Understanding your check results

Your letter grade, checklist, and what to fix first — so you know how exposed your business is.

Your letter grade (A–F)

Your grade shows how easily scammers could abuse your domain in email. A or B means your customers are well protected. C means partial coverage — some fakes could still get through. D or F means urgent gaps that could cost you money or trust.

Core protections (3 of 3)

We count three essentials: fake-email blocking policy, approved senders list, and email signature verification. Brand logo in inbox (BIMI) is optional and does not affect your grade.

What each Yes/No line means

Each row is one layer protecting your business — not your overall safety in one lump sum.

  • Approved sender list — Can unauthorized servers send mail as @yourdomain? Separate from whether fake mail still reaches your customers.
  • Email signature verification — Do your messages carry proof they really came from you?
  • Fake-email blocking policy — If checks fail, are your customers' inboxes told to reject mail claiming to be from you? This is why fake invoices can still arrive even when your sender list looks fine.

At risk or Needs work means scammers could exploit that gap. Protected means you're covered there.

Fix this first

The highlighted priority item is usually the biggest impersonation risk. For many domains, that is a missing or monitor-only DMARC policy. Share the report with your IT provider or DNS host and ask them to implement the missing piece.

After you make changes

DNS updates can take hours to propagate. Re-run the check the next day to confirm the grade improved.

Frequently asked questions

Why do I have SPF but still a low grade?

The approved sender list (SPF) and the fake-email blocking policy (DMARC) do different jobs. SPF controls which servers may send as your domain. DMARC tells receivers what to do when a message fails authentication — without it, fake invoices can still reach inboxes. DKIM also helps prove messages are authentic.

Why can fake mail still arrive if strangers can't send as my domain?

Those are two different checks. Your sender list may block unauthorized servers, but without a blocking policy, mail that fails authentication can still be delivered. The checklist labels each layer so you can see which one is missing.

Run another check