
Your letter grade, checklist, and what to fix first — so you know how exposed your business is.
Your grade shows how easily scammers could abuse your domain in email. A or B means your customers are well protected. C means partial coverage — some fakes could still get through. D or F means urgent gaps that could cost you money or trust.
We count three essentials: fake-email blocking policy, approved senders list, and email signature verification. Brand logo in inbox (BIMI) is optional and does not affect your grade.
Each row is one layer protecting your business — not your overall safety in one lump sum.
At risk or Needs work means scammers could exploit that gap. Protected means you're covered there.
The highlighted priority item is usually the biggest impersonation risk. For many domains, that is a missing or monitor-only DMARC policy. Share the report with your IT provider or DNS host and ask them to implement the missing piece.
DNS updates can take hours to propagate. Re-run the check the next day to confirm the grade improved.
The approved sender list (SPF) and the fake-email blocking policy (DMARC) do different jobs. SPF controls which servers may send as your domain. DMARC tells receivers what to do when a message fails authentication — without it, fake invoices can still reach inboxes. DKIM also helps prove messages are authentic.
Those are two different checks. Your sender list may block unauthorized servers, but without a blocking policy, mail that fails authentication can still be delivered. The checklist labels each layer so you can see which one is missing.