Free Email Deliverability Checker

SPF, DKIM, DMARC, FCrDNS, Blacklists & Inbox Prediction

Enter the domain you want to scan, e.g. example.com.

Compliance summary

SPF: 0/15
DKIM: 0/20
DMARC: 0/30
Reputation: 0/25
Modern: 0/10

Inbox Placement Prediction

An estimate of where your emails are likely to end up at each major provider: the inbox, the spam folder, or rejected before they're even delivered.

Gmail: Inbox --%, Spam --%, Rejected --%

Outlook: Inbox --%, Spam --%, Rejected --%

Yahoo: Inbox --%, Spam --%, Rejected --%

A note on volume: these predictions assume bulk sending, more than around 5,000 messages a day to Gmail, Yahoo, or Outlook.com. If you only send a handful of emails a week, your real placement is usually a little better than the numbers above suggest.

How is this calculated?

This isn't real telemetry from Gmail, Outlook, or Yahoo. No public tool has access to that. It's a heuristic that combines your authentication results (SPF, DKIM, DMARC), your IP and domain reputation, and what each provider enforces under the bulk-sender rules that Google and Yahoo introduced in 2024 and Microsoft introduced for Outlook in May 2025.

Treat it as a directional estimate: a low number means there are real problems worth fixing; a high number means you're set up the way the major providers want to see. For exact numbers, you'd need to run a live test through a seed-list service like GlockApps or Mail-Tester.

Gmail, Yahoo & Outlook Bulk Sender Requirements

Rules for sending 5,000+ emails a day to Gmail or Yahoo (in force since February 2024) and to Outlook.com, Hotmail and Live (in force since May 2025).

IP Reputation & FCrDNS

Domain Reputation

SPF Record

Mail Servers (MX)

Service Discovery (SRV)

DKIM Records

Comma-separate multiple selectors (e.g. google, s1, selector1).

DMARC Record

MTA-STS

TLS-RPT

BIMI (Optional)

DANE/TLSA (Optional)

Nameservers

Zone Authority (SOA)

Diagnose SPF, DKIM and DMARC issues: free, no signup

Wondering why your emails are vanishing into spam folders? Our free email health checker gives you an instant, plain-English breakdown of your technical setup. We scan your domain's SPF records, DKIM signatures, and DMARC policies to find the hidden configuration errors that are hurting your reputation and blocking your messages.

Since early 2024, Google, Microsoft, and Yahoo have started enforcing strict security rules for all senders. If your SPF, DKIM, or DMARC records are missing or misconfigured, your invoices, marketing emails, and customer replies might never arrive. Our tool validates everything from basic authentication to modern standards like MTA-STS, TLS-RPT, and BIMI to ensure you're fully compliant and your brand is protected.

We don't just check your DNS. We also scan major email blacklists (RBLs) to see if your mail server IPs have been flagged, and we verify your Forward-Confirmed reverse DNS (FCrDNS). You'll get clear, actionable steps and setup guides for Google Workspace, Microsoft 365, Mailchimp, SendGrid, and dozens of other popular services.

Struggling to fix a complex issue? OSH.co.za specialises in DMARC implementation and professional email deliverability consulting. We help businesses across South Africa and the globe secure their domains, improve their inbox placement, and stop spoofing attacks once and for all.

Frequently Asked Questions

What is SPF and how does it protect my email?

SPF (Sender Policy Framework) is like a "guest list" for your domain. It's a record in your DNS that tells the world which servers are allowed to send email on your behalf. When you send an email, the receiving server checks this list to make sure the sender is authorised.

Without SPF: Anyone can send an email pretending to be from your domain. Spam filters often block these emails because they can't verify who really sent them, and phishers can easily impersonate your business to trick your customers.

Common SPF mistakes:

  • Too many "lookups": SPF allows at most 10 DNS lookups when your record is evaluated, and each service you include usually uses at least one. If you exceed this, your SPF record breaks.
  • Using +all: This basically tells the world "anyone can send as me," which defeats the purpose of having a record.
  • Forgetting services: If you use tools like Mailchimp, Xero, or a CRM, they must be included in your SPF list.

Use our free scanner above to check if your record is valid and see if you're close to the 10-lookup limit. If your setup is complex, use our free SPF Builder to generate a clean, validated record.
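The lookup count and the +all check described above can be reproduced offline. The following is an added example, not the scanner's own code; the zone contents and the names `ZONE`, `count_lookups` and `audit` are constructed for illustration, and a real check would fetch the TXT records from DNS.

```python
# Constructed sample zone: TXT records keyed by domain (not real DNS data).
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:crm.example mx ~all",
    "_spf.mail.example": "v=spf1 include:a.mail.example include:b.mail.example ~all",
    "a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.mail.example": "v=spf1 ip4:198.51.100.0/24 a ~all",
    "crm.example": "v=spf1 exists:%{i}.crm.example -all",
    "open.example": "v=spf1 +all",
}
# Terms that cost one DNS lookup each during SPF evaluation (RFC 7208).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
LIMIT = 10


def term_name(term):
    """Strip the qualifier and argument: '~include:x' -> 'include'."""
    term = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        term = term.split(sep, 1)[0]
    return term


def count_lookups(domain, zone, path=frozenset()):
    """Count lookup-costing terms, following include/redirect recursively."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:
        name = term_name(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            target = term.partition(":" if name == "include" else "=")[2]
            total += count_lookups(target.lower(), zone, path | {domain})
    return total


def audit(domain, zone):
    """Return (lookup_count, findings) for the SPF record of `domain`."""
    terms = zone.get(domain, "").lower().split()
    count = count_lookups(domain, zone)
    findings = []
    if count > LIMIT:
        findings.append("over the 10-lookup limit")
    if "+all" in terms or "all" in terms:  # a bare 'all' defaults to '+'
        findings.append("+all authorises every sender")
    return count, findings
```

Nested includes count too: the sample `example.com` record names only two services and `mx`, yet costs 7 lookups once the includes are followed.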

What is DKIM and why is it important?

DKIM (DomainKeys Identified Mail) is like a "digital wax seal" for your emails. It adds a hidden cryptographic signature to every message you send. The receiving server uses this to confirm that the email really came from you and wasn't tampered with while travelling across the internet.

How it works:

  1. Your mail server "stamps" outgoing mail with a private key.
  2. You publish a matching public key in your DNS records.
  3. The receiver checks the "stamp" against your public key.
  4. If they match, the email is trusted and much more likely to reach the inbox.

Key things to know:

  • Security level: Modern systems use 2048-bit keys. Older 1024-bit keys are now considered weak and should be updated.
  • Multiple keys: You can have different keys (called "selectors") for different services, like one for Gmail and one for your newsletter.

Our scanner automatically checks hundreds of common keys to see if yours is working. Use our DKIM Checker to scan your domain's selectors directly.

How does DMARC stop hackers from using my domain?

DMARC is the "instruction manual" for your domain's security. It tells receiving servers exactly what to do if they receive an email that fails SPF or DKIM checks. It also asks them to send you a report so you can see who is trying to use your domain.

The three levels of protection:

  • p=none: Monitor only. No emails are blocked. This is the "safe" starting point to see what's happening.
  • p=quarantine: Send to spam. If an email looks fake, it's hidden from the recipient's main inbox.
  • p=reject: Full block. Fake emails are deleted before they ever reach the recipient. This is the ultimate goal for security.

The right way to do it: Don't start at "reject" or you might block your own legitimate mail. Start at "none," check your reports for a few weeks to make sure everything is authorised, and then slowly move up to full protection.

Our scanner will show you your current policy level and if your reporting is set up correctly. Use our DMARC Builder to generate the right record for your policy level.
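To see what "policy level" and "reporting set up correctly" mean at the record level, here is an added example (not the scanner's code) that parses a DMARC TXT record and lists the gaps a reviewer would flag. The function names and finding texts are hypothetical; the tags (`v`, `p`, `sp`, `pct`, `rua`) are the standard DMARC ones.

```python
ORDER = {"none": 0, "quarantine": 1, "reject": 2}  # weakest to strictest


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; raise ValueError if malformed."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and is case-sensitive.
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in ORDER:
        raise ValueError("missing or invalid p= policy")
    return tags


def assess(txt):
    """Return (policy, findings) describing enforcement and reporting gaps."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    findings = []
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        findings.append("no rua= address: aggregate reports will not be sent")
    elif not all(u.lower().startswith("mailto:") for u in rua):
        findings.append("rua= entries should be mailto: URIs")
    if policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"policy applies to only {pct}% of failing mail")
    sp = tags.get("sp", policy).lower()
    if ORDER.get(sp, 0) < ORDER[policy]:
        findings.append(f"subdomains use weaker sp={sp}")
    return policy, findings
```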

Why is my email landing in the spam folder?

Emails go to spam for many reasons, but it usually comes down to trust. Here are the most common trust issues:

  • Broken authentication: If SPF, DKIM, or DMARC are missing or wrong, servers don't trust you. Run our scanner to find these gaps.
  • Blacklisting: Your server might be on a "naughty list" because of previous spam activity. We check 12+ blacklists for you.
  • No "Reverse DNS": Your server needs a valid identity that matches your domain. Without it, you look like a spammer.
  • High complaint rates: If too many people click "Report Spam," providers will start filtering all your mail. Keep your list clean!
  • Content triggers: Using excessive images, misleading subject lines, or missing an unsubscribe link can trigger automated filters.

Start with a free scan above. It identifies the technical reasons you might be struggling, including your blacklist status, SPF record, and DKIM setup.
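The "Reverse DNS" item above refers to Forward-Confirmed reverse DNS: the sending IP's PTR name must resolve back to the same IP. This added example (not the scanner's code) implements that check; the sample tables and the `sample_check` helper are constructed so it runs without live DNS.

```python
import ipaddress
import socket

# Constructed sample data standing in for DNS answers (documentation ranges).
SAMPLE_PTR = {"192.0.2.25": ["mail.example.com."], "192.0.2.99": ["host.isp.example."]}
SAMPLE_A = {"mail.example.com.": ["192.0.2.25"], "host.isp.example.": ["198.51.100.7"]}


def system_ptr(ip):
    """Reverse lookup through the system resolver; [] when there is no PTR."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []


def system_forward(host):
    """Forward lookup (A and AAAA) through the system resolver."""
    try:
        return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()


def fcrdns(ip, ptr=system_ptr, forward=system_forward):
    """Return (passed, detail): does any PTR name resolve back to `ip`?"""
    wanted = ipaddress.ip_address(ip)
    names = ptr(ip)
    if not names:
        return False, "no PTR record"
    for name in names:
        if wanted in {ipaddress.ip_address(a) for a in forward(name)}:
            return True, name.rstrip(".")
    return False, "PTR name does not resolve back to the sending IP"


def sample_check(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return fcrdns(ip, lambda i: SAMPLE_PTR.get(i, []), lambda h: SAMPLE_A.get(h, []))
```

Calling `fcrdns(ip)` with the default resolvers performs the same check against live DNS.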

What are the new sender rules from Google, Yahoo and Microsoft?

Google and Yahoo started enforcing strict authentication rules in February 2024. Microsoft followed in May 2025 with the same rules for mail to Outlook.com, Hotmail and Live. The threshold is the same in both cases: 5,000+ messages a day. Miss any of the requirements and your mail will get filtered to junk or rejected outright (Microsoft uses the bounce code 550 5.7.515).

The mandatory rules are:

  • Authenticate: You must have valid SPF and DKIM records.
  • Security Policy: You must have a DMARC record (even if it's just p=none).
  • Alignment: Your "From" address must match your authenticated domain.
  • One-Click Unsubscribe: Marketing emails must include a simple way for users to opt out.
  • Low Spam Rates: You must keep your spam complaint rate below 0.1%.

While these rules are technically for "bulk senders," they are now considered the gold standard for all email and will improve your delivery rates regardless of how much you send.

Our Compliance Checklist above checks your domain against these rules instantly. Use our SPF Checker, DKIM Checker, and DMARC Builder to get compliant quickly.

What is MTA-STS and do I really need it?

MTA-STS is like an "encrypted tunnel" for your email. It tells other mail servers that they must use a secure, encrypted connection to talk to you. This prevents hackers from intercepting your emails by forcing them into plain text (an attack called "downgrading").

The three levels of security:

  • enforce: Servers must use encryption or the email won't be delivered. This is the highest level of protection.
  • testing: Servers try to use encryption and report any problems, but the email still goes through even if it fails.
  • none: Encryption isn't enforced.

Do you need it? While not mandatory like SPF, it's becoming a standard for businesses that care about privacy. It works best when paired with TLS Reporting (TLS-RPT) so you can monitor for any connection issues.

Check yours with our MTA-STS Checker, and pair it with TLS-RPT to monitor for any connection issues.
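The three modes act on a small policy file that the receiving domain publishes at `https://mta-sts.<domain>/.well-known/mta-sts.txt`. This added example (not the checker's code) parses such a file and applies the mode to one delivery attempt; the sample policy is constructed and the decision labels are hypothetical.

```python
# Constructed sample policy file (lines are CRLF-separated key: value pairs).
SAMPLE = ("version: STSv1\r\nmode: testing\r\nmx: mail.example.com\r\n"
          "mx: *.mx.example.net\r\nmax_age: 86400\r\n")


def parse_policy(text):
    """Parse an MTA-STS policy file; raise ValueError if a field is invalid."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a key: value line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())  # mx may repeat
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx pattern is required")
    policy["max_age"] = int(policy.get("max_age", ""))  # required, in seconds
    return policy


def mx_allowed(host, patterns):
    """True if the MX host matches a policy pattern."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            # A wildcard covers exactly one left-most label.
            if "." in host and host.split(".", 1)[1] == pat[2:]:
                return True
        elif host == pat:
            return True
    return False


def delivery_decision(policy, mx_host, tls_ok):
    """What a sending server does for this MX under the policy's mode."""
    if (tls_ok and mx_allowed(mx_host, policy["mx"])) or policy["mode"] == "none":
        return "deliver"
    return "deliver and report" if policy["mode"] == "testing" else "do not deliver"
```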

What is TLS Reporting (TLS-RPT)?

TLS-RPT is like a "daily health report" for your email encryption. It asks other mail servers to send you a summary if they had trouble connecting to you securely. This helps you catch expired security certificates or network issues before they start blocking your mail.

Why it helps:

  • It alerts you if your security certificates are broken or misconfigured.
  • It's essential if you want to move to a secure MTA-STS policy.
  • It helps you understand why emails from certain senders might be failing.

Setting it up is simple: you just add a small text record to your DNS that includes your email address for reports.

Adding TLS-RPT boosts your deliverability score on our scanner. Check your current record with our TLS-RPT Checker, and make sure your MTA-STS policy is in place too.

How do I get my company logo to show in inboxes?

Getting your logo in the inbox (like you see with big brands in Gmail) is done using BIMI. It gives your emails instant brand recognition and acts as a "verified" badge, showing recipients that the email is definitely from you.

What you need for BIMI:

  • Strict Security: Your DMARC policy must be set to "quarantine" or "reject".
  • A Special Logo File: Your logo must be in a specific format (SVG Tiny PS).
  • A Certificate (VMC): To show up in Gmail, you usually need a "Verified Mark Certificate," which is like a digital ID card for your logo.

Note: Some providers like Apple and Yahoo will show your logo without the expensive VMC certificate, but Gmail currently requires it.

BIMI is the "gold standard" for fully secured domains. Check if yours is configured with our BIMI Checker. You'll need a strict DMARC policy first.

What is an email blacklist?

A blacklist (or RBL) is a database of servers known for sending spam. If your sending server ends up on one of these lists, your emails will be blocked or sent to spam across thousands of providers at once.

Why do servers get blacklisted?

  • Your server was hacked and used to send spam without your knowledge.
  • You are sending emails to "spam traps" (fake addresses used to catch spammers).
  • Too many recipients are clicking "Report Spam" on your emails.
  • Your server is misconfigured as an "open relay" that anyone can use.

How to get removed: First, find and fix the reason you were listed. Then, use our scanner above to find the direct removal links for each blacklist provider. Most will remove you within 24-48 hours once the issue is resolved.

Use our Blacklist Checker to find which lists you're on and get direct removal links. Fixing your SPF and DKIM records before requesting removal improves your chances of staying off.

How can I improve my email deliverability score?

Your deliverability score is a health check for your domain's reputation. Our tool calculates this score out of 100 based on your authentication setup, security records, and server reputation.

What makes up your score:

  • SPF & DKIM: The foundation. Having these correctly set up is essential.
  • DMARC: You get more points for having a strict "quarantine" or "reject" policy.
  • Reputation: Your score drops if you are blacklisted or have broken server records.
  • Modern Standards: Bonus points for having advanced tools like MTA-STS and TLS-RPT.

What the scores mean:

  • 90+: Excellent. You have the best possible chance of reaching the inbox.
  • 70-89: Good, but there are some minor security gaps to close.
  • Below 50: High risk. Your emails are likely being blocked or sent to spam.

Run a free scan above to see your score and get a step-by-step list of how to improve it. Contact OSH.co.za for a professional audit.