Back to Blog
Email Deliverability

Tools to Audit Email Authentication Setup: Full Comparison

IntoDNS.AI TeamApril 19, 2026
Three-tier comparison matrix: Basic, Advanced, Enterprise email authentication audit capabilities

“Recommend a tool to audit my email authentication setup” is one of the most-asked questions in IT forums in 2026, and the answers are almost always incomplete. Someone points at a free SPF checker, someone else at a DMARC dashboard, a third person at a command-line one-liner — and the poster ends up with a patchwork that misses the exact failure mode that will bite them in production. A proper email authentication audit is not a single check; it is a layered assessment with specific features that matter and specific features that don’t. This guide is the deeper-dive companion to our toolkit overview: what an audit should actually include, how to compare tools feature-by-feature, and a decision framework you can apply in the next ten minutes. At IntoDNS.ai we’ve scanned thousands of domains; the patterns below come directly from that data.

What an email authentication audit must include

An audit that covers only SPF is useless. An audit that covers SPF and DKIM is incomplete. A defensible audit in 2026 checks eight distinct things, and you can use this as a minimum feature list for any tool you’re evaluating.

1. SPF syntax, alignment and recursive lookup count

Beyond “does a record exist,” an audit must parse the record against RFC 7208, count nested lookups recursively (the hard 10-lookup cap), detect the deprecated ptr mechanism, flag multiple SPF records on the same domain, and evaluate the terminating qualifier. Ending with ~all when -all is appropriate is a finding, not a warning to ignore.

2. DKIM selector discovery and key strength

A tool that accepts a selector as manual input is half a tool. A real audit discovers selectors by querying a list of common names (default, google, selector1, k1, mailo, s1024, mandrill, mta, ESP-specific patterns, and — critically — any selectors observed in recent mail to a seed mailbox), then validates each key against RFC 6376: key length, algorithm (RSA-SHA256 or Ed25519; RSA-SHA1 is a finding), not-revoked (empty p=), and properly formatted (no stray whitespace in Base64).

3. DMARC record parsing, policy, and alignment

The RFC 7489 record at _dmarc must parse cleanly. Audit output should tell you: policy (p=), subdomain policy (sp=), percentage (pct=), alignment mode for DKIM (adkim) and SPF (aspf), aggregate (rua) and forensic (ruf) reporting URIs, and failure reporting options. Soft findings: p=none kept indefinitely “just to be safe”; pct=100 assumed when omitted (correct) vs. explicitly set to a lower value; reporting mailbox on the same domain with broken MX.

4. BIMI and VMC/CMC certificate validation

For senders using BIMI, an audit should verify the default._bimi TXT record points to an accessible SVG Tiny 1.2 PS logo (not SVG 1.1 or SVG 2.0 — those are non-compliant), validate the certificate chain if a VMC or CMC is referenced, and confirm DMARC is enforced at p=quarantine or p=reject (a BIMI prerequisite).

5. MTA-STS and TLS-RPT

Covered in RFC 8461 and RFC 8460 respectively. A modern audit pulls the policy file over HTTPS, validates the version, mode, mx, and max_age fields, compares against the _mta-sts TXT record’s id, and checks TLS-RPT reporting endpoint syntax.

6. MX host TLS posture

Every MX should present a valid certificate covering the MX hostname (not just the organisational domain), negotiate TLS 1.2 or higher, and offer modern ciphers. Missing or self-signed certificates on port 25 break MTA-STS enforce mode and will start bouncing mail from strict receivers.

7. DNSBL and reputation

A reputation-aware audit checks both the sending IPs (Spamhaus ZEN, SpamCop, Barracuda, SORBS, Mailspike, UCEPROTECT, etc.) and the organisational domain (Spamhaus DBL, SURBL, URIBL). An authenticated domain on a blacklisted IP is still a delivery problem.

