OSH.co.za - Email Deliverability and DMARC Specialists

🔒 OSH.co.za Domain Deliverability Checker

SPF, DKIM, DMARC, FCrDNS, Blacklists & Inbox Prediction


Free Email Deliverability Checker - Diagnose SPF, DKIM, DMARC Issues

Are your emails landing in spam folders? Our free domain deliverability checker provides instant, comprehensive analysis of your email authentication setup. This tool scans your domain's SPF records, DKIM signatures, and DMARC policies to identify configuration errors that cause email delivery failures.

Email authentication has become critical since Google, Microsoft, and Yahoo implemented strict sender requirements in 2024. Without properly configured SPF, DKIM, and DMARC records, your marketing emails, invoices, and important business communications may never reach your customers' inboxes. Our checker also validates MTA-STS, TLS-RPT, BIMI, and DANE records for complete email security compliance.

Beyond authentication, we check if your mail server IPs are listed on email blacklists (RBLs) and verify Forward-Confirmed reverse DNS (FCrDNS). Get actionable recommendations with provider-specific setup guides for Google Workspace, Microsoft 365, Mailchimp, SendGrid, and 50+ other email services.

Need professional help? OSH.co.za specialises in DMARC implementation and email deliverability consulting for businesses across South Africa and worldwide. We help companies fix email authentication issues, improve inbox placement rates, and protect their domains from spoofing and phishing attacks.

Frequently Asked Questions

What is SPF and why do I need it?


SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorised to send email on behalf of your domain. When a receiving mail server gets an email claiming to be from your domain, it checks your SPF record to verify the sending server is on your approved list.

Without SPF: Anyone can send email pretending to be you. Spam filters will treat your legitimate emails with suspicion, and phishers can impersonate your domain to deceive your customers and partners.

Common SPF mistakes to avoid:

  • Too many DNS lookups — SPF allows a maximum of 10 DNS lookups. Exceeding this causes a "PermError" and your emails may fail authentication.
  • Using +all — This allows any server to send as you. Always use ~all (softfail) or -all (hardfail).
  • Forgetting third-party senders — If you use marketing tools, CRMs, or transactional email services, their sending servers must be included in your SPF record.
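The lookup limit and the +all mistake can both be checked mechanically. The following is an added example, not code from OSH.co.za's scanner: it walks nested include and redirect terms and counts the ones that cost a DNS lookup. The zone contents and domain names are constructed sample data, and no live DNS is queried.

```python
# Constructed zone data (assumption): TXT records keyed by name, no live DNS.
ZONE = {
    "example.co.za": "v=spf1 a mx include:_spf.mail.example "
                     "include:_spf.crm.example include:_spf.news.example ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.crm.example": "v=spf1 a mx exists:%{i}.allow.crm.example -all",
    "_spf.news.example": "v=spf1 include:_a.mail.example ~all",
    "open.example": "v=spf1 ip4:203.0.113.7 +all",
}
# Terms that cost one DNS lookup each (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(domain, zone, path=()):
    """Return (dns_lookups, findings) for the SPF record published at domain."""
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0, [f"{domain}: no SPF record"]
    if domain in path:  # only a true cycle; the same include on two branches is legal
        return 0, [f"{domain}: include loop"]
    lookups, findings = 0, []
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # bare "all" means +all
        body = term.lstrip("+-~?").lower()
        if body.startswith("redirect="):
            name, target = "redirect", body[len("redirect="):]
        else:
            name, _, target = body.partition(":")
            name = name.split("/")[0]  # drop a CIDR suffix such as a/24
        if name == "all" and qualifier == "+":
            findings.append(f"{domain}: +all authorises any server")
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect"):
            nested, nested_findings = audit_spf(target, zone, path + (domain,))
            lookups += nested
            findings += nested_findings
    if not path and lookups > 10:
        findings.append(f"{domain}: {lookups} DNS lookups, over the limit of 10 (PermError)")
    return lookups, findings
```

Three ordinary-looking includes are enough to push the sample example.co.za record to 11 lookups, because each provider's record carries lookups of its own.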

Use the free scanner above to check your SPF record, count your DNS lookups, and identify any issues. OSH.co.za can help you build and maintain a correct SPF record for complex sending setups.

What is DKIM and how does it work?


DKIM (DomainKeys Identified Mail) adds a cryptographic digital signature to every outgoing email. The receiving server looks up a public key in your DNS records and uses it to verify the signature — proving the email genuinely came from your domain and was not altered in transit.

How it works in practice:

  1. Your mail server signs outgoing messages with a private key
  2. The public key is published as a DNS TXT record at selector._domainkey.yourdomain.com
  3. Receiving servers fetch your public key and verify the signature
  4. If the signature matches, the email passes DKIM — boosting deliverability and trust

Key things to know:

  • Key size matters — Use 2048-bit keys. The older 1024-bit keys are considered weak and should be rotated.
  • Multiple selectors — You can have multiple DKIM keys (selectors) active at once, which is useful when rotating keys or using multiple sending services.
  • ESPs set it up for you — Email providers like Google Workspace, Microsoft 365, and SendGrid provide DKIM keys you publish in your DNS.
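To check key size from the published record itself, the RSA modulus can be read out of the p= tag. The following is an added example, not code from OSH.co.za's scanner: it assumes an RSA key (k=rsa) and uses sample records built with a placeholder modulus, which are structurally valid but not usable keys.

```python
import base64

RSA_ALG = bytes.fromhex("06092a864886f70d0101010500")  # rsaEncryption OID + NULL

def tlv(tag, content):
    """DER-encode one tag/length/value element (used only to build samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def sample_dkim_record(bits):
    """Constructed DKIM TXT value holding a placeholder modulus of `bits` bits."""
    values = ((1 << (bits - 1)) | 1, 65537)  # (modulus, public exponent)
    ints = b"".join(tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in values)
    spki = tlv(0x30, tlv(0x30, RSA_ALG) + tlv(0x03, b"\x00" + tlv(0x30, ints)))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:  # long form: low bits give the number of length bytes
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def dkim_key_bits(record):
    """RSA modulus size in bits; 0 when p= is empty (a revoked key)."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if not tags.get("p"):
        return 0
    spki = base64.b64decode(tags["p"])
    _, outer, _ = read_tlv(spki, 0)          # SubjectPublicKeyInfo
    _, _, pos = read_tlv(outer, 0)           # skip AlgorithmIdentifier
    _, bitstr, _ = read_tlv(outer, pos)      # BIT STRING wrapping the key
    _, rsa_key, _ = read_tlv(bitstr[1:], 0)  # skip the unused-bits byte
    _, modulus, _ = read_tlv(rsa_key, 0)     # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()
```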

Our scanner checks 500+ DKIM selectors from 100+ email providers automatically. If your DKIM isn't detected, OSH.co.za can help identify and configure the correct selectors for your mail platform.

What does DMARC do and how do I set it up?


DMARC (Domain-based Message Authentication, Reporting & Conformance) is the final layer of email authentication. It tells receiving servers what to do when an email fails SPF or DKIM checks, and sends you reports showing exactly who is sending email as your domain.

The three DMARC policy levels:

  • p=none — Monitor only. No emails are blocked. Use this first to collect reports and understand your email flows before enforcing anything.
  • p=quarantine — Suspicious emails go to spam. Failing emails are delivered to the junk folder rather than the inbox. A good intermediate step.
  • p=reject — Full protection. Emails that fail DMARC are rejected outright. Spoofed emails never reach your recipients.

Recommended rollout path: Start at p=none with a reporting address (rua=). Review reports for 2–4 weeks to confirm all your legitimate sending services pass SPF and DKIM. Then move to p=quarantine, and finally p=reject.

DMARC is now required by Google and Yahoo for anyone sending more than 5,000 emails per day. Even if you send less, having DMARC significantly improves deliverability and protects your brand reputation.
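What a receiver does with a message depends on alignment as well as on the policy. The following is an added example, not code from OSH.co.za's scanner: it evaluates one message against a DMARC record. The record, domains and results are constructed, ORG_SUFFIXES is a small stand-in for the Public Suffix List, and the pct= and sp= tags are ignored.

```python
# Constructed inputs; ORG_SUFFIXES is a tiny stand-in for the Public Suffix
# List (assumption), enough for the sample domains used here.
ORG_SUFFIXES = {"com", "net", "org", "co.za"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in ORG_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same org domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from the receiver.
    pct= and sp= are ignored to keep the example to the core logic."""
    tags = {k.strip().lower(): v.strip() for k, _, v in
            (part.partition("=") for part in record.split(";")) if v}
    policy = tags.get("p")
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return "no valid policy"
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "fail, delivered (monitor only)",
            "quarantine": "fail, sent to spam",
            "reject": "fail, rejected"}[policy]

RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.za; adkim=s"
# Newsletter via a third party: SPF passes for the provider's bounce domain
# (not aligned), DKIM is signed as example.co.za (aligned).
NEWSLETTER = dmarc_result(RECORD, "example.co.za",
                          ("pass", "bounce.esp-example.net"), ("pass", "example.co.za"))
# Same provider, DKIM signed as a subdomain: fails under strict adkim=s.
SUBDOMAIN = dmarc_result(RECORD, "example.co.za",
                         ("pass", "bounce.esp-example.net"), ("pass", "mail.example.co.za"))
```

The second case is the kind of legitimate sender that reports collected at p=none are meant to surface before the policy is tightened.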

The scanner above analyses your DMARC policy, alignment settings, and reporting configuration. Need help interpreting your DMARC reports or advancing your policy? OSH.co.za provides DMARC monitoring and implementation services.

Why are my emails going to spam?


Emails land in spam for several reasons. The most common causes — and how to fix them:

  • Missing or broken SPF/DKIM/DMARC — The #1 cause. Without these, spam filters don't trust your email. Run the scanner above to check.
  • IP or domain on a blacklist — Your sending IP may have been listed on an RBL (Realtime Blackhole List). Our scanner checks 12+ blacklists and provides delisting links.
  • No reverse DNS (PTR record) — Your mail server's IP should resolve back to a hostname that matches the sending domain. Missing PTR records are a major spam trigger.
  • Spam complaint rate too high — If too many recipients mark your emails as spam, providers like Gmail will start filtering your messages. Keep complaint rates below 0.1%.
  • Sending from a free domain — Using an @gmail.com or @yahoo.com From address while sending through a business mail server often fails DMARC alignment.
  • Content triggers — Certain words, excessive images, misleading subject lines, or broken HTML can activate spam filters regardless of authentication.
  • No unsubscribe link — Required for bulk senders since 2024. Missing one-click unsubscribe can cause deliverability penalties.

Start with a free scan above — it will identify authentication gaps, blacklist listings, and reputation issues. If problems persist after fixing the identified issues, OSH.co.za can perform a full deliverability audit and remediation.

What are the Google and Yahoo 2024 bulk sender requirements?


From February 2024, Google (Gmail) and Yahoo enforced strict requirements for anyone sending more than 5,000 emails per day. Microsoft followed with similar guidance. Non-compliance results in emails being rejected or spam-foldered.

The mandatory requirements are:

  • Valid SPF record — Your sending IP must be authorised in your domain's SPF record.
  • Valid DKIM signature — Emails must be signed with DKIM using a 2048-bit key.
  • DMARC policy — A DMARC record must exist at minimum p=none. Google recommends moving toward enforcement.
  • Matching From domain — The domain in the From address must align with either SPF or DKIM (DMARC alignment).
  • One-click unsubscribe — Marketing emails must support RFC 8058 List-Unsubscribe and honour requests within 2 days.
  • Spam rate below 0.3% — Maintain spam complaint rates below 0.1% to stay in good standing; above 0.3% triggers enforcement actions.
  • Valid PTR record — Your sending IP must have a valid reverse DNS record.

These rules apply to all senders, not just bulk. Even if you send fewer than 5,000 emails per day, meeting these requirements is considered best practice and improves deliverability for everyone.

Our Bulk Sender Compliance Checklist (shown in the scan results above) evaluates your domain against all of these requirements. OSH.co.za can help you achieve full compliance quickly.

What is MTA-STS and do I need it?


MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard that tells sending mail servers they must use TLS encryption when delivering email to your domain. Without it, a man-in-the-middle attacker could intercept emails in transit by forcing a downgrade to an unencrypted connection.

The three MTA-STS policy modes:

  • enforce — Sending servers must establish a TLS connection or they won't deliver the message at all. Maximum protection.
  • testing — TLS is attempted, but failures are only reported (not blocked). Ideal for monitoring before enforcing.
  • none — The policy exists but is inactive. Useful as a placeholder during setup.

MTA-STS requires two things:

  1. A DNS TXT record at _mta-sts.yourdomain.com with v=STSv1; id=YYYYMMDDHHMMSS;
  2. A policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt over a valid HTTPS connection

MTA-STS works best alongside TLS-RPT, which sends you reports about TLS delivery failures so you can monitor before switching to enforce mode.
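Before moving to enforce mode, it is worth confirming that the TXT record, the policy file and the domain's MX hosts agree with each other. The following is an added example, not code from OSH.co.za's scanner: the policy file keys (version, mode, mx, max_age) and the wildcard rule come from RFC 8461, and the sample record, policy and hostnames are constructed.

```python
# Constructed samples (assumption): a TXT record and policy file for example.co.za.
SAMPLE_TXT = "v=STSv1; id=20240101000000;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.co.za
mx: *.mx.example.co.za
max_age: 604800
"""

def parse_policy(text):
    """Parse the key: value lines of mta-sts.txt; the mx key may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "mx":
            policy["mx"].append(value.strip().lower())
        elif sep:
            policy[key.strip()] = value.strip()
    return policy

def mx_covered(host, patterns):
    """'*.example.com' matches exactly one extra left-most label (RFC 8461)."""
    host = host.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else ""
    return any(host == p or (p.startswith("*.") and parent == p[2:]) for p in patterns)

def audit_mta_sts(txt, policy_text, mx_hosts):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    if tags.get("v") != "STSv1" or not tags.get("id"):
        findings.append("TXT record needs v=STSv1 and an id")
    policy = parse_policy(policy_text)
    mode = policy.get("mode")
    if policy.get("version") != "STSv1":
        findings.append("policy file needs version: STSv1")
    if mode not in ("enforce", "testing", "none"):
        findings.append(f"invalid mode: {mode}")
    elif mode != "enforce":
        findings.append(f"mode is {mode}: TLS failures are not blocked")
    if not policy.get("max_age", "").isdigit():
        findings.append("max_age missing or not a number")
    for host in mx_hosts:
        if not mx_covered(host, policy["mx"]):
            findings.append(f"MX {host} is not listed in the policy")
    return findings
```

An MX host missing from the policy matters most in enforce mode, where senders that honour MTA-STS will not deliver to it.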

While not currently mandatory, MTA-STS is strongly recommended for any domain that receives sensitive email. Our scanner checks both the DNS record and the policy file. Need help setting it up? OSH.co.za can configure MTA-STS for your domain.

What is TLS-RPT and how does it help?


TLS-RPT (TLS Reporting) is a DNS record that instructs sending mail servers to send you daily reports whenever they encounter TLS connection failures while trying to deliver email to your domain. It complements MTA-STS by giving you visibility into encryption problems before they affect delivery.

Why TLS-RPT matters:

  • Reveals expired or misconfigured TLS certificates on your mail servers
  • Essential when running MTA-STS in testing mode — you see failures without blocking mail
  • Helps diagnose why emails from specific senders aren't arriving
  • Reports are in JSON format and can be processed by reporting services

How to add it: Create a DNS TXT record at _smtp._tls.yourdomain.com with:

v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com

You can also point rua to an HTTPS endpoint if you use a reporting service.

TLS-RPT adds +4 points to your deliverability score and is a quick win for any domain. OSH.co.za can set up TLS reporting and help you interpret the results.

What is BIMI and how do I get my logo in Gmail?


BIMI (Brand Indicators for Message Identification) is an email standard that displays your company logo next to your emails in supporting inboxes — including Gmail, Yahoo Mail, Apple Mail, and Fastmail. It provides instant brand recognition and signals to recipients that the email is genuine.

Requirements for BIMI:

  • DMARC at p=quarantine or p=reject — p=none is not sufficient. You must be actively enforcing DMARC.
  • SVG logo file — Must be in a specific SVG Tiny PS format, hosted at a public HTTPS URL.
  • VMC certificate (for Gmail) — Gmail requires a Verified Mark Certificate (VMC) issued by a CA like DigiCert or Entrust. This verifies your logo is trademarked and associated with your brand.
  • BIMI DNS record — A TXT record at default._bimi.yourdomain.com pointing to your logo URL and VMC.

Note: Yahoo Mail and some others display BIMI logos without requiring a VMC. Gmail requires the VMC for logo display.

BIMI is an advanced feature that builds on a fully configured SPF, DKIM, and DMARC setup. If you're ready to implement BIMI or want to get your logo appearing in Gmail, OSH.co.za can guide you through the full process.

What is an email blacklist and how do I get removed?


An email blacklist (or RBL — Realtime Blackhole List) is a database of IP addresses or domains known to send spam. Mail servers check these lists when deciding whether to accept incoming email. Being listed can cause your emails to be rejected or spam-foldered across thousands of mail servers simultaneously.

Common reasons for blacklisting:

  • Your server was compromised and used to send spam
  • High spam complaint rates from your email campaigns
  • Sending to spam trap addresses (old or never-used email addresses)
  • A previous owner of your IP address had a poor reputation
  • Misconfigured mail server with an open relay

How to get removed:

  1. Identify why you were listed — fix the root cause first (compromised server, spam complaints, etc.)
  2. Use our scanner above — it checks 12+ blacklists and provides direct delisting request links for each
  3. Submit delisting requests — most blacklists will review and remove within 24–48 hours if the issue is resolved
  4. Monitor regularly — set up alerts or re-scan weekly to catch future listings early

Some blacklists (like Spamhaus) require the underlying issue to be fixed before they will delist. If you're struggling with persistent blacklisting or need help identifying the root cause, OSH.co.za offers blacklist remediation services.

How do I check and improve my email deliverability score?


Your domain's deliverability score reflects how well-configured your email authentication and security records are. Our tool scores your domain out of 100 based on SPF, DKIM, DMARC, reputation, and modern standards like MTA-STS and TLS-RPT.

Score breakdown:

  • SPF (up to 15 points) — Valid record ending in a proper ~all or -all mechanism
  • DKIM (up to 20 points) — At least one valid selector found; bonus for multiple selectors
  • DMARC (up to 30 points) — Valid policy; higher scores for quarantine and reject
  • Reputation (up to 25 points) — Clean IP and domain blacklist checks, valid PTR record
  • Modern Standards (up to 10 points) — MTA-STS in enforce mode (+6), TLS-RPT configured (+4)

Score tiers:

  • 🟢 90–100 — Excellent. Ready for high-volume sending.
  • 🟡 70–89 — Good. Minor improvements recommended.
  • 🟠 50–69 — Fair. Address issues before bulk sending.
  • 🔴 Below 50 — Poor. Significant deliverability risk.

Run the free scan above to get your current score and a prioritised list of improvements. For a professional deliverability audit and hands-on remediation, contact OSH.co.za — we specialise in email authentication and deliverability for South African and international businesses.

Data Collection: This Domain Deliverability Checker processes data to provide results. When you enter a domain name and submit it for checking, the domain name is processed to perform DNS lookups and email authentication checks. We do not store, log, or share the domain names or data you submit beyond what is necessary to return your results.

Data Usage: Your input is used solely to generate results. No data is saved, analysed for profiling, or shared with third parties. Each new check operates independently.

DNS Lookups: To check your domain, we perform DNS queries via Google's DNS-over-HTTPS (dns.google). These queries are subject to Google's Privacy Policy. Only the domain name is transmitted — no personally identifiable information.

Support Requests: If you submit a support request, your name, email address, and message are transmitted securely to our support team via SMTP2Go. This information is used solely to respond to your query.

Analytics: We may collect anonymized usage statistics (page views, tool usage frequency) to improve functionality. This does not include the domain names you check or any personally identifiable information.

Contact: For privacy enquiries or questions, please contact us at support@osh.co.za or visit osh.co.za/contact.