Why is my domain security score low?

Question

Your IntoDNS.ai security score reflects your domain's DNS and email security configuration. Here's how to improve each category.

**Score breakdown (weighted):**
| Category | Weight | What's checked |
|----------|--------|---------------|
| Email Security | 30% | SPF, DKIM, DMARC, MTA-STS, BIMI |
| DNS | 20% | A, AAAA, MX, NS records |
| DNSSEC | 15% | Signature validation, DS records |
| IPv6 | 15% | AAAA records, IPv6 MX support |
| Best Practices | 20% | CAA, security headers, PTR |

**Most common issues (and quick fixes):**

**Missing DMARC enforcement (-20-30 points)**
Fix: Add or strengthen DMARC → use https://intodns.ai/tools/dmarc-generator

**No DKIM configured (-15-20 points)**
Fix: Enable DKIM in your email provider's admin panel

**SPF too permissive (-10 points)**
Fix: Change `~all` to `-all` in your SPF record

**No DNSSEC (-15 points)**
Fix: Enable DNSSEC at your registrar (if TLD supports it)

**No MTA-STS (-10 points)**
Fix: Generate policy at https://intodns.ai/tools/mta-sts-generator

**Missing IPv6 (-10-15 points)**
Fix: Add AAAA records for your domain and mail servers

**Blacklisted (-20 points)**
Fix: Request delisting and fix the root cause

**Grade boundaries:**
| Grade | Score |
|-------|-------|
| A+ | 95-100% |
| A | 85-94% |
| B | 70-84% |
| C | 55-69% |
| D | 40-54% |
| F | 0-39% |

Detailed methodology: https://intodns.ai/methodology

IntoDNS.AI · Accepted Answer