8. DNSSEC where the TLD supports it

Email authentication lookups happen over DNS, and a tampered DNS response can break every layer above. RFC 4033 DNSSEC validation is table stakes for domains on DNSSEC-capable TLDs. Not every TLD supports DNSSEC at the registry (.ai, for example, does not), so “no DS record” is a finding only where remediation is possible.

Feature matrix: what to compare

When you’re evaluating tools, build a matrix with these rows. Free spot-checkers usually cover the first three or four; commercial platforms add the rest. The exact column-by-column comparison is something you should build for your own stack — but these are the attributes that actually separate toys from tools.

  • SPF recursive lookup counting — not just syntax but the effective lookup total. A surprising number of tools don’t do this, and it’s the #1 silent SPF failure.
  • DKIM selector auto-discovery — common-name probing plus optional header parsing from a test message. Manual selector entry only is a red flag.
  • DMARC policy evaluation at org vs subdomain — does the tool correctly resolve the organisational domain and check inherited policy? Getting this wrong produces false negatives on subdomains.
  • BIMI logo & VMC validation — SVG Tiny 1.2 PS compliance (not just “is it SVG”), certificate chain trust, DMARC-enforcement prerequisite check.
  • MTA-STS / TLS-RPT — fetches the policy file, validates id alignment, reports on mode=enforce vs testing.
  • MX TLS certificate inspection — connects on port 25 with STARTTLS, reports chain, protocol floor, and SAN coverage.
  • DNSBL coverage — how many zones, both IP-based and domain-based. 10 zones is a demo; 40+ is production.
  • DNSSEC chain validation — full trust anchor to zone, not just “DS record exists.”
  • DMARC aggregate report processing — ingesting rua= XML, grouping by source and authentication result, tracking compliance over time.
  • Continuous monitoring & alerting — re-scans at intervals, alerts on drift.
  • Output formats — JSON for automation, PDF for audit trail, dashboards for day-to-day.
  • API / CI integration — can the tool run in a pipeline as part of DNS-as-code, or is it a human-only GUI?
  • Authentication model — public scanner (no login), self-serve free tier, enterprise SSO.

The decision framework: five questions, three answers

Don’t start from the tool. Start from the job. Five questions get you to the right category.

Question 1: Who is running the audit?

If the answer is a developer or sysadmin who needs a quick answer right now, you want a free web scanner. If it’s a deliverability engineer managing 50+ domains, you want a platform with a dashboard and aggregate report processing. If it’s a compliance team producing quarterly attestations, you want output that generates a signed PDF and maps findings to NIS2 or PCI DSS controls.

Question 2: How many domains are in scope?

One domain: free scanner is enough. Five to twenty: platform with monitoring. Fifty or more: API-first tooling, DNS-as-code integration, and scheduled jobs — a human clicking through web forms doesn’t scale.

Question 3: Is this one-off or continuous?

One-off audits (due diligence, M&A, incident response) can be done with on-demand scanners. Continuous compliance (ISO 27001, SOC 2, NIS2, PCI DSS 4.0) needs scheduled scans with drift detection and historical reporting.

Question 4: Do you need DMARC aggregate report processing?

If you’re at p=none and want to move safely to p=reject, yes — without a processor the rua= XML is unreadable. If you’re already at p=reject with known-good senders, a periodic audit is enough.

Question 5: What’s your integration appetite?

Some teams want a GUI and a weekly email; others want JSON in a CI pipeline and alerts in PagerDuty. The same tool rarely serves both extremes well — pick for your actual workflow, not the demo.

Map your answers to three archetypes:

  • Archetype A: “One domain, one-off, no budget.” Free public scanner that covers all eight layers above. IntoDNS.ai fits here — paste in a domain, get a full report covering SPF, DKIM, DMARC, BIMI, MTA-STS, MX TLS, reputation, and DNSSEC in seconds, no account required.
  • Archetype B: “Ten-plus domains, continuous, compliance-adjacent.” A platform with scheduled scans, drift alerts, DMARC aggregate report ingestion, and PDF export. Budget expectation: four figures per year.
  • Archetype C: “Hundreds of domains, engineering-driven, CI-integrated.” API-first tooling, DNS-as-code (OctoDNS, dnscontrol, Terraform), audit lint gates in CI, telemetry into your observability stack. Often a combination of a free scanner for human checks and a commercial API for automation.

