
8 email security scanning tools

Tags: tools, security, scanning

Summary

Scan your email infrastructure for vulnerabilities before attackers do. These tools check authentication, encryption, and configuration.

The security audit was routine until they checked the email infrastructure. SPF record with a syntax error that had been silently failing for months. DKIM key that was never rotated since initial setup three years ago. DMARC policy still set to p=none, providing monitoring but no protection. The domain had been spoofable the entire time.

Email security isn't glamorous, but it's critical. A misconfigured email domain is an open invitation for phishing attacks that impersonate your brand. The technical checks are straightforward—SPF, DKIM, DMARC, TLS configuration—but they're easy to get wrong and easier to forget about.

Security scanning tools automate these checks, catching misconfigurations before they become incidents.

Authentication scanners

MXToolbox is the Swiss Army knife of email diagnostics. Their SuperTool runs comprehensive checks against your domain: SPF record validation, DKIM key verification, DMARC policy analysis, MX record configuration, and blacklist status. Enter your domain, get a report of what's configured correctly and what needs attention.

The free tier handles basic checks; paid tiers add monitoring and alerts. For periodic security audits, the free checks are sufficient. For ongoing monitoring, the paid alerting catches problems as they develop.

DMARC Analyzer focuses specifically on email authentication. Beyond checking your current configuration, they analyze DMARC reports to show who's sending email as your domain—both legitimate services and potential spoofers. The visualization makes it easy to identify unauthorized senders.

Their tools help you progress from p=none (monitoring) to p=reject (enforcement) safely, identifying legitimate senders that need to be authorized before tightening the policy.

Dmarcian offers similar DMARC-focused analysis with excellent documentation. Their domain checker provides instant feedback on your authentication setup, and their platform processes DMARC reports into actionable insights. The educational content helps you understand not just what's wrong, but why it matters.

Mail Tester checks your actual emails, not just your domain configuration. Send an email to their test address, and they'll analyze it for authentication, spam triggers, and deliverability factors. The 1-to-10 score provides a quick health check, with detailed feedback on specific issues.

It's particularly useful for testing that your application's emails are properly authenticated—configuration might be correct, but if your application isn't signing emails properly, authentication still fails.

TLS and encryption scanners

CheckTLS tests your mail server's TLS configuration. It attempts connections with various TLS versions and cipher suites, reporting what your server supports and what it should support. Weak ciphers, outdated protocols, and certificate issues all appear in the report.

TLS configuration evolves as vulnerabilities are discovered. What was secure three years ago might be vulnerable today. Regular scanning catches configuration drift before it becomes exploitable.

SSL Labs, while designed for web servers, can test mail server certificates. Their detailed analysis shows certificate chain issues, protocol support, and cipher strength. The grading system (A through F) provides a quick assessment of your TLS security posture.

Hardenize provides comprehensive security scanning including email-specific checks. Their free scan covers TLS configuration, authentication records, and security headers. The dashboard shows your security posture over time, tracking improvements and regressions.

Vulnerability scanners

For deeper security assessment, general-purpose vulnerability scanners can target email infrastructure.

Nmap with appropriate scripts can probe mail servers for known vulnerabilities, open relays, and misconfigurations. The smtp-commands and smtp-enum-users scripts specifically target email servers. This is more technical than the web-based tools but provides deeper insight.

OpenVAS (now Greenbone) includes checks for mail server vulnerabilities in its comprehensive scanning. If you're running self-hosted email infrastructure, regular vulnerability scanning is essential. OpenVAS is open source and thorough, though the learning curve is significant.

What to scan for

Authentication configuration is the foundation. SPF should list all legitimate sending sources and end with -all (hard fail). DKIM keys should be present and properly configured for all sending domains. DMARC should be published with a policy that matches your risk tolerance—ideally p=reject once you've verified all legitimate senders.
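The checks in this paragraph are mechanical enough to script. The following is an added example (not code from the article or from any of the tools it lists) that validates SPF, DMARC and DKIM TXT records the way a scanner would: it flags SPF syntax errors that would make the whole record permerror (the silent failure from the opening story), a missing or soft "all" mechanism, more than the ten DNS-lookup terms RFC 7208 allows, a DMARC policy still at p=none or p=quarantine, a missing rua= reporting address, and absent or revoked DKIM selectors. The two domains and all record values are constructed for illustration; the DKIM p= value is a placeholder, not a real key.

```python
import re
from typing import Dict, List

# Constructed sample records for two made-up domains (not real DNS data).
# "weak.example" mirrors the audit story: an SPF typo, DMARC at p=none and no
# DKIM selector published. "good.example" is the configuration to aim for.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ~al",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
        "dkim": {},
    },
    "good.example": {
        "spf": "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
        "dkim": {"s2024": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"},
    },
}

# One SPF term: optional qualifier, then a mechanism, or a redirect=/exp= modifier.
SPF_TERM = re.compile(
    r"^[+\-~?]?(?:all|include:\S+|a(?:[:/]\S+)?|mx(?:[:/]\S+)?|ptr(?::\S+)?|"
    r"ip4:\S+|ip6:\S+|exists:\S+)$|^(?:redirect|exp)=\S+$"
)
# Terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_NAMES = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' DMARC or DKIM record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> List[str]:
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: no record, or record does not start with v=spf1"]
    lookups, has_all = 0, False
    for term in terms[1:]:
        if not SPF_TERM.match(term):
            findings.append(f"SPF: syntax error in term {term!r} (record will permerror)")
            continue
        name = re.split(r"[:/=]", term.lstrip("+-~?"))[0]
        if name in LOOKUP_NAMES:
            lookups += 1
        if name == "all":
            has_all = True
            qualifier = term[0] if term[0] in "+-~?" else "+"
            if qualifier == "+":
                findings.append("SPF: +all lets any host send as this domain")
            elif qualifier in "~?":
                findings.append(f"SPF: {term} is a soft fail; use -all for a hard fail")
    if not has_all:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(record: str) -> List[str]:
    if not record.strip().startswith("v=DMARC1"):
        return ["DMARC: no record, or record does not begin with v=DMARC1"]
    findings, tags = [], parse_tags(record)
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid p= tag ({policy!r})")
    elif policy == "none":
        findings.append("DMARC: p=none monitors only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once senders are verified")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def check_dkim(selectors: Dict[str, str]) -> List[str]:
    if not selectors:
        return ["DKIM: no selector records published; signatures cannot be verified"]
    findings = []
    for selector, record in selectors.items():
        tags = parse_tags(record)
        if "p" not in tags:
            findings.append(f"DKIM: selector {selector} has no p= tag")
        elif tags["p"] == "":
            findings.append(f"DKIM: selector {selector} has an empty p= (key revoked)")
    return findings


def scan_domain(records: dict) -> Dict[str, List[str]]:
    return {
        "spf": check_spf(records.get("spf", "")),
        "dmarc": check_dmarc(records.get("dmarc", "")),
        "dkim": check_dkim(records.get("dkim", {})),
    }


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain)
        for kind, findings in scan_domain(records).items():
            for line in findings or [f"{kind.upper()}: ok"]:
                print("  ", line)
```

To run this against a real domain, feed it the TXT records you pull with dig: the SPF record lives at the domain apex, DMARC at `_dmarc.<domain>`, and each DKIM key at `<selector>._domainkey.<domain>`. The SPF check only inspects the top-level record; a full evaluator would also follow include: and redirect= targets, since their lookups count toward the same limit of ten.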

TLS configuration should support modern protocols (TLS 1.2 minimum, TLS 1.3 preferred) and strong cipher suites. Certificates should be valid, properly chained, and not expiring soon. DANE records, if implemented, should match your certificates.
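As an added example (written for this page, not code from CheckTLS, SSL Labs or Hardenize), the following does the equivalent of a single CheckTLS probe in the standard library: it connects to a mail server, upgrades with STARTTLS using a context that refuses anything below TLS 1.2, and then evaluates the negotiated protocol, cipher suite and certificate expiry against the targets in this paragraph. The evaluation logic is separated from the network probe so it can be exercised on constructed values; the weak-cipher marker list is a heuristic assumption, not an exhaustive catalogue, and the 30-day expiry threshold is an assumed default.

```python
import smtplib
import ssl
import sys
import time
from typing import Dict, List

# Substrings in OpenSSL cipher names that a scanner should flag (heuristic list).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ADH", "AECDH")


def days_until_expiry(not_after: str, now: float) -> float:
    """Days left on a certificate, given the notAfter string as returned by
    SSLSocket.getpeercert(), e.g. 'Jun 15 12:00:00 2027 GMT'."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def evaluate_tls(version: str, cipher: str, bits: int, not_after: str,
                 now: float, min_days: int = 30) -> List[str]:
    """Turn the negotiated parameters of one connection into findings."""
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"TLS: negotiated {version}; TLS 1.2 is the minimum, 1.3 preferred")
    if bits < 128 or any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"TLS: weak cipher suite {cipher} ({bits}-bit)")
    left = days_until_expiry(not_after, now)
    if left < 0:
        findings.append(f"TLS: certificate expired {-left:.0f} days ago")
    elif left < min_days:
        findings.append(f"TLS: certificate expires in {left:.0f} days")
    return findings


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, object]:
    """Connect, upgrade with STARTTLS and evaluate the result. Needs network
    access. Verification uses the system trust store, so a broken chain or a
    hostname mismatch surfaces as ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse older protocols outright
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False, "findings": ["TLS: server does not offer STARTTLS"]}
        smtp.starttls(context=ctx)
        smtp.ehlo()  # RFC 3207: the session restarts after the upgrade
        sock = smtp.sock
        cipher, _, bits = sock.cipher()
        cert = sock.getpeercert()
        findings = evaluate_tls(sock.version(), cipher, bits, cert["notAfter"], time.time())
        return {"starttls": True, "version": sock.version(), "cipher": cipher,
                "findings": findings}


if __name__ == "__main__":
    # Usage: python starttls_check.py mail.example.com [port]
    target = sys.argv[1]
    print(probe_starttls(target, int(sys.argv[2]) if len(sys.argv) > 2 else 25))
```

The probe reports only what this one client negotiated with its own defaults; a server can still accept TLS 1.0 or an RC4 suite from a less strict client. To enumerate what the server supports, run the probe repeatedly with the context's maximum_version and cipher list narrowed to each protocol and suite you want to test, which is what the hosted scanners do on your behalf.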

MX records should point to servers you control or trust. Dangling MX records pointing to decommissioned servers are a takeover risk—attackers can claim the old server's IP and receive your email.

Blacklist status indicates reputation problems. Being listed on major blacklists (Spamhaus, Barracuda, etc.) affects deliverability and might indicate compromise. Regular checking catches listings early.

Open relay testing verifies your server doesn't accept and forward email from unauthorized senders. Open relays are quickly exploited for spam, destroying your reputation and potentially getting you blacklisted.

Building a scanning routine

One-time scans catch current problems; regular scanning catches drift and new issues.

Weekly: Check blacklist status. Listings can happen quickly after a compromise or spam complaint. Early detection limits damage.

Monthly: Run authentication checks (MXToolbox, DMARC Analyzer). Verify SPF, DKIM, and DMARC are still correctly configured. Check that no new sending services have been added without updating authentication records.

Quarterly: Full security scan including TLS configuration, certificate expiration, and vulnerability assessment. Review DMARC reports for unauthorized sending attempts.

After changes: Any time you modify email infrastructure—new sending service, server migration, DNS changes—run a full scan to verify nothing broke.

Automate what you can. Many scanning services offer APIs or scheduled scans with alerting. Automated monitoring catches problems faster than manual periodic checks.

Frequently asked questions

How often should I rotate DKIM keys?

Industry best practice suggests rotating DKIM keys every 6-12 months. Longer keys (2048-bit) can be rotated less frequently than shorter keys. The rotation process requires publishing the new key, updating your signing configuration, and keeping the old key published until in-flight emails are delivered.

What DMARC policy should I use?

Start with p=none to collect reports without affecting delivery. Once you've identified all legitimate senders and configured their authentication, move to p=quarantine. After confirming no legitimate email is being quarantined, move to p=reject for full protection. This gradual approach prevents blocking legitimate email.

Is my email server an open relay?

Test it: try sending email through your server from an unauthorized source to an external address. MXToolbox and similar tools include open relay tests. If your server accepts and forwards the email, it's an open relay and needs immediate remediation.

What do I do if I'm on a blacklist?

First, identify and fix the cause—compromised account, spam complaints, or misconfiguration. Then request removal from the blacklist (each has its own process). Monitor to ensure you don't get re-listed. Some blacklists remove listings automatically after the problem is resolved; others require manual requests.


Written by the emailr team
