Domain Reputation Diagnosis
Before they even look at your domain, mail providers read what you publish in your DNS. This diagnosis evaluates those 8 public signals — authentication, policies, infrastructure — and returns a score with concrete recommendations.
Domain only, no @ or https:// — if you paste an email address, we automatically use just the domain.
This diagnosis runs from your browser via DNS-over-HTTPS, with backup resolvers. We don't store the domains you check. For a quick authentication check, there's the SPF/DKIM/DMARC checker.
What this diagnosis checks
SPF and its quality
Not just whether it exists: what policy it declares ("-all", "~all", "+all") and whether it exceeds the 10-DNS-lookup limit that invalidates it.
DMARC strength
The policy ("none", "quarantine", "reject"), the enforcement percentage, and whether anyone is receiving the reports.
DKIM
Whether a signing key is published, with automatic detection of the most common selectors.
MX records
Whether the domain can receive mail: providers distrust senders that can't accept replies.
Advanced signals
BIMI (your logo in the inbox), MTA-STS and TLS-RPT (encryption for inbound mail). Optional and not urgent: they set a mature setup apart, and the FAQ below explains how to implement each one.
What about blocklists? We'll be upfront
Serious blocklists — Spamhaus and similar — deliberately reject queries made through public resolvers, which is the only route available from a browser. That's why this diagnosis doesn't include them: we'd rather not show a check we can't guarantee.
So how does it actually work? Reputation is built together. On your side, good practices: your own permission-based lists, careful content, nothing that looks like spam. On arrobaMail's side, internal validations, monitoring and constant care of our sending IPs, plus continuous improvements based on our customers' activity. That combination is what prevents blocks — and what resolves them when they happen.
Frequently asked questions
It's the trust that mail providers (Gmail, Outlook, Yahoo) place in your domain as a sender. It's built from two things: the public signals you publish in your DNS — authentication, policies, infrastructure — and your sending behavior over time. This tool evaluates the first, which is the controllable foundation for everything else.
No, and we'd rather tell you upfront: serious blocklists (like Spamhaus) don't accept queries made through public resolvers, which is the only method available from a browser. Any online tool that claims to check them this way is showing you an unreliable result.
The good news is that blocks aren't something you "check" — they're prevented and fixed by operating well. At arrobaMail that's part of the platform: internal validations, constant care of our sending IPs and continuous improvements based on customer activity — combined with what each sender brings: permission-based lists, careful content and no spam. Reputation is teamwork.
The checker is the quick control: it tells you whether the three authentication records exist. This diagnosis goes deeper: it evaluates the quality and strength of each record, adds infrastructure and advanced signals, and rolls it all up into a score with actionable recommendations.
Start with what matters most: publish SPF and DKIM if they're missing, and move DMARC to at least "quarantine" gradually. Each signal in the result tells you what to fix, and the guide on how to authenticate your domain walks you through it step by step. If you send with arrobaMail, your domain's verification status is right there in the dashboard, so you always know what's still pending.
BIMI (Brand Indicators for Message Identification) lets providers show your verified logo next to your emails in the inbox. It's a brand signal, not a security one: it doesn't determine whether your emails get delivered, but it adds recognition and visual trust.
To implement it you need three things: DMARC at "quarantine" or "reject" policy (that's the prerequisite), your logo in SVG format per the standard's profile, and a TXT record at default._bimi.yourdomain.com like "v=BIMI1; l=https://yourdomain.com/logo.svg". Some providers — Gmail among them — also require a paid VMC certificate that proves ownership of the logo.
Our recommendation: treat it as the last step of maturity. First get SPF, DKIM and DMARC solid; BIMI is the cherry on top, not the base. Showing as missing in the diagnosis doesn't hurt deliverability.
MTA-STS (Mail Transfer Agent Strict Transport Security) protects the mail your domain receives: it requires servers writing to you to use encrypted (TLS) connections and verify your MX records, which blocks interception attacks. It doesn't affect your outbound campaigns.
It's implemented in two parts: a TXT record at _mta-sts.yourdomain.com ("v=STSv1; id=20260612") and a policy file published at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt listing your MX servers and enforcement mode. It's best to start in "testing" mode and move to "enforce" once you've confirmed everything flows correctly. If your corporate mail runs on Google Workspace or Microsoft 365, both have official step-by-step guides.
It's optional and adopted gradually: having it speaks well of your operation, and not having it doesn't penalize your campaign sending.
TLS-RPT (TLS Reporting) is MTA-STS's companion: it makes major providers send you a report whenever someone had encryption trouble trying to deliver mail to you. Without it, those failures are invisible.
It's the simplest of the three advanced signals: a single TXT record at _smtp._tls.yourdomain.com with the format "v=TLSRPTv1; rua=mailto:[email protected]". The only thing to watch is choosing an inbox someone actually reads: reports arrive as automated summaries in JSON format.
You can publish it even before you have MTA-STS: it's harmless, and the reports serve as an early diagnostic before you tighten any policy.
When setting up a new domain, after any change of mail provider or DNS, and if you notice a sharp drop in opens. As routine, a monthly review is enough: these signals don't change on their own, but a hosting change or an overwritten record are more common than you'd think.
The diagnosis tells you what's missing. This tells you how to fix it
The guide on how to authenticate your domain walks you through SPF, DKIM and DMARC step by step, and in deliverability we cover how we protect sending reputation at arrobaMail. If your campaigns are landing in spam, start with this guide.
A healthy domain deserves a platform to match
At arrobaMail reputation is cared for together: your good practices, plus internal validations and constant care of the platform's sending IPs. Create your free account, no card required.
Free Plan · AI generations included · no credit card