A small Node.js CLI that validates every email DNS authentication record — with recursive SPF lookup counting, automatic DKIM selector discovery and grading from A+ to F. Built by TrustYourWebsite as part of our compliance scanning suite.
```
npx @trustyourwebsite/dns-auth-check example.com
```
Requires Node.js 18+. Want the full picture — security headers, cookies, GDPR consent, accessibility and more — across your entire site? Run a free scan at trustyourwebsite.com.
```
DNS Email Authentication Report
================================
Domain: example.com
Grade: B (74/100)

SPF Record:
✓ Record found: v=spf1 include:_spf.google.com include:amazonses.com -all
✓ Hard fail (-all) configured
✓ DNS lookup count: 4/10
✓ Record length: 68 bytes

DKIM Records:
✓ Found 1 DKIM selector(s): google
✓ Record found at google._domainkey.example.com
- Key type: RSA
✓ Key length: ~2048 bits

DMARC Record:
✓ Record found: v=DMARC1; p=none; rua=mailto:dmarc@example.com
⚠ Policy is "none" — DMARC is monitoring only, not blocking spoofed emails
✓ Reporting URI (rua) configured: mailto:dmarc@example.com
⚠ No subdomain policy (sp=) — subdomains inherit p=none

BIMI:
- No BIMI record found (optional)

MTA-STS:
- No MTA-STS record found (optional)

Issues (ordered by priority):
1. [HIGH] DMARC policy is "none" — monitoring only, not blocking spoofed emails
Fix: Change p=none to p=quarantine or p=reject after reviewing DMARC reports
2. [LOW] No subdomain DMARC policy (sp=) — subdomains inherit p=none
Fix: Add sp=reject to your DMARC record to protect subdomains
3. [INFO] No BIMI record — consider adding one for brand visibility in inboxes

Full website compliance scan → https://trustyourwebsite.com
```
Uses only Node's built-in node:dns and node:https modules. Security tooling should have minimal attack surface.
Probes 18 common selectors out of the box — Google, Microsoft 365, SendGrid, Resend, Mandrill, Proton, Zoho and more — or specify your own.
Doesn't just check that SPF exists. Recursively counts DNS lookups against the RFC 7208 limit of 10, flags +all, deprecated ptr and overly permissive ranges.
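What recursive lookup counting involves, as an added sketch that is not the package's own code: each `include`, `a`, `mx`, `ptr`, `exists` and `redirect=` term costs one DNS lookup, and includes are followed and added to the total. `checkSpf`, `walk` and the sample records are hypothetical names and constructed data; the resolver is an in-memory stand-in for `node:dns`.

```javascript
// Constructed TXT data for the demo (not real DNS answers).
const SAMPLE_TXT = new Map([
  ['example.com', 'v=spf1 include:_spf.mail.example mx ip4:192.0.2.0/24 -all'],
  ['_spf.mail.example', 'v=spf1 include:a.mail.example include:b.mail.example ~all'],
  ['a.mail.example', 'v=spf1 ip4:198.51.100.0/24 a ~all'],
  ['b.mail.example', 'v=spf1 exists:%{i}.bl.mail.example ptr ~all'],
  ['loop.example', 'v=spf1 include:loop.example +all'],
]);
const LOOKUP_LIMIT = 10; // RFC 7208 limit on lookup-causing terms
// Optional qualifier, then a term name we care about, then its argument.
const TERM = /^([+\-~?]?)(include|a|mx|ptr|exists|all|redirect)(?:[:=/]|$)(.*)$/i;

function walk(domain, getTxt, path, state) {
  const key = domain.toLowerCase();
  if (path.includes(key)) { // this record is already being evaluated
    state.flags.push(`include loop at ${key}`);
    return;
  }
  if (state.lookups > LOOKUP_LIMIT) return; // over budget: stop descending
  const record = getTxt(key);
  if (!record || !/^v=spf1(\s|$)/i.test(record)) {
    state.flags.push(`no SPF record at ${key}`);
    return;
  }
  for (const term of record.trim().split(/\s+/).slice(1)) {
    const m = TERM.exec(term);
    if (!m) continue; // ip4, ip6, exp= and unknown terms cost no lookup
    const qualifier = m[1], name = m[2].toLowerCase(), target = m[3];
    if (name === 'all') { // a bare "all" defaults to the + qualifier
      if (qualifier === '' || qualifier === '+') state.flags.push(`+all at ${key}`);
      continue;
    }
    state.lookups += 1;
    if (name === 'ptr') state.flags.push(`deprecated ptr at ${key}`);
    if ((name === 'include' || name === 'redirect') && target) {
      walk(target, getTxt, [...path, key], state);
    }
  }
}

// getTxt(domain) returns the SPF TXT string or undefined (assumed interface).
function checkSpf(domain, getTxt = (d) => SAMPLE_TXT.get(d)) {
  const state = { lookups: 0, flags: [] };
  walk(domain, getTxt, [], state);
  return { ...state, overLimit: state.lookups > LOOKUP_LIMIT };
}

console.log(checkSpf('example.com'));
```

The sketch leaves SPF macros in include targets unexpanded and does not cap void lookups.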
| Protocol | What we validate |
|---|---|
| SPF | Record present, syntax, lookup count vs RFC 7208 limit, all qualifier, length, deprecated mechanisms |
| DKIM | Auto-probes 18 selectors, key type (RSA / Ed25519), key length, revoked-key detection |
| DMARC | Policy strength, subdomain policy, rua/ruf reporting URIs, percentage, alignment modes |
| BIMI | Record at default._bimi, logo URL, VMC (Verified Mark Certificate) |
| MTA-STS | TXT record and policy file fetch with mode validation |
| MX (opt-in) | Record listing with priority, hostname resolution, provider identification (30+ providers) |
| Grade | Score | Meaning |
|---|---|---|
| A+ | 95–100 | Excellent — all protocols properly configured |
| A | 85–94 | Good — minor improvements possible |
| B | 70–84 | Fair — some important issues to fix |
| C | 55–69 | Poor — significant gaps in email auth |
| D | 40–54 | Bad — major security risks |
| F | 0–39 | Failing — email auth is essentially absent |
```yaml
# GitHub Actions
- name: Check email DNS auth
  run: npx @trustyourwebsite/dns-auth-check yourdomain.com --ci
```
Exit code 1 when critical or high-severity issues are found.
```js
import { auditDNSAuth } from '@trustyourwebsite/dns-auth-check';

const result = await auditDNSAuth('example.com', {
  dkimSelectors: ['google', 's1', 'default'],
  checkMX: true,
  timeout: 5000,
});

console.log(result.grade); // 'A+' | 'A' | 'B' | 'C' | 'D' | 'F'
console.log(result.score); // 0-100
console.log(result.spf.lookupCount); // recursive DNS lookup count
console.log(result.dkim.selectors); // per-selector results
console.log(result.dmarc.policy); // 'none' | 'quarantine' | 'reject'
```
A real audit also covers HTTP security headers, cookie consent and GDPR, accessibility, TLS configuration and broken-link health — on every page of your site. TrustYourWebsite runs all of those automatically and gives you a single fix-it report.