Two layers: infrastructure vs policy
The numeric score reflects mail infrastructure and authentication health. The gauge color also reflects open policy gaps (for example DMARC at p=none). That is why you may see 100 points with an orange gauge: transport can be perfect while authentication policy still needs hardening.
Domain health score (0–100)
The Deliverability tab health score uses seven categories that sum to 100. Each category starts at its maximum weight. Findings subtract points from the relevant category only. The final score is the sum of category scores (after bonuses and hard caps).
Category weights (maximum points)
| Category | Max points | What it covers |
|---|
| SPF | 20 | SPF record presence, syntax, lookup count, terminal mechanism |
| DKIM | 20 | Published selectors, key strength, verification against DNS |
| DMARC | 25 | DMARC record presence, policy (p=), enforcement level |
| MX | 10 | MX records present and resolvable for mail-capable domains |
| SMTP transport | 10 | MX reachability, STARTTLS, TLS grade, certificate trust |
| DNS integrity | 5 | DNSSEC probe health, CAA validity, resolver propagation |
| Policy security | 10 | MTA-STS, DANE/TLSA, BIMI VMC, enterprise hardening expectations |
Point deductions by finding
Each row is the base deduction before multipliers. Actual points subtracted may be lower when severity, confidence, applicability, or domain profile reduce impact (for example provider-managed DKIM on ESP-delegated domains). Deductions never exceed the category bucket they belong to.
SPF (from 20)
| Finding | Base points | When it applies | Example |
|---|
spf_missing | −12 | No SPF TXT on a mail-capable domain or domain with DMARC | dig +short TXT mail.example.com returns no v=spf1 record |
spf_invalid | −12 (−14 if multiple records) | Malformed SPF or permerror (including duplicate SPF records) | Two TXT records both start with v=spf1 on mail.example.com |
spf_lookup_exceeded | −6 | More than 10 DNS lookups in SPF (RFC 7208 limit) | SPF record chains more than 10 include: / redirect lookups |
spf_plus_all | −8 | SPF ends with +all (allows any sender) | v=spf1 ip4:203.0.113.10 +all |
spf_softfail_all (~all) is flagged as a policy recommendation but does not deduct points by default (common on enterprise and mailbox-provider domains).
DKIM (from 20)
| Finding | Base points | When it applies | Example |
|---|
dkim_missing | −10 | No valid DKIM keys for configured selectors | dig +short TXT s1._domainkey.mail.example.com returns NXDOMAIN |
dkim_unverified | −8 | Selectors configured but none verify in DNS | Selector s1 expected in app but no matching public key in DNS |
dkim_weak_key | Critical (category impact) | Best published key under 1024-bit | DKIM TXT publishes a 512-bit or 768-bit RSA key |
1024-bit keys are noted but not penalized; 2048-bit is recommended. ESP-delegated and mailbox profiles may treat DKIM as provider-managed with no deduction.
DMARC (from 25)
| Finding | Base points | When it applies | Example |
|---|
dmarc_missing | −12 | No _dmarc TXT record | dig +short TXT _dmarc.mail.example.com returns NXDOMAIN |
dmarc_none | −4 | DMARC present with p=none (monitor only) | v=DMARC1; p=none; rua=mailto:dmarc@example.com |
dmarc_quarantine | −1 | DMARC p=quarantine (partial enforcement) | v=DMARC1; p=quarantine; pct=100 |
hardened_dmarc_not_reject | −6 | Hardened enterprise profile expects p=reject | Enterprise sender on p=quarantine when profile expects reject |
p=reject has no deduction and may earn a +2 bonus (see below).
MX (from 10)
| Finding | Base points | When it applies | Example |
|---|
mx_missing | −10 | Mail-capable domain with no MX records | dig +short MX mail.example.com returns empty |
mx_unresolvable | −10 | MX hostnames do not resolve in DNS | MX 10 bad-host.example.com but A/AAAA lookup for bad-host fails |
SMTP transport (from 10)
| Finding | Base points | When it applies | Example |
|---|
smtp_unreachable | −8 | Primary MX does not accept SMTP | TCP connection to mx.mail.example.com:25 refused or times out |
smtp_no_starttls | −5 | MX reachable but STARTTLS not offered | EHLO response has no STARTTLS keyword after successful connect |
tls_weak_cipher | −4 | TLS cipher grade D or F | STARTTLS negotiates a grade-F export cipher suite |
tls_moderate_cipher | −2 | TLS cipher grade C | STARTTLS succeeds but cipher grade is C |
tls_downgrade_risk | −2 | Legacy TLS version negotiated on STARTTLS | Server offers TLS 1.0 after STARTTLS |
tls_legacy | −3 | MX negotiates TLS 1.0 or 1.1 | Highest negotiated version is TLSv1.1 |
cert_untrusted | −3 | MX presents an untrusted certificate | Self-signed or expired cert on mx.mail.example.com |
cert_hostname_mismatch | −1 | Certificate CN/SAN does not match MX hostname | MX is mx.mail.example.com but cert is issued for other-host.net |
ocsp_must_staple_missing | −1 | Must-staple extension without OCSP stapling observed | Cert has status_request extension but no stapled OCSP response |
ESP-delegated and mailbox-provider domains may skip SMTP transport scoring (category marked neutral).
