SenderSignal
DocumentationSign in
Sign inStart free →

Product guides

Getting started

Monitor

Adding assetsBulk importMonitor rulesHistory & activity
Blacklists

Deliverability

How checks workScoring modelDomain identity
Sender reputation

Alerts

OverviewChannelsRules & routing
Inbox Intelligence

Inbox Boost

DNS setupStart warmupBounce rate auto-pause

Deliverability

Scoring model

How SenderSignal turns DNS, SMTP, and authentication probes into a 0–100 health score: category weights, point deductions per finding, hard caps, and IP composite dimensions.

Two layers: infrastructure vs policy

The numeric score reflects mail infrastructure and authentication health. The gauge color also reflects open policy gaps (for example DMARC at p=none). That is why you may see 100 points with an orange gauge: transport can be perfect while authentication policy still needs hardening.

Domain health score (0–100)

The Deliverability tab health score uses seven categories that sum to 100. Each category starts at its maximum weight. Findings subtract points from the relevant category only. The final score is the sum of category scores (after bonuses and hard caps).

Category weights (maximum points)

CategoryMax pointsWhat it covers
SPF20SPF record presence, syntax, lookup count, terminal mechanism
DKIM20Published selectors, key strength, verification against DNS
DMARC25DMARC record presence, policy (p=), enforcement level
MX10MX records present and resolvable for mail-capable domains
SMTP transport10MX reachability, STARTTLS, TLS grade, certificate trust
DNS integrity5DNSSEC probe health, CAA validity, resolver propagation
Policy security10MTA-STS, DANE/TLSA, BIMI VMC, enterprise hardening expectations

Point deductions by finding

Each row is the base deduction before multipliers. Actual points subtracted may be lower when severity, confidence, applicability, or domain profile reduce impact (for example provider-managed DKIM on ESP-delegated domains). Deductions never exceed the category bucket they belong to.

SPF (from 20)

FindingBase pointsWhen it appliesExample
spf_missing−12No SPF TXT on a mail-capable domain or domain with DMARCdig +short TXT mail.example.com returns no v=spf1 record
spf_invalid−12 (−14 if multiple records)Malformed SPF or permerror (including duplicate SPF records)Two TXT records both start with v=spf1 on mail.example.com
spf_lookup_exceeded−6More than 10 DNS lookups in SPF (RFC 7208 limit)SPF record chains more than 10 include: / redirect lookups
spf_plus_all−8SPF ends with +all (allows any sender)v=spf1 ip4:203.0.113.10 +all

spf_softfail_all (~all) is flagged as a policy recommendation but does not deduct points by default (common on enterprise and mailbox-provider domains).

DKIM (from 20)

FindingBase pointsWhen it appliesExample
dkim_missing−10No valid DKIM keys for configured selectorsdig +short TXT s1._domainkey.mail.example.com returns NXDOMAIN
dkim_unverified−8Selectors configured but none verify in DNSSelector s1 expected in app but no matching public key in DNS
dkim_weak_keyCritical (category impact)Best published key under 1024-bitDKIM TXT publishes a 512-bit or 768-bit RSA key

1024-bit keys are noted but not penalized; 2048-bit is recommended. ESP-delegated and mailbox profiles may treat DKIM as provider-managed with no deduction.

DMARC (from 25)

FindingBase pointsWhen it appliesExample
dmarc_missing−12No _dmarc TXT recorddig +short TXT _dmarc.mail.example.com returns NXDOMAIN
dmarc_none−4DMARC present with p=none (monitor only)v=DMARC1; p=none; rua=mailto:dmarc@example.com
dmarc_quarantine−1DMARC p=quarantine (partial enforcement)v=DMARC1; p=quarantine; pct=100
hardened_dmarc_not_reject−6Hardened enterprise profile expects p=rejectEnterprise sender on p=quarantine when profile expects reject

p=reject has no deduction and may earn a +2 bonus (see below).

MX (from 10)

FindingBase pointsWhen it appliesExample
mx_missing−10Mail-capable domain with no MX recordsdig +short MX mail.example.com returns empty
mx_unresolvable−10MX hostnames do not resolve in DNSMX 10 bad-host.example.com but A/AAAA lookup for bad-host fails

SMTP transport (from 10)

FindingBase pointsWhen it appliesExample
smtp_unreachable−8Primary MX does not accept SMTPTCP connection to mx.mail.example.com:25 refused or times out
smtp_no_starttls−5MX reachable but STARTTLS not offeredEHLO response has no STARTTLS keyword after successful connect
tls_weak_cipher−4TLS cipher grade D or FSTARTTLS negotiates a grade-F export cipher suite
tls_moderate_cipher−2TLS cipher grade CSTARTTLS succeeds but cipher grade is C
tls_downgrade_risk−2Legacy TLS version negotiated on STARTTLSServer offers TLS 1.0 after STARTTLS
tls_legacy−3MX negotiates TLS 1.0 or 1.1Highest negotiated version is TLSv1.1
cert_untrusted−3MX presents an untrusted certificateSelf-signed or expired cert on mx.mail.example.com
cert_hostname_mismatch−1Certificate CN/SAN does not match MX hostnameMX is mx.mail.example.com but cert is issued for other-host.net
ocsp_must_staple_missing−1Must-staple extension without OCSP stapling observedCert has status_request extension but no stapled OCSP response

ESP-delegated and mailbox-provider domains may skip SMTP transport scoring (category marked neutral).

