
Email Score: a beginner's guide

Rate email security (SPF, DKIM, DMARC)

EdgeDNS Team··10 min read

The single email security grade (and what goes into it)

An email security grade is a single composite number (or A-to-F letter) that summarizes everything an automated audit found about a domain's email-authentication setup. Instead of asking a non-technical stakeholder to read seven different technical reports — SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT, MX health — you give them a single grade and a one-paragraph executive summary. The grade rolls up the same underlying signals that any deliverability consultant would look at, but in a form that lands in a board meeting.

You should care because email security is one of the most jargon-heavy areas of IT, and that jargon is the main reason it gets neglected. A founder, a CMO, or a board member doesn't need to know the difference between `p=quarantine` and `p=reject` — they need to know whether email security is a problem worth investing in this quarter. A single letter grade, computed transparently from a defined methodology, is the bridge between the technical detail and the strategic decision. As a bonus, the grade gives you a number to track over time, which makes the impact of remediation work visible in a way that abstract "we improved a few things" updates do not.

The seven categories every email security grade rolls up:

  • SPF — does it exist, is it valid, is it under the 10-lookup limit, does it end in `-all`?

  • DKIM — is at least one selector publishing a strong key, and are outgoing messages actually being signed?

  • DMARC — does it exist, is it at enforcement (`p=quarantine` or `p=reject`), is there a reporting address?

  • BIMI — is it set up, and is the chain of prerequisites (DMARC enforcement, SVG logo, optional VMC) complete?

  • MTA-STS and TLS-RPT — is inbound mail protected against TLS downgrade?

  • MX health — are the listed mail servers actually reachable, healthy, and not on public blocklists?

  • DNSSEC at the parent zone — is the underlying DNS that all of this depends on protected from forgery?

Each category gets weighted (DMARC and SPF carry the most weight because they have the biggest deliverability impact; BIMI and TLS-RPT are bonuses) and the weighted average becomes the overall grade.

Three questions a single email security grade answers:

  • At a glance, is our email security health getting better or worse over time?

  • Which of the categories is dragging us down the most, so I know where to focus engineering effort?

  • Is the work we've been doing on email authentication actually moving the needle?

The cost of not having a single grade is the slow accumulation of detailed reports that nobody on the leadership team actually reads. The fix is to roll up the existing detail into one number and one letter, computed the same way every time, and tracked on a recurring schedule. This is the difference between email security being a black box and email security being a measurable, accountable line item in the IT budget.

The Email Score endpoint, in plain language

In one sentence: Rate email security ([SPF (Sender Policy Framework)](/guides/spf-record-setup-guide), [DKIM (DomainKeys Identified Mail)](/guides/security-dkim), [DMARC (Domain-based Message Authentication, Reporting and Conformance)](/guides/how-to-check-dmarc-record))

Calculates a comprehensive email security score (0-100) based on SPF (Sender Policy Framework) policy strength, DKIM (DomainKeys Identified Mail) key presence, DMARC (Domain-based Message Authentication, Reporting and Conformance) enforcement level, MX record (Mail eXchanger record) configuration, and email provider type. Returns a letter grade (A-F) with weighted breakdown of each component, grade description, and prioritized recommendations. Detects email provider type (enterprise, business, security gateway) from MX records for bonus scoring.

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

What is actually happening when you call it

Here's what's actually happening behind the scenes when you call this endpoint:

  • Queries SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting and Conformance), and MX records in parallel via Cloudflare DoH (DNS over HTTPS).

  • Scores SPF on record validity and on the policy mechanism it ends in (-all, ~all, ?all, +all).

  • Scores DKIM on key presence across common selectors and on estimated key strength (2048+ bit RSA or Ed25519 scores higher).

  • Scores DMARC on policy level (none/quarantine/reject), alignment, subdomain policy, and percentage coverage.

  • Scores MX records for presence and backup redundancy.

  • Detects the email provider type and awards a bonus for enterprise providers (Google Workspace, Microsoft 365) or security gateway providers.

  • Returns the detected provider information, record presence flags (has_spf, has_dkim, has_dmarc, has_mx), the weighted breakdown, and a letter grade.
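To make the weighting concrete, here is an added Python example (my own code, not the EdgeDNS scorer) that applies the category checks listed above, and in the seven-category list earlier on this page, to raw SPF, DKIM, DMARC and MX signals and produces a 0-100 score, a letter grade and the category to fix next. The weights, point values and grade cut-offs are my assumptions, and the record strings are constructed.

```python
import re

# Assumed weights: the guide says DMARC and SPF count most; the numbers are mine.
WEIGHTS = {"spf": 30, "dkim": 20, "dmarc": 35, "mx": 15}

def spf_lookups(record):
    """Count terms that cost a DNS lookup; RFC 7208 allows at most 10."""
    return len(re.findall(r"(?:^|\s)[+\-~?]?(?:include:|a\b|mx\b|ptr\b|exists:|redirect=)", record))

def score_spf(record):
    if not record or not record.startswith("v=spf1"):
        return 0
    if spf_lookups(record) > 10:
        return 20                        # permerror: receivers ignore the record
    tail = record.split()[-1]            # the 'all' mechanism sets policy strength
    return {"-all": 100, "~all": 70, "?all": 30, "+all": 0}.get(tail, 30)

def score_dkim(keys):
    """keys: list of (algorithm, bits) found on common selectors; [] means none."""
    if not keys:
        return 0
    return max(100 if alg == "ed25519" or bits >= 2048 else 50 for alg, bits in keys)

def score_dmarc(record):
    if not record or not record.startswith("v=DMARC1"):
        return 0
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    pts = {"none": 30, "quarantine": 75, "reject": 100}.get(tags.get("p"), 0)
    pts *= int(tags.get("pct", "100")) / 100            # pct<100 = partial rollout
    if tags.get("p") != "none" and tags.get("sp", tags.get("p")) == "none":
        pts -= 10                                         # subdomains left unenforced
    if "rua" not in tags:
        pts -= 10                                         # no aggregate reporting
    return max(0, pts)

def score_mx(mx_hosts):
    return 0 if not mx_hosts else (70 if len(mx_hosts) == 1 else 100)

def grade(score):
    return "A" if score >= 90 else "B" if score >= 80 else "C" if score >= 70 else "D" if score >= 60 else "F"

def email_score(spf, dkim_keys, dmarc, mx_hosts):
    parts = {"spf": score_spf(spf), "dkim": score_dkim(dkim_keys),
             "dmarc": score_dmarc(dmarc), "mx": score_mx(mx_hosts)}
    total = round(sum(parts[k] * WEIGHTS[k] for k in parts) / 100)
    # The category losing the most weighted points is the one to fix next.
    focus = max(parts, key=lambda k: (100 - parts[k]) * WEIGHTS[k])
    return {"score": total, "grade": grade(total), "breakdown": parts, "focus": focus}
```

Calling `email_score("v=spf1 include:_spf.example.net ~all", [("rsa", 2048)], "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com", ["mx1.example.com"])` on these constructed records scores 65 (grade D) and points at DMARC as the biggest drag, because the half-rolled-out quarantine policy loses more weighted points than the soft-fail SPF or the single MX host.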

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Why this specific tool matters

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Email Score tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

Email security configuration directly impacts deliverability and phishing protection. A single composite score makes it easy to assess email security posture, compare domains, track improvements over time, and verify compliance with Google/Yahoo/Microsoft bulk sender requirements (2024-2025). Ideal for security dashboards, vendor risk assessments, and email deliverability troubleshooting.

Picture this in real life. Imagine a security manager. Here's the situation they're walking into: establish an email security baseline across all organization domains, then track progression from p=none to p=reject enforcement. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Email Score tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Email Score tool is built for you:

  • Will the emails I send actually reach the inbox, or are they going to spam?

  • Can someone else send phishing emails pretending to be my domain?

  • Have I set up the three rulebooks (SPF, DKIM, DMARC) that mailbox providers now require?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Small-business owners worried about deliverability, marketing managers onboarding a new email service, IT admins prepping for a security audit, and brand teams protecting against phishing. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and your real emails risk landing in the spam folder while scammers find it easier to impersonate your brand. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.

Info:

Available on the pro plan. The technical details: `GET /v1/score/email`.

When would I actually use this?

If you're still on the fence about whether the Email Score tool belongs in your toolbox, this section is for you. Below you'll meet four real people: a security manager, a third-party risk analyst, an email marketing manager, and an IT administrator, each facing a real situation where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: Email Security Baseline

Imagine you're a security manager. Establish an email security baseline across all organization domains. Track progression from p=none to p=reject enforcement.

Why it matters: Track and report email security improvements to leadership with a single metric.

Story 2: Vendor Risk Assessment

Imagine you're a third-party risk analyst. Evaluate vendor email security as part of the due diligence process. Flag vendors with missing SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), or DMARC (Domain-based Message Authentication, Reporting and Conformance) that could be impersonated for phishing.

Why it matters: Identify vendors with weak email security that could pose phishing risk to your organization.

Story 3: Deliverability Troubleshooting

Imagine you're an email marketing manager. Diagnose why emails are landing in spam by checking the email authentication score. Identify which components (SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting and Conformance)) are dragging down the overall score.

Why it matters: Improve email deliverability by addressing specific authentication gaps with prioritized recommendations.

Story 4: Bulk Sender Compliance

Imagine you're an IT administrator. Verify email authentication meets Google, Yahoo, and Microsoft requirements for domains sending 5,000+ emails/day before enforcement deadlines.

Why it matters: Prevent email rejection by ensuring compliance with bulk sender authentication mandates.

Common situations across teams. Beyond the four stories above, here are the everyday workplace moments when people across the company reach for the Email Score tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

  • When setting up email on a brand-new domain.

  • After signing up for a new email-sending service (Mailchimp, SendGrid, HubSpot, etc.).

  • When a customer reports that your emails are landing in their spam folder.

  • Before a security audit, a SOC 2 review, or a major marketing campaign.

If you can see yourself in even one of those bullets, the Email Score tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Email Score tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

The easiest way: just ask your AI assistant

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the Email Score tool to check google.com and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

Tip:

MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.

The technical way: call it from code

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/score/email?domain=google.com"
```

What you need to provide

There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.

| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The domain to score email security for | google.com |

What you get back

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The scored domain |
| score | number | Composite email security score 0-100 |
| grade | string | Letter grade A-F based on score |
| gradeDescription | string | Human-readable grade description |
| breakdown | object | Weighted component scores for SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting and Conformance), MX, and provider |
| records | object | Boolean flags for SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting and Conformance), and MX record (Mail eXchanger record) presence |
| recommendations | array | Prioritized improvement actions ranked by impact |
| componentCount | number | Number of components analyzed |
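An added Python example (my own code, not EdgeDNS's) that makes the same call as the curl command in the previous section and turns the fields in this table into the one-paragraph executive summary and the over-time trend the guide recommends tracking. The sample response is constructed, and the example assumes that breakdown values are plain numbers and that recommendations are strings.

```python
import io
import json
import urllib.request

API = "https://api.edgedns.dev/v1/score/email"

# Constructed sample response (not real API output). Field names come from the table
# above; numeric breakdown values and string recommendations are my assumption.
SAMPLE = {"domain": "example.com", "score": 72, "grade": "C",
          "gradeDescription": "Fair email security",
          "breakdown": {"spf": 25, "dkim": 20, "dmarc": 12, "mx": 15},
          "records": {"has_spf": True, "has_dkim": True, "has_dmarc": True, "has_mx": True},
          "recommendations": ["Move DMARC policy from p=none to p=quarantine"],
          "componentCount": 4}

def sample_opener(req):
    """Stand-in for urllib.request.urlopen so the example runs offline."""
    return io.BytesIO(json.dumps(SAMPLE).encode())

def fetch_score(domain, api_key, opener=urllib.request.urlopen):
    """GET /v1/score/email with the bearer key, the same call as the curl example."""
    req = urllib.request.Request(f"{API}?domain={domain}",
                                 headers={"Authorization": f"Bearer {api_key}"})
    with opener(req) as resp:
        return json.load(resp)

def executive_summary(curr, prev=None):
    """One paragraph for a non-technical reader; adds the trend if `prev` is an
    earlier response for the same domain (the tracking the guide recommends)."""
    parts = [f"{curr['domain']}: grade {curr['grade']} ({curr['score']}/100), "
             f"{curr['gradeDescription']}."]
    if prev is not None:
        delta = curr["score"] - prev["score"]
        trend = "up" if delta > 0 else "down" if delta < 0 else "flat"
        parts.append(f"Trend: {trend} {abs(delta)} points since last check (was {prev['grade']}).")
    missing = [k[4:].upper() for k, ok in curr["records"].items() if not ok]
    if missing:
        parts.append("Not published at all: " + ", ".join(missing) + ".")
    # recommendations are already ranked by impact, so the first one is the next action
    parts.append(f"Next action: {curr['recommendations'][0]}.")
    return " ".join(parts)

if __name__ == "__main__":
    current = fetch_score("example.com", "edns_live_YOUR_KEY", opener=sample_opener)
    print(executive_summary(current, prev={"score": 58, "grade": "F"}))
```

Drop the `opener=sample_opener` argument to hit the live endpoint with your real key; the summary function works unchanged on the real response.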

Words you might be wondering about

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

MX record (Mail eXchanger record) — A DNS entry that tells the internet which servers handle email for your domain.

SPF (Sender Policy Framework) — A list, published in your DNS, of which servers are allowed to send email pretending to be you. Helps stop spammers from forging your address.

DKIM (DomainKeys Identified Mail) — A digital signature added to every email you send. The receiving mail server checks the signature to make sure the message really came from you and was not changed in transit.

DMARC (Domain-based Message Authentication, Reporting and Conformance) — An email rulebook you publish in your DNS. It tells receiving servers what to do with email that fails SPF or DKIM checks — ignore it, send it to spam, or block it entirely.

DoH (DNS over HTTPS) — A modern way of sending DNS queries that hides them inside encrypted HTTPS traffic, so people on the same network can't see which websites you're looking up.