DNS integrity (from 5)
| Finding | Base points | When it applies | Example |
|---|
dnssec_probe_error | −2 | DNSSEC signed zone but validation probe failed | DS records present but chain validation returns SERVFAIL |
caa_invalid | −3 | CAA records present but misconfigured | CAA records conflict or use unsupported tag syntax |
dns_propagation_divergence | −3 | Public resolvers return different answers for auth records | SPF TXT differs between 1.1.1.1 and 8.8.8.8 |
Policy security (from 10)
| Finding | Base points | When it applies | Example |
|---|
mta_sts_invalid | −5 | MTA-STS policy fetched but invalid | _mta-sts.mail.example.com TXT exists but policy file fails validation |
dane_mismatch | −4 | TLSA records do not match live MX certificate | Port 25 TLSA hash does not match cert served on STARTTLS |
bimi_vmc_invalid | −2 | BIMI VMC certificate invalid | default._bimi TXT present but VMC fails validation |
hardened_no_mta_sts | −2 | Hardened enterprise profile without MTA-STS | Enterprise profile expects _mta-sts but record is absent |
Score bonuses (up to +6 total)
| Condition | Points |
|---|
DMARC p=reject valid | +2 |
| MTA-STS enforce mode valid | +2 |
| Valid BIMI VMC | +2 |
| DANE verified against live cert | +2 |
| DMARC enforcement readiness | +1 |
Hard caps (maximum score when condition is true)
Even if category math is higher, critical failures cap the final score:
| Condition | Max score |
|---|
| No MX on mail-capable domain | 20 |
| SMTP unreachable on primary MX | 40 |
| SPF absent | 55 |
| SPF malformed / permerror | 45–50 |
| DMARC absent | 70 |
| DMARC malformed | 60 |
| No verifiable DKIM | 75 |
| No STARTTLS on reachable MX | 70 |
Classification labels
| Score range | Label |
|---|
| 95–100 | Excellent |
| 85–94 | Strong |
| 70–84 | Moderate |
| 50–69 | Weak |
| 0–49 | Poor |
Worked example
Domain with valid SPF, valid DKIM, DMARC p=none, MX ok, SMTP ok
SPF: 20 − 0 = 20
DKIM: 20 − 0 = 20
DMARC: 25 − 4 = 21 (dmarc_none)
MX: 10 − 0 = 10
SMTP transport: 10 − 0 = 10
DNS integrity: 5 − 0 = 5
Policy security: 10 − 0 = 10
────
Total: 96 (excellent)
IP composite score (0–100)
IP monitors use five weighted dimensions. If SMTP or TLS cannot be probed (common on managed ESP IPs), that dimension is marked unobservable and its weight is redistributed to the others.
| Dimension | Weight | How points are built |
|---|
| Reputation | 25% | Starts at 100. −40 per critical DNSBL consensus listing, −25 high, −8 medium, −3 low. Clean Tier-1 feeds can floor the score at 94–97. |
| Network trust | 20% | Base by network type (e.g. global provider 95, ESP 88, datacenter 75, residential 15). +5 FCrDNS on managed providers, +3 organizational PTR alignment. |
| SMTP health | 20% | +35 reachable, +25 TLS negotiated (+10 if only advertised), +20 excellent latency (+15 good), +5 enhanced status / pipelining / trusted cert. Capped at 98. |
| Transport security | 15% | Base 40. +35 TLS negotiated, +18/14/8 for cipher grade A/B/C, −15 grade D/F, −10 untrusted cert, +5 hostname match, −10/−20 cert expiry within 14/3 days. |
| Deliverability | 20% | Base 50. +15 PTR exists, +12–15 FCrDNS valid, −25 SMTP unreachable, −15 suspicious HELO, −12 generic PTR. Includes blended reputation/network/SMTP/TLS signals. Blocking risk: −8 medium / −18 high / −30 critical. Spam-folder risk: half those values. |
Common IP signal impacts
| Signal | Typical impact |
|---|
| FCrDNS valid | +12 to +15 on deliverability; +3 to +5 on network trust |
| FCrDNS invalid | −10 on deliverability |
| Critical DNSBL listing | −40 on reputation dimension |
| SMTP unreachable (self-hosted) | −25 on deliverability |
| Residential network detected | Network trust base ≈ 15 |
Blacklist and monitor headline score
Blacklist listings on the domain health breakdown are noted in reputation notes; the dedicated blacklist reputation score (Monitor / Blacklists tab) uses vendor weight × severity × confidence. The headline score on Monitor and asset Overview blends blacklist state, deliverability health, and trend. See Blacklist monitoring.
Reading the Deliverability tab
- Green gauge: strong score and no open policy gaps
- Orange gauge at high score: infrastructure OK; authentication policy still has recommended fixes
- Red / lower number: SMTP failure, major listing, or missing MX
- Category breakdown: each row shows weight, remaining points, and per-finding deductions
- Recommended actions: prioritized fixes in plain language
← How checks work · Domain identity →