How is a company's email security score calculated?

The score is based on the analysis of the company's primary domain for SPF, DKIM, DMARC, BIMI, MTA-STS, DANE/TLSA and DNSSEC. Points are awarded for each standard based on its configuration quality and strictness, totaling up to 100.

What do the letter grades mean?

A+ (90-100) means excellent coverage. A (80-89) is very good. B (70-79) is good. C (60-69) is average. D (50-59) is below average. F (below 50) indicates significant gaps in email security.

Why might a well-known company score poorly?

Email security configuration is often managed independently from other cybersecurity controls. A company may have strong network security but still lack proper DMARC enforcement or MTA-STS deployment.

How often are company scores updated?

All domains are rescanned weekly. Changes in DNS records are reflected in the next weekly scan.

CaptainDNS

DNS Lookup

Choose a DNS record type to search for.

Propagation & diagnostics

Compare resolvers worldwide and inspect returned answers.

Propagation testPublic resolvers, remaining TTLs, divergent responses.
Domain DNS auditParent/local NS, authority and response times.
DNSSEC CheckerValidate chain of trust, DS records and signing keys.
API & integrations
Keep history, monitor your zones and automate recurring checks.

Email authentication

Tools to verify and validate your email authentication setup.

Syntax validation

Record inspectors

Generators

Deliverability

Email deliverability audit

Audit MX, SPF, DKIM and DMARC to confirm a domain is ready to send.

Mail header analyzer

Decode participants, authentication results and routing from raw headers.

Email tester

Send a test email and get instant authentication and deliverability feedback.

IP Blacklist Checker

Check if your IP is on email blacklists

Domain Blacklist Checker

Check if your domain is on URI blacklists

SPF Flattener

Flatten SPF records to reduce DNS lookups below the 10-lookup limit.

DKIM Selector Finder

Auto-discover all DKIM selectors for a domain via DNS brute-force.

SMTP/MX Tester

Test SMTP connectivity of your MX servers: banner, STARTTLS, TLS certificate, open relay.

IP tools

Quickly inspect an IP address or your own connection.

Text

Transform and measure your content in seconds.

Text case converter

Convert any block of text to upper or lower case instantly.

Slug generator

Transform any sentence into an SEO-friendly slug in seconds.

Word & character counter

Measure the length of any text, with instant word and character counts.

Password generator

Generate strong random passwords and memorable passphrases instantly.

Developer

Encoding, hashing, regex and formatting for everyday dev work.

Base64 encoder / decoder

Encode or decode any content in Base64 without leaving the browser.

Hash Generator

Compute MD5, SHA-1, SHA-256 and SHA-512 hashes of any text.

URL encoder / decoder

Encode or decode text using percent-encoding (RFC 3986) right in your browser.

Regex Tester

Test a regular expression against text and visualize matches.

JSON / YAML Formatter

Format, validate and convert JSON and YAML in one click.

Web & Certificates

BIMI logos, VMC/CSR certificates and web page diagnostics.

BIMI logo lookup

Inspect a BIMI logo URