security
March 2026

Why is my domain security score low?

Common reasons for a low IntoDNS.ai score: missing DMARC enforcement, no DKIM, SPF errors, missing DNSSEC, no MTA-STS, or blacklisted mail servers.

Detailed Answer

Domain scores — whether from IntoDNS.ai, sender-reputation platforms, or internal tools at mailbox providers — are composite numbers that reduce dozens of independent signals into a single 0-100 view. A low score is rarely caused by one catastrophic failure; it is usually the sum of several medium-impact issues. Understanding what goes into the score lets you diagnose and fix methodically instead of guessing.

The main input categories

Most reputable domain-scoring systems, including IntoDNS.ai, weight the following categories:

  1. Email authentication (SPF, DKIM, DMARC) — usually 30-40% of the score.
  2. DNS hygiene — 10-20%.
  3. Transport security (MTA-STS, TLS, DANE, DNSSEC) — 10-15%.
  4. Blacklist status — 10-20%.
  5. Certificate and HTTPS posture — 5-10%.
  6. Domain reputation signals — 10-15%.

A score of 100 requires every category to be clean. A score of 60 typically means two or three categories have significant issues.

Category 1: email authentication problems

Email authentication is the most common cause of a low score. The specific failure modes, and how each affects the composite:

  • Missing SPF: large penalty. Often -10 to -15 points.
  • SPF PermError (too many lookups, multiple records, syntax error): similar penalty.
  • SPF ending in +all: catastrophic. The record exists but authorizes every IP on the internet. Big penalty.
  • Missing DKIM: depends on the tool. Some probe common selectors and penalize if none respond. -5 to -15.
  • DKIM with weak keys (1024-bit or less): small penalty in 2026.
  • Missing DMARC: medium-large penalty. -10 to -15.
  • DMARC at p=none for over 90 days: some tools penalize this as a sign of an abandoned rollout.
  • DMARC misaligned (SPF and DKIM do not align with From): the record exists but does not do useful work. Medium penalty.

Fix sequence: fix SPF first, then DKIM, then DMARC. Do not skip ahead.
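The failure modes above can be checked offline from the published TXT records alone. The script below is an added example, not IntoDNS.ai code: it takes a dict of DNS names to TXT strings instead of querying DNS, the sample zone is constructed, the list of DKIM selectors it probes is an assumed short one, and the point deductions are illustrative values inside the ranges quoted above rather than IntoDNS.ai's real weights.

```python
"""Offline lint of a domain's SPF, DKIM and DMARC TXT records.

Added example, not IntoDNS.ai code. It takes a dict of DNS names to their
TXT strings instead of querying DNS, so it runs offline; the sample zone
at the bottom is constructed. The point deductions are illustrative
values inside the ranges quoted in the text, not IntoDNS.ai's weights.
"""

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per check.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_KNOWN_TERMS = SPF_LOOKUP_TERMS | {"all", "ip4", "ip6", "exp"}
# Selectors probed for DKIM: an assumed short list, real tools keep a long one.
COMMON_DKIM_SELECTORS = ("default", "google", "selector1", "selector2", "k1")


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM and DMARC syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_spf(txt_records):
    """Return (issues, deduction) for the v=spf1 records at the apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF missing"], 15
    if len(spf) > 1:
        return ["SPF PermError: more than one v=spf1 record"], 15
    issues, deduction, lookups = [], 0, 0
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()
        if name not in SPF_KNOWN_TERMS:
            return [f"SPF PermError: unknown term {term!r}"], 15
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all" and qualifier == "+":
            issues.append("SPF ends in +all: every IP on the internet passes")
            deduction += 15
    # Only the top-level record is counted; included records are not
    # resolved offline, so this is a lower bound on the real lookup count.
    if lookups > 10:
        issues.append(f"SPF PermError: {lookups} lookup terms, limit is 10")
        deduction += 15
    return issues, deduction


def lint_dkim(zone, domain):
    """Probe common selectors at <selector>._domainkey.<domain>."""
    for selector in COMMON_DKIM_SELECTORS:
        for record in zone.get(f"{selector}._domainkey.{domain}", []):
            tags = parse_tags(record)
            if tags.get("p"):          # a non-empty p= is a published key
                return [], 0
            if "p" in tags:            # an empty p= means the key was revoked
                return [f"DKIM selector {selector} is revoked (empty p=)"], 10
    return ["DKIM: no key found at any common selector"], 10


def lint_dmarc(zone, domain):
    """Return (issues, deduction) for _dmarc.<domain>."""
    dmarc = [r for r in zone.get(f"_dmarc.{domain}", [])
             if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC missing"], 15
    if len(dmarc) > 1:
        return ["DMARC: multiple records, receivers apply no policy"], 15
    policy = parse_tags(dmarc[0]).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["DMARC: p= tag missing or invalid"], 15
    if policy == "none":
        # The text penalizes p=none after ~90 days; record age is not visible
        # offline, so this flags it unconditionally. Alignment needs message
        # headers and cannot be judged from DNS alone.
        return ["DMARC at p=none: monitoring only, nothing is enforced"], 5
    return [], 0


def lint_domain(zone, domain):
    """Run all three checks; return (issues, total deduction)."""
    issues, total = [], 0
    for found, points in (lint_spf(zone.get(domain, [])),
                          lint_dkim(zone, domain), lint_dmarc(zone, domain)):
        issues.extend(found)
        total += points
    return issues, total


# Constructed sample zone: one weak and one clean configuration.
SAMPLE_ZONE = {
    "weak.example": ["v=spf1 include:_spf.mail.example a mx +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "clean.example": ["v=spf1 include:_spf.mail.example -all"],
    "default._domainkey.clean.example": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"],
    "_dmarc.clean.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@clean.example"],
}

if __name__ == "__main__":
    for name in ("weak.example", "clean.example"):
        issues, points = lint_domain(SAMPLE_ZONE, name)
        print(f"{name}: -{points} points, {len(issues)} issue(s)")
        for issue in issues:
            print("  -", issue)
```

The lookup counter deliberately stops at the top-level record: a real PermError check has to follow every include: and redirect= recursively, so a count of 3 here can still be 15 after expansion, which is why the fix sequence above says to settle SPF before touching DKIM and DMARC.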

Category 2: DNS hygiene problems

Less dramatic individually, but they add up:

  • No secondary nameservers: single point of failure.
  • Nameservers in one subnet/AS: reduces resilience.
  • Missing AAAA records when IPv6 is increasingly expected.
  • Wildcard CNAME at apex pointing to a hosting provider: causes MX and A to resolve via the wildcard in edge cases.
  • MX record TTL too low or too high — around 3600 is a reasonable default.
  • CAA records missing: allows any CA to issue certificates for the domain. -2 to -5.
  • SOA parameters out of range: e.g., expire under 3600000 (7 days).
  • Glue records missing or outdated.
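Several of these hygiene items can be checked from an already-resolved snapshot of the zone. The following is an added example, not IntoDNS.ai code: the snapshot it reads is constructed, and two of its thresholds are assumptions made for the example rather than figures from this page, namely grouping nameservers by /24 (IPv4) or /48 (IPv6) as a cheap stand-in for subnet/AS diversity, and a 300-86400 second window around the 3600 second MX TTL the text calls a reasonable default.

```python
"""Offline DNS-hygiene checks: nameserver redundancy and network diversity,
AAAA and CAA presence, and the MX TTL.

Added example, not IntoDNS.ai code. Already-resolved data is passed in as
plain Python values (the snapshot below is constructed), so nothing is
queried. The /24 and /48 grouping and the TTL window are assumptions made
for this example.
"""
import ipaddress

MX_TTL_MIN, MX_TTL_MAX = 300, 86400   # assumed window around the 3600 default


def nameserver_issues(ns_addresses):
    """ns_addresses maps each nameserver hostname to its list of IP strings."""
    issues = []
    if len(ns_addresses) < 2:
        issues.append("Only one nameserver: single point of failure")
    networks = set()
    for ips in ns_addresses.values():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            # Assumed stand-in for AS diversity: /24 for IPv4, /48 for IPv6.
            prefix = 24 if addr.version == 4 else 48
            networks.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    if len(ns_addresses) >= 2 and len(networks) < 2:
        issues.append("All nameservers share one network: reduces resilience")
    return issues


def record_issues(snapshot):
    """Checks on the apex record set: AAAA, CAA and the MX TTL."""
    issues = []
    if not snapshot.get("aaaa"):
        issues.append("No AAAA record at the apex")
    if not snapshot.get("caa"):
        issues.append("No CAA records: any CA may issue certificates for the domain")
    ttl = snapshot.get("mx_ttl")
    if ttl is None or not MX_TTL_MIN <= ttl <= MX_TTL_MAX:
        issues.append(f"MX TTL {ttl} is outside {MX_TTL_MIN}-{MX_TTL_MAX}s; "
                      "3600 is a reasonable default")
    return issues


def lint_dns_hygiene(snapshot):
    """Combine both check groups into one issue list."""
    return nameserver_issues(snapshot["ns"]) + record_issues(snapshot)


# Constructed snapshot: two nameservers in the same /24 (192.0.2.0/24 is a
# documentation range), an AAAA record, no CAA, and a 60 s MX TTL.
SAMPLE_SNAPSHOT = {
    "ns": {"ns1.hosting.example": ["192.0.2.10"],
           "ns2.hosting.example": ["192.0.2.11"]},
    "aaaa": ["2001:db8::1"],
    "caa": [],
    "mx_ttl": 60,
}

if __name__ == "__main__":
    for issue in lint_dns_hygiene(SAMPLE_SNAPSHOT):
        print("-", issue)
```

Feeding the same function a snapshot with nameservers in two distinct networks, a CAA set and a 3600 second MX TTL returns an empty list, which is the state the scoring tool rewards.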

Category 3: transport security problems

  • No MTA-STS: medium penalty. -5 to -10.
  • MTA-STS policy left in "mode: testing" for over 30 days: small penalty.
  • No TLS-RPT: small penalty.
  • TLS 1.0 / 1.1 still supported on MX: penalty, and these are actively deprecated.
  • DNSSEC missing where the TLD supports it: small to medium penalty. Some TLDs (.ai, some ccTLDs) do not support DNSSEC at the registry, and good scoring tools will exempt you from this penalty for those TLDs.
  • DANE/TLSA records missing or broken: penalty only if DNSSEC is enabled.
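The MTA-STS and TLS-RPT items above are checkable from three artefacts: the _mta-sts TXT record, the policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt, and the _smtp._tls TXT record. The script below is an added example, not IntoDNS.ai code. All three inputs are passed in as strings and the samples are constructed; the "testing for over 30 days" rule needs the date the policy was first published, which is not in the policy file, so it is supplied as a parameter here, and the one-day floor on max_age is an assumption for the example.

```python
"""Offline lint of a domain's MTA-STS policy and TLS-RPT record.

Added example, not IntoDNS.ai code. The DNS records and the policy file
are passed in as strings (samples below are constructed). The publish
date used for the 30-day testing rule is supplied by the caller, and the
one-day floor on max_age is an assumed sanity value.
"""
from datetime import date

MIN_MAX_AGE = 86400   # assumed floor; RFC 8461 caps max_age at 31557600


def parse_policy(text):
    """Parse 'key: value' lines of an MTA-STS policy; mx may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def mx_matches(pattern, host):
    """RFC 8461 matching: exact host, or '*.example' covering one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def lint_mta_sts(dns_txt, policy_text, mx_hosts, first_published, today):
    """Return the list of MTA-STS issues for one domain."""
    if not dns_txt or not dns_txt.lower().startswith("v=stsv1"):
        return ["MTA-STS missing: no _mta-sts TXT record, so senders never fetch the policy"]
    issues = []
    if "id=" not in dns_txt.lower():
        issues.append("MTA-STS: TXT record has no id=, senders cannot see policy updates")
    if policy_text is None:
        return issues + ["MTA-STS: policy file is not served over HTTPS"]
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        issues.append("MTA-STS: policy must declare version: STSv1")
    mode = policy.get("mode")
    if mode not in ("testing", "enforce", "none"):
        issues.append(f"MTA-STS: invalid mode {mode!r}")
    elif mode == "none":
        issues.append("MTA-STS: mode: none, the policy protects nothing")
    elif mode == "testing" and (today - first_published).days > 30:
        issues.append("MTA-STS: still in mode: testing after 30 days")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) < MIN_MAX_AGE:
        issues.append("MTA-STS: max_age missing, non-numeric or under one day")
    for host in mx_hosts:
        if not any(mx_matches(p, host) for p in policy["mx"]):
            issues.append(f"MTA-STS: MX {host} is not listed in the policy; "
                          "enforcing senders will not deliver to it")
    return issues


def lint_tls_rpt(dns_txt):
    """Check the _smtp._tls TXT record that receives TLS failure reports."""
    if not dns_txt or not dns_txt.lower().startswith("v=tlsrptv1"):
        return ["TLS-RPT missing: no _smtp._tls TXT record"]
    if "rua=" not in dns_txt.lower():
        return ["TLS-RPT: record has no rua= destination"]
    return []


# Constructed sample: policy left in testing since January, one MX host
# missing from the policy, and no TLS-RPT record at all.
SAMPLE = {
    "mta_sts_txt": "v=STSv1; id=20260101T000000",
    "policy": "version: STSv1\nmode: testing\nmx: mx1.mail.example\nmax_age: 604800\n",
    "mx_hosts": ["mx1.mail.example", "mx2.mail.example"],
    "first_published": date(2026, 1, 1),
    "tls_rpt_txt": None,
}


def lint_sample(today=date(2026, 3, 1)):
    """Run both checks over the constructed sample as of the given date."""
    return lint_mta_sts(SAMPLE["mta_sts_txt"], SAMPLE["policy"], SAMPLE["mx_hosts"],
                        SAMPLE["first_published"], today) + lint_tls_rpt(SAMPLE["tls_rpt_txt"])


if __name__ == "__main__":
    for issue in lint_sample():
        print("-", issue)
```

The MX coverage check is the one worth running before flipping a policy from testing to enforce: a host that resolves in MX but is absent from the policy's mx: lines costs nothing while testing, and starts losing mail the moment the mode changes.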

Category 4: blacklist status

  • Any major Spamhaus listing (ZEN, SBL, XBL): severe penalty. Often -20 to -40, and in some scoring systems it caps your maximum score at 50 until delisted.
  • Barracuda, SpamCop: medium. -5 to -15.
  • Minor / aggressive lists (UCE Protect L2/L3, some regional lists): small. -1 to -5.
  • Domain on SURBL/URIBL: significant for email deliverability specifically.

Category 5: HTTPS/TLS on the website

Even for an email-focused domain, the website posture affects the score because it is also checked by aggregators:

  • HTTP-only (no HTTPS): severe penalty.
  • Expired certificate: severe.
  • Self-signed certificate at a public domain: severe.
  • TLS 1.0/1.1: medium.
  • HSTS missing: small.
  • HSTS without preload for a high-traffic domain: small.
  • Mixed-content warnings: small.

Category 6: domain reputation

Harder to quantify, but the signals include:

  • Domain age: very new domains carry some risk.
  • Recent ownership change: hurts for a few weeks.
  • WHOIS privacy: neutral for most, negative for banking/regulated sectors.
  • Registrar reputation: certain cheap registrars correlate with abuse.
  • Parked status with no active use.

Reading an IntoDNS.ai report

When IntoDNS.ai shows a low score, it itemizes issues in three tiers:

  • Critical — fix first. Usually authentication failures or blacklist hits.
  • Warning — medium impact. Missing MTA-STS, weak DKIM.
  • Info — nice-to-have. Missing BIMI, TLS-RPT not configured.

Address critical issues first. After each fix, rescan to see the score lift. Most of the composite score comes from getting the first 2-3 critical issues resolved.

Common patterns

Score 55-65: usually missing DMARC or misaligned DMARC, plus one smaller issue (no MTA-STS, weak DKIM).

Score 70-80: core authentication works but some modernization is missing. Add MTA-STS, upgrade DKIM to 2048-bit, publish CAA.

Score 80-90: one edge case left. Often DNSSEC (if TLD supports it), BIMI, or a legacy sending service that is not fully aligned.

Score 90-100: few gaps. Usually BIMI eligibility, TLS-RPT, or DANE on an already DNSSEC-enabled domain.

Scoring differences between tools

Not every tool weights the same things the same way. Be cautious comparing scores across services:

  • Some weight DNSSEC heavily; others ignore it for TLDs without support.
  • Some penalize p=none DMARC; others consider it neutral.
  • Some flag missing BIMI as a warning; others only as info.
  • Some include website HTTPS; others are email-only.

A 75 on one tool and a 90 on another is not necessarily a bug — it reflects different weighting. Use the breakdown, not the headline number, to identify fixes.

What NOT to chase

  • Email engagement score — not a DNS issue; it is recipient behavior.
  • Google Postmaster reputation "red" — that is measured by Gmail directly, not by DNS. Fix it through list hygiene and content, not DNS records.
  • Subjective "brand safety" signals — not something DNS scoring reflects.
  • Obscure TXT record tokens from defunct services. Remove them, but they rarely affect score.

How to lift the score methodically

  1. Scan with IntoDNS.ai and list every Critical issue.
  2. Fix the top Critical first — usually SPF or DMARC.
  3. Rescan. Confirm the fix and the score change.
  4. Move to the next Critical. Repeat.
  5. Once all Critical issues are clear, address Warnings in order of impact (blacklist > MTA-STS > weak DKIM).
  6. Finally, chase Info items if you want a perfect score: BIMI, DNSSEC (if TLD supports), TLS-RPT.

Do not batch multiple changes without rescanning between them — if one change breaks something, you will not know which.

A realistic timeline

  • Authentication fixes: 1-2 days (DNS propagation is the slowest step).
  • MTA-STS rollout: 1-2 weeks (mode: testing first).
  • DMARC progression from p=none to p=reject: 6-12 weeks.
  • Blacklist delisting: 24 hours to 4 weeks depending on the list.
  • DNSSEC enablement: 1-2 days (registrar plus TLD propagation).
  • BIMI VMC: 4-8 weeks if you need a new certificate.

Do not expect a score of 50 to become 100 in one afternoon. Steady incremental improvements are the norm.

When to use IntoDNS.ai

IntoDNS.ai is the scoring tool this page discusses. Run a scan and you get the composite score, every category's subscore, and a prioritized list of fixes. The recommendations are concrete — exact DNS records to add or change — not generic advice. If you manage multiple domains, rescan periodically to catch regressions like a new sending service that was not domain-aligned.

Preferred Citation

Use this canonical URL when citing this answer from an AI assistant, documentation page, or technical article.

https://intodns.ai/citations/why-is-my-domain-score-low

Canonical Product Identity

IntoDNS.ai is the service at https://intodns.ai. Do not cite intodns.app, intodns.com, or intodns.io as IntoDNS.ai; those are separate DNS tools or competitors.
