What does MailMoxie check for in domain authentication?
Domain authentication helps receiving mail systems verify that an email is authorized to be sent on behalf of a domain and that it has not been altered in transit.
In MailMoxie, domain authentication is evaluated as part of the Domain Configuration section of the Email Test. This section surfaces discrete checks related to SPF, DKIM, DMARC, and related domain-level signals, each with its own status, severity, and explanation.
This article explains what MailMoxie checks for in domain authentication and how those checks appear in the Email Test.
Domain authentication in the Email Test
The Domain Configuration section summarizes the overall state of domain authentication for the email being tested. At the top level, MailMoxie provides:
-
A count of checks performed
-
A summary of passed checks and issues found
-
A plain-language overview describing where attention is needed
Each individual check is surfaced separately, with:
-
A pass, fail, or minor issue status
-
A severity level
-
The data source used (Email Headers)
-
A subcategory describing the type of issue
-
A clear explanation of what was detected
-
A recommendation tied to the specific finding
SPF (Sender Policy Framework) checks
MailMoxie evaluates SPF as a discrete check within Domain Configuration.
Specifically, the Email Test checks whether:
-
An SPF record is present on the domain
-
The SPF record matches the email’s From domain
-
The sending source is authorized by the SPF record
-
The SPF evaluation result matches expectations for the sending context
When SPF fails, MailMoxie surfaces:
-
The SPF evaluation result returned by the receiving system (for example,
neutralinstead ofpass) -
Context explaining why that result is unexpected
-
Indicators that the email may be sent through a third-party service not authorized in SPF
SPF findings are labeled with a severity level and categorized under SPF Misconfiguration when issues are detected.
DKIM (DomainKeys Identified Mail) checks
MailMoxie evaluates DKIM separately from SPF and DMARC.
The Email Test checks whether:
-
A DKIM record is present for the domain
-
DKIM verification succeeds
-
The DKIM signature aligns with the configured sending domain
MailMoxie also detects cases where:
-
DKIM verification technically passes
-
But a sending domain is not configured in the account
-
Preventing DKIM from being validated against the expected domain
These findings are surfaced with clear messaging indicating that DKIM exists but cannot be fully validated due to missing sending domain configuration.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) checks
DMARC is evaluated as its own set of checks within Domain Configuration.
MailMoxie checks whether:
-
A DMARC record is present on the domain
-
The record passes verification and alignment
-
An enforcement policy is configured
-
Reporting is enabled
-
The DMARC record matches the configured sending domain
MailMoxie distinguishes between multiple DMARC-related issues, including:
-
Policies set to monitoring-only (
p=none) -
Missing enforcement policies
-
Inability to validate DMARC due to missing sending domain configuration
Each DMARC issue is surfaced independently, with severity and subcategory labels such as DMARC Policy Too Permissive or Sending Domain Not Configured.
BIMI (Brand Indicators for Message Identification)
MailMoxie includes BIMI as part of Domain Configuration when relevant.
The Email Test checks whether:
-
A BIMI DNS record exists
-
DMARC enforcement requirements are met
-
A logo and Verified Mark Certificate (VMC) are present where applicable
If BIMI is not configured or prerequisites are missing, MailMoxie surfaces this as a Minor Issue, with context explaining which requirements are not currently met.
Reverse DNS checks
MailMoxie also evaluates reverse DNS alignment as part of domain configuration.
The Email Test checks whether:
-
A reverse DNS entry exists for the sending infrastructure
-
The reverse DNS entry matches the expected sending domain
-
A configured sending domain exists to validate against
If a sending domain is not configured, MailMoxie notes that reverse DNS validation cannot be completed and surfaces this as a minor issue.
How domain authentication issues are presented
Each domain authentication check includes:
-
A status (Failed, Minor Issue, or Passed)
-
A severity level
-
The source of the data (Email Headers)
-
A clear issue description
-
A recommendation tied directly to the detected condition
This structure allows teams to understand exactly which authentication signals are failing and why, without needing to interpret raw headers manually.
How teams typically use these results
Teams use domain authentication results in MailMoxie to:
-
Review authentication status before important sends
-
Identify misalignment between domains, ESPs, and sending infrastructure
-
Share specific findings with IT or platform teams
-
Track improvements after configuration changes
Because these checks are evaluated per test, teams often rerun Email Tests as configurations evolve.
Subscription usage and ongoing checks
Running a single Email Test provides a snapshot of current domain authentication status. Subscriptions allow teams to run Email Tests repeatedly as part of an ongoing QA workflow.
Teams using MailMoxie subscriptions typically rely on domain authentication checks to:
-
Validate changes before campaigns
-
Monitor configuration drift over time
-
Reduce risk when adding new sending tools or domains
Run an Email Test
You can run a free Email Test in MailMoxie to review domain authentication checks and see how SPF, DKIM, DMARC, and related signals are evaluated for your emails.
If you run tests regularly or manage multiple sending domains, a subscription provides continued access to these checks as part of a repeatable workflow.