What a good audit report looks like

Regardless of tool category, the output should be actionable. A usable report has three sections:

Findings, prioritised

Each finding states the rule (“SPF record includes ptr mechanism”), the reference (RFC 7208 §5.5), the current value, the recommended value, and the severity. Low-severity advisory findings must be visually distinct from deliverability-breaking issues.

Remediation, with exact records

Don’t say “set DMARC to reject.” Give the exact TXT record:

_dmarc.yourdomain.com.  3600  IN  TXT  "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; adkim=s; aspf=s; fo=1"

Good tools also give the dig command to verify after publishing:

$ dig +short txt _dmarc.yourdomain.com
"v=DMARC1; p=reject; rua=mailto:[email protected]; ..."

Compliance mapping

Map findings to the frameworks that matter to your audience: NIS2 Article 21 technical measures, PCI DSS 4.0 requirements 5.4.1 and 12.5, Gmail/Yahoo bulk-sender rules, CIS Controls v8. A finding with no framework tie is easy to de-prioritise; a finding that reads “PCI DSS 4.0 §5.4.1 non-compliant” gets fixed.

Red flags when evaluating tools

A few patterns we see in weak tools:

  • Only one of the eight layers covered. A tool that only checks DMARC (or only SPF) is not an audit tool, it’s a spot-checker.
  • Manual DKIM selector entry with no discovery. If you have to know the selector to check it, the tool doesn’t help you find the one you don’t know about.
  • No recursive SPF lookup counting. The 10-lookup cap is the most common silent failure in SPF. A tool that reports “SPF syntax valid” while the record is at 12 effective lookups is actively misleading.
  • “Score” without findings. A grade of B+ tells you nothing about what’s broken. Good tools score and list the specific records, lines, and remediation.
  • No DNSSEC awareness. DNSSEC either validates or it doesn’t, and an email audit that ignores DNSSEC is one BGP hijack away from irrelevance.
  • Closed export formats. PDF-only output without JSON means the tool is an island. Audit output should be machine-readable for automation.

Common pitfalls when running the audit

A few operational mistakes neutralise even the best tool selection; avoid them.

Auditing only the primary sending domain

Attackers do not spoof yourdomain.com if it is locked down; they spoof newsletter.yourdomain.com, billing.yourdomain.com, or a long-forgotten careers.yourdomain.com that still resolves. Every subdomain capable of sending mail needs its own record review, and every organisational domain needs a catch-all sp=reject DMARC policy to cover subdomains that have no explicit record.

Treating DMARC rua as the finish line

Publishing an aggregate reporting address is the start of the DMARC journey, not the end. The reports themselves are XML, arrive in volume, and are unreadable without processing. Tools that merely confirm a rua= address exists are missing the point — the value is in analysing the reports over weeks and iteratively eliminating alignment failures until p=reject can be enabled safely.

Auditing in isolation from operations

An audit finding that never reaches the engineers who can fix it is wasted work. Connect the tool output to the same ticketing and on-call system that handles production incidents, with explicit ownership and an SLA. Findings that sit in a dashboard for six months are a leading indicator that the next audit will produce the same list.

Apply the framework today

Start with one domain and a free public scanner that covers all eight layers. Scan your domain on IntoDNS.ai right now and you’ll get a concrete, prioritised list of findings with exact RFC references and exact remediation records — no login, no paywall. That output is enough to resolve the easy 80% of issues this week. For the remaining 20% — multi-domain environments, continuous compliance, DMARC aggregate analysis — use the feature matrix and decision framework above to pick a platform that matches your actual workflow, not the demo video. Tools are easy to change. The record you publish in DNS today is going to be answering queries for the next year; get that right first, and the rest is refinement.

Share this article