DNS integrity (from 5)

FindingBase pointsWhen it appliesExample
dnssec_probe_error−2DNSSEC signed zone but validation probe failedDS records present but chain validation returns SERVFAIL
caa_invalid−3CAA records present but misconfiguredCAA records conflict or use unsupported tag syntax
dns_propagation_divergence−3Public resolvers return different answers for auth recordsSPF TXT differs between 1.1.1.1 and 8.8.8.8

Policy security (from 10)

FindingBase pointsWhen it appliesExample
mta_sts_invalid−5MTA-STS policy fetched but invalid_mta-sts.mail.example.com TXT exists but policy file fails validation
dane_mismatch−4TLSA records do not match live MX certificatePort 25 TLSA hash does not match cert served on STARTTLS
bimi_vmc_invalid−2BIMI VMC certificate invaliddefault._bimi TXT present but VMC fails validation
hardened_no_mta_sts−2Hardened enterprise profile without MTA-STSEnterprise profile expects _mta-sts but record is absent

Score bonuses (up to +6 total)

ConditionPoints
DMARC p=reject valid+2
MTA-STS enforce mode valid+2
Valid BIMI VMC+2
DANE verified against live cert+2
DMARC enforcement readiness+1

Hard caps (maximum score when condition is true)

Even if category math is higher, critical failures cap the final score:

ConditionMax score
No MX on mail-capable domain20
SMTP unreachable on primary MX40
SPF absent55
SPF malformed / permerror45–50
DMARC absent70
DMARC malformed60
No verifiable DKIM75
No STARTTLS on reachable MX70

Classification labels

Score rangeLabel
95–100Excellent
85–94Strong
70–84Moderate
50–69Weak
0–49Poor

Worked example

Domain with valid SPF, valid DKIM, DMARC p=none, MX ok, SMTP ok

SPF:             20 − 0  = 20
DKIM:            20 − 0  = 20
DMARC:           25 − 4  = 21   (dmarc_none)
MX:              10 − 0  = 10
SMTP transport:  10 − 0  = 10
DNS integrity:    5 − 0  =  5
Policy security: 10 − 0  = 10
                              ────
Total:                       96  (excellent)

IP composite score (0–100)

IP monitors use five weighted dimensions. If SMTP or TLS cannot be probed (common on managed ESP IPs), that dimension is marked unobservable and its weight is redistributed to the others.

DimensionWeightHow points are built
Reputation25%Starts at 100. −40 per critical DNSBL consensus listing, −25 high, −8 medium, −3 low. Clean Tier-1 feeds can floor the score at 94–97.
Network trust20%Base by network type (e.g. global provider 95, ESP 88, datacenter 75, residential 15). +5 FCrDNS on managed providers, +3 organizational PTR alignment.
SMTP health20%+35 reachable, +25 TLS negotiated (+10 if only advertised), +20 excellent latency (+15 good), +5 enhanced status / pipelining / trusted cert. Capped at 98.
Transport security15%Base 40. +35 TLS negotiated, +18/14/8 for cipher grade A/B/C, −15 grade D/F, −10 untrusted cert, +5 hostname match, −10/−20 cert expiry within 14/3 days.
Deliverability20%Base 50. +15 PTR exists, +12–15 FCrDNS valid, −25 SMTP unreachable, −15 suspicious HELO, −12 generic PTR. Includes blended reputation/network/SMTP/TLS signals. Blocking risk: −8 medium / −18 high / −30 critical. Spam-folder risk: half those values.

Common IP signal impacts

SignalTypical impact
FCrDNS valid+12 to +15 on deliverability; +3 to +5 on network trust
FCrDNS invalid−10 on deliverability
Critical DNSBL listing−40 on reputation dimension
SMTP unreachable (self-hosted)−25 on deliverability
Residential network detectedNetwork trust base ≈ 15

Blacklist and monitor headline score

Blacklist listings on the domain health breakdown are noted in reputation notes; the dedicated blacklist reputation score (Monitor / Blacklists tab) uses vendor weight × severity × confidence. The headline score on Monitor and asset Overview blends blacklist state, deliverability health, and trend. See Blacklist monitoring.

Reading the Deliverability tab

  • Green gauge: strong score and no open policy gaps
  • Orange gauge at high score: infrastructure OK; authentication policy still has recommended fixes
  • Red / lower number: SMTP failure, major listing, or missing MX
  • Category breakdown: each row shows weight, remaining points, and per-finding deductions
  • Recommended actions: prioritized fixes in plain language

← How checks work · Domain identity →

SenderSignal

Real-time deliverability and reputation monitoring for sending teams that take it seriously.

A product ofiInfoscience Labs
Product
How it worksPlatformPricingDocumentationStart freeStatus
Company
AboutParent companyTerms of servicePrivacy policyContact
Connect
Twitter LinkedIn GitHub hello@sendersignal.com
© 2026 SenderSignal. All rights reserved to Infoscience Labs. All systems operational