SPFFailing01 / 05
(no v=spf1 record published)
The issue
No SPF record found. Receiving servers have no list of who may send for this domain, so nothing legitimate can prove it belongs.
If left unfixed
Anyone can send as your domain, and your real bulk mail has no baseline to align to. Gmail and Yahoo throttle or spam it the moment you send at volume.
SPF · 12 / 10 lookupsFailing02 / 05
v=spf1 include:_spf.a.com include:_spf.b.com include:mail.c.net include:relay.d.io ~all
The issue
The include chain crosses the 10-DNS-lookup limit (RFC 7208). SPF returns a PermError and fails authentication for every message from the domain.
If left unfixed
Every message from every platform fails SPF silently, with no inbox-side notice. Add one more sending tool and healthy mail starts getting filtered overnight.
DKIM · selectorNeeds work03 / 05
google._domainkey.yourdomain.com → no key (DKIM is selector-specific)
The issue
No DKIM key at the selector checked. DKIM is selector-specific, so a healthy domain can look broken if the wrong selector is audited. The real one lives in the s= value of a sent message's headers.
If left unfixed
Without a signing selector, forwarded mail can't stay aligned, and at DMARC enforcement it gets rejected. It's also the most misread result on any checker.
DMARC · p=noneNeeds work04 / 05
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
The issue
Policy is p=none: monitoring only. Records are read but failures are never acted on, which falls short of the Gmail and Yahoo bulk-sender enforcement minimum.
If left unfixed
Anyone can spoof your domain and DMARC won't stop it, and you fail the bulk-sender requirement. Move to p=quarantine once your legitimate mail aligns.
BIMI · MTA-STSOptional05 / 05
(no v=BIMI1 / v=STSv1 record; never affects your grade)
The issue
The optional hardening layer isn't present. Absence never lowers your grade, but presence signals a mature, deliberately configured sender.
Worth doing once core is enforced
BIMI puts your verified logo beside your name in the inbox; MTA-STS forces inbound mail over encrypted TLS. Layer them on after SPF, DKIM, and DMARC are at enforcement.