Step-by-step instructions to fix every issue that Domain Health reports. Organized by module. Start with critical issues, then work through warnings.
SPF tells receiving mail servers which IP addresses are authorized to send email for your domain. It's published as a TXT record at your domain's root.
No SPF record found. SPF is required by Google, Yahoo, and Microsoft.
If you use multiple providers, combine them into one record:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Multiple v=spf1 TXT records found. RFC 7208 requires exactly one.
v=spf1include: directives into a single TXT recordSPF record exceeds 10 DNS lookups. Results in PermError.
include:, a:, mx:, and redirect= mechanism counts as 1 lookup (nested includes count too)SPF record ends with +all, which authorizes the entire internet to send as your domain.
Change +all to ~all (soft fail) or -all (hard fail) in your SPF TXT record. Using +all provides no protection against spoofing.
SPF record doesn't include the detected email provider's SPF domain.
Add the appropriate include: for your email provider. Check your provider's documentation for the correct SPF include domain.
Content exists after the "all" mechanism. Everything after "all" is ignored by receivers.
Move any include: directives before the ~all or -all at the end. Remove any trailing content after the all mechanism.
More than 2 void DNS lookups (RFC 7208 §4.6.4).
Remove includes that point to domains with no DNS records. Each failed DNS lookup counts against a void lookup limit of 2.
SPF record uses deprecated ptr mechanism.
Replace ptr with explicit ip4: or ip6: entries. The ptr mechanism is deprecated per RFC 7208 due to poor performance and reliability.
DKIM adds a cryptographic signature to outgoing emails. Receivers verify it via a public key published in DNS.
No DKIM selectors found. DKIM is required by Google, Yahoo, and Microsoft.
Common selector names: google (Google Workspace), selector1/selector2 (Microsoft 365), s1/s2 (SendGrid)
DKIM key is 1024-bit. Upgrade to 2048-bit for better security.
DKIM key has been revoked (empty p= tag).
A revoked key (empty p=) is intentional if you've rotated to a new selector. Ensure at least one active DKIM selector exists. If this was unintentional, re-generate the key in your email provider.
DKIM selectors could not be discovered. A security gateway (e.g. Proofpoint, Mimecast) was detected via MX records, which typically means DKIM is configured with custom selector names that cannot be discovered through standard DNS probing.
DKIM-Signature header — it contains the actual selector name in the s= tagThis warning is informational — domains behind security gateways almost certainly have DKIM configured. The score reflects partial credit (8/15) rather than treating DKIM as missing.
DMARC tells receivers what to do when SPF or DKIM checks fail. It's published as a TXT record at _dmarc.yourdomain.com.
No DMARC record found. Required by Google, Yahoo, and Microsoft.
_dmarc.yourdomain.comMonitor reports for 2-4 weeks, then upgrade to p=quarantine, then p=reject.
DMARC policy is set to 'none'. No enforcement.
p=quarantine (failed emails go to spam)p=rejectNo aggregate reporting address (rua=) configured.
Add rua=mailto:dmarc@yourdomain.com to your DMARC record. This lets you receive reports about who is sending email as your domain. Free DMARC report analyzers: Postmark, EasyDMARC, Dmarcian.
External rua domain has no authorization record. Reports will be silently dropped.
If your rua points to reports@external.com, the external domain must publish:
Contact the external reporting service to add this authorization record, or use an email address on your own domain.
MX records specify which mail servers accept email for your domain.
Domain has no MX records. Cannot send or receive email.
MX record hostname does not resolve to an IP address.
Check your MX record hostnames — they must resolve to valid IP addresses. Common causes: typo in MX hostname, or the pointed-to mail server has been decommissioned. Update the MX record to point to your current email provider's servers.
Only one MX record — no mail server redundancy.
Most email providers give you multiple MX records with different priorities. Add all of them to your DNS. If your provider only offers one, this is informational — not a problem for most setups.
DNS-based blacklists track IP addresses and domains associated with spam. Domain Health checks 22 blacklist zones across Tier 1 (major) and Tier 2 (minor) lists.
Listed on a major blacklist (Barracuda, SpamCop, or SURBL).
barracudacentral.org/lookups/lookup-reputationspamcop.net/bl.shtml (auto-delists after 24-48h if spam stops)surbl.org/surbl-analysischeck.spamhaus.org (not checked from cloud but important to verify manually)Listed on a minor blacklist.
Tier 2 blacklists have limited adoption. Some auto-delist after a period of clean behavior. If multiple Tier 2 listings appear, investigate whether your sending IP is shared (common with cloud email providers) or if there's an actual issue. Focus on Tier 1 listings first.
