security header issues. Each guide includes the exact fix, common gotchas, and a way to verify your changes.
Your SPF record exceeds the 10 DNS lookup limit defined in RFC 7208. When an email receiver evaluates your SPF record and the lookup count exceeds 10, it returns a PermError and the SPF check fails entirely.
Your domain has more than one TXT record starting with "v=spf1". RFC 7208 requires exactly one SPF record per domain. Multiple records cause a PermError, meaning SPF authentication fails for all emails.
Your SPF record has a permanent error that prevents it from being evaluated. This can be caused by syntax errors, exceeding the 10 DNS lookup limit, multiple SPF records, or invalid mechanisms.
Your domain does not have an SPF TXT record published in DNS. Without SPF, receiving servers cannot verify which mail servers are authorized to send email on behalf of your domain.
One or more "include" mechanisms in your SPF record point to a domain that does not have a valid SPF record or does not resolve in DNS.
A SPF TempError means a transient DNS lookup failed during SPF evaluation. Unlike a PermError, the result is not necessarily wrong — but receivers may defer or fail your message until the lookup succeeds.
Your SPF record ends with ~all (softfail) instead of -all (hardfail). While softfail marks unauthorized senders as suspicious, it does not instruct receivers to reject the message.
Your SPF record exceeds the 255-character limit for a single DNS TXT string. While DNS TXT records can contain multiple strings that are concatenated, some older resolvers may not handle this correctly.
Your domain does not have a DMARC TXT record at _dmarc.yourdomain.com. Without DMARC, there is no policy telling receivers what to do with emails that fail SPF and DKIM authentication.
Your DMARC record has the policy set to p=none, which means receiving servers will not take any action against emails that fail DMARC checks. This provides no protection against spoofing.
Emails from your domain are failing DMARC because neither SPF nor DKIM is aligned with the From header domain. DMARC requires at least one of SPF or DKIM to both pass and be aligned.
Your DMARC record does not include a rua (aggregate reporting) tag. Without it, you will not receive any reports about email authentication results for your domain.
Your DMARC record does not include an sp= tag to define policy for subdomains. Without it, subdomains inherit the parent domain's policy, which may not be appropriate.
Your DMARC record includes a pct= tag set to less than 100. Only a percentage of failing emails are subject to your DMARC policy; the rest are treated as if the policy were "none".
A DMARC TempError means the receiver could not retrieve your DMARC record due to a transient DNS issue. The receiver typically applies a default policy and may retry — but persistent TempErrors weaken DMARC enforcement.
Your domain doesn't publish a BIMI record. BIMI (Brand Indicators for Message Identification) lets you display your logo next to authenticated emails in supporting inboxes, improving brand visibility and trust signals.
Emails sent from your domain do not contain a DKIM-Signature header. The email content cannot be verified as unmodified and the sending domain cannot be cryptographically authenticated.
The DKIM public key record was not found in DNS for the selector used by your email provider. Receiving servers cannot verify DKIM signatures without the public key.
Your DKIM DNS record contains a syntax error that prevents it from being parsed correctly. Common issues include missing or malformed tags, line breaks in the key, or incorrect quoting.
A receiver tried to verify a DKIM signature but the selector referenced in the message header has no DNS record. This causes DKIM to fail with "no key for signature" and breaks DMARC alignment via DKIM.
Your DKIM key is shorter than the recommended 2048 bits (likely 1024 bits). Short keys are vulnerable to brute-force attacks and do not meet current security best practices.
Your SSL/TLS certificate has expired. Visitors will see a security warning in their browser, and most will not proceed to your site.
The SSL certificate installed on your server does not match the domain name being accessed. The certificate's Subject Alternative Names (SANs) or Common Name (CN) do not include the requested domain.
Your server is presenting a self-signed certificate. Browsers and clients will show certificate warnings or refuse to connect because the certificate isn't signed by a trusted Certificate Authority.
Your server supports weak or deprecated cipher suites that are vulnerable to known attacks, including DES, 3DES, RC4, and export-grade ciphers.
Your server supports TLS 1.0 and/or TLS 1.1, which are deprecated protocols with known vulnerabilities. Only TLS 1.2 and TLS 1.3 should be enabled.
Your server is sending an incomplete SSL certificate chain. Some clients can't build a path to a trusted root CA, causing TLS handshake failures or certificate trust warnings.
Your server still accepts TLS 1.0 or TLS 1.1 connections. Both are deprecated, vulnerable to several known attacks, and disallowed by PCI DSS, HIPAA, and most browser vendors.
Your server does not send the Strict-Transport-Security (HSTS) header. Without it, browsers may connect over unencrypted HTTP before being redirected to HTTPS, leaving a window for man-in-the-middle attacks.
Your web server is missing one or more important security headers that instruct browsers to enable built-in security features against common web attacks.
Your server does not send a Content-Security-Policy (CSP) header. CSP is one of the most effective defenses against cross-site scripting (XSS) and data injection attacks.
Your domain doesn't publish an MTA-STS policy. MTA-STS (RFC 8461) tells sending mail servers that your domain requires TLS for inbound mail, preventing downgrade attacks where attackers strip encryption from SMTP connections.
Run a free scan to diagnose your domain's security issues. We'll check SPF, DMARC, DKIM, SSL, DNSSEC, and security headers in seconds.
Scan Your Domain Now