№ 07 / SolutionsFree

  Email Deliverability Audit

Your emails landing in spam?

Nine times out of ten it's SPF, DKIM or DMARC. Paste your domain — we check all three in five seconds and tell you exactly what's broken, what to fix, and how spoofable your address is right now.

Begin audit

Email address or just the domain — we strip the user@ part client-side. DNS-only: we don't send mail, don't touch your server, don't see your inbox.

What we check

Three
records

SPF, DKIM and DMARC are the three TXT records every modern mail receiver — Gmail, Outlook, Apple Mail, Yahoo — checks before deciding whether your message reaches the inbox. Miss one and you're guessing every time you hit send.

  • № 01

    SPF — who's allowed to send

    Lists the mail servers (Google, Microsoft 365, Mailgun, your own SMTP) that are authorised to send mail from your domain. Anything else gets flagged. We check the record exists, has one terminating policy (-all or ~all), and stays under the 10-lookup budget receivers cap it at.

  • № 02

    DKIM — the cryptographic signature

    A public key on your DNS that receivers use to verify the signature your outgoing mail server stamps on every message. Proves the email wasn't tampered with in transit. We probe 23 common selectors (google, selector1, k1, etc.) and grade the strongest key we find — 2048-bit is the modern minimum.

  • № 03

    DMARC — what receivers should do

    The enforcement policy. Tells Gmail and Outlook what to do when SPF or DKIM fail: ignore (p=none), spam folder (p=quarantine) or bounce (p=reject). Without DMARC, valid SPF and DKIM still leave your domain wide open to spoofing. We grade your policy strength, subdomain coverage, and whether you've set up aggregate reporting.

Why it matters

The two
outcomes

Bad email setup costs you in two specific, expensive ways. Both are silent — you don't get a notification, you just lose deals.

  • 01

    Customers don't see your replies

    Gmail and Outlook quietly route mail from un-authenticated domains to spam. Your reply to that enquiry never reached them. The customer assumes you ignored them and goes to a competitor. Since February 2024 Gmail enforces SPF + DKIM + DMARC for any sender pushing more than 5,000 messages a day, and is rolling those requirements down to smaller senders too.

  • 02

    Spoofers send invoices in your name

    A domain without DMARC at p=quarantine or stricter can be spoofed by anyone with a script and a motivation. UK SMEs lost an average £4,200 per CEO-impersonation fraud incident in Action Fraud's 2024 reporting — the spoofed email "from" your finance director that asks an employee to wire money is a DMARC failure first, a human-error story second.

FAQ

Common
questions

The questions UK SME owners ask before changing a DNS record. None of these answers are legal advice — for that, talk to your IT provider or DPO.

  • Q1

    Why are my emails going to spam?

    By far the most common cause for UK SMEs is broken or missing email authentication — SPF, DKIM and DMARC. Gmail and Outlook now require all three for reliable inbox placement, and silently demote anything that doesn't pass. Less common causes are IP-reputation issues with the sending server, dodgy subject lines, or being on a blocklist — but those are downstream. Auth comes first.

  • Q2

    What's the difference between SPF, DKIM and DMARC?

    SPF says who's allowed to send mail from your domain. DKIM cryptographically signs each message so receivers can verify it wasn't altered. DMARC ties the two together with a policy that tells receivers what to do when either check fails. All three are TXT records on your DNS — there's nothing to install, no software to run.

  • Q3

    Is this DMARC checker free?

    Yes. Three free checks per month, no sign-up. A free account gives you unlimited private re-runs as you tighten your records, plus a publishable verify badge once your grade is good — useful for procurement and tender documents that ask about email security.

  • Q4

    Will the audit affect my email or DNS?

    No. The audit only reads public TXT records — the same DNS data any mail receiver looks at every time someone sends to your domain. We don't send mail, we don't touch your DNS configuration, we can't see your inbox. Purely read-only.

  • Q5

    How do I fix a failing record?

    The report tells you exactly which record is wrong and the specific change to make — for example "SPF ends in ~all, tighten to -all once you're confident your senders are fully listed". You apply the change in your DNS provider (Cloudflare, GoDaddy, Route 53 — wherever your domain lives) and re-run the audit to confirm.

  • Q6

    Can DKIM really be missing if I'm using Google Workspace or Microsoft 365?

    Yes — surprisingly often. Workspace and 365 both generate the keys for you, but you still have to publish the corresponding TXT record in your DNS. Many UK SMEs migrated to Workspace years ago, never finished the DKIM step, and have been sending unsigned mail ever since. The audit probes the google, selector1 and selector2 selectors specifically because those are the ones Workspace and 365 instruct customers to publish.

  • Q7

    Is having DMARC legally required in the UK?

    No UK statute mandates DMARC for the private sector. The NCSC recommends it for all organisations and central government services have been required to publish DMARC at p=reject for several years under the Active Cyber Defence programme. Privately, the de-facto requirement is procurement — supplier security questionnaires increasingly ask for DMARC at p=quarantine or stricter as a tick-box.

Last word

Five seconds. Three records.

Find out whether your mail is broken before your next big prospect doesn't see your reply.

Run a free audit