SSL certificates encrypt web traffic and are checked as a trust signal for the domain.
SSL certificate has expired.
No SSL certificate found on port 443.
Set up HTTPS on your domain. Free options: Cloudflare (proxy mode), Let's Encrypt (certbot). Most hosting providers include free SSL. If the domain is email-only with no website, this is less critical.
SSL certificate expires within 7 days.
Renew immediately. Check that auto-renewal is configured correctly — most providers support this. Verify DNS records haven't changed in a way that blocks validation.
Older domains have more sender reputation. Very new domains are flagged as suspicious by email providers.
Domain is less than 7 days old.
Wait. Brand-new domains need time to build reputation. Do not send cold outreach for at least 2 weeks. During warmup:
Domain is less than 30 or 90 days old.
Continue warmup process. Keep volumes low and monitor deliverability. Domains under 90 days should avoid aggressive outreach volumes.
Domain registration length is 1 year or less.
Consider renewing your domain for 2+ years. Longer registration is a minor positive trust signal. Not urgent — focus on SPF/DKIM/DMARC first.
Reverse DNS maps an IP address back to a hostname. Forward-confirmed reverse DNS (FCrDNS) means the PTR record resolves back to the original IP.
MX server IPs have no PTR (reverse DNS) records.
PTR records are set by whoever controls the IP address — usually your hosting provider or ISP, not your DNS registrar. Contact your email/hosting provider to set up a PTR record for your mail server IP. If using a managed email service (Google, Microsoft), PTR is already configured.
PTR hostname does not resolve back to the MX server IP.
Ensure the PTR record points to a hostname that, when resolved with an A record, returns the same IP address. This is called Forward-confirmed reverse DNS (FCrDNS). Contact your hosting provider if the PTR record is incorrect.
MTA-STS enforces TLS encryption for inbound email. It requires both a DNS TXT record and an HTTPS-hosted policy file.
No MTA-STS record found. Inbound mail transport is not enforcing TLS.
_mta-sts.yourdomain.com:https://mta-sts.yourdomain.com/.well-known/mta-sts.txt:mode: testing, then switch to mode: enforce after monitoringMTA-STS policy MX entries do not match actual MX records.
Update the mx: lines in your MTA-STS policy file to match your current MX records. Wildcards are allowed (e.g., mx: *.google.com). Update the id in the DNS TXT record whenever you change the policy.
MTA-STS policy file is missing required fields.
The policy file must include all four required fields: version, mode, mx, and max_age. Check that the file is served with content-type text/plain over HTTPS with a valid certificate.
TLSRPT (RFC 8460) lets you receive reports when sending servers fail to establish TLS connections to your domain.
No TLSRPT record found.
Add a TXT record at _smtp._tls.yourdomain.com:
This is most useful when paired with MTA-STS. Reports help identify TLS delivery failures.
TLSRPT record has syntax errors or multiple records found.
Ensure exactly one TXT record at _smtp._tls.yourdomain.com with format: v=TLSRPTv1; rua=mailto:address@domain.com. Remove any duplicate records.
BIMI displays your brand logo next to emails in supported inboxes. Requires DMARC enforcement (p=quarantine or p=reject) and optionally a VMC (Verified Mark Certificate).
BIMI detected but DMARC policy is "none".
BIMI logos only display when DMARC policy is p=quarantine or p=reject. Upgrade your DMARC policy first, then BIMI will work automatically.
BIMI record found but no VMC (Verified Mark Certificate).
A VMC is required for Gmail logo display. Purchase one from DigiCert or Entrust (the only accepted issuers). You'll need a trademarked logo in SVG Tiny PS format. Some providers (Apple Mail, Yahoo) show logos without a VMC.
VMC (Verified Mark Certificate) has expired.
Renew your VMC through DigiCert or Entrust. VMCs are typically valid for 1 year. Update the a= URL in your BIMI TXT record if the certificate URL changed.
Additional checks for domain deliverability and reputation.
Domain is a known disposable/temporary email provider.
This domain is used for throwaway signups. Emails sent here are never read and addresses expire quickly. Remove these from your outreach lists. This is a receiving-mode check — it applies to prospect domains, not your sending domain.
Domain does not resolve (NXDOMAIN).
The domain does not exist in DNS. No website, no email, no services. Remove from your outreach list. If this is your own domain, check that your DNS records are properly configured and the domain registration hasn't expired.
No website found at this domain.
Domains used for cold email should ideally have a website. A blank domain can look suspicious to recipients who click through to verify your company. Consider setting up a simple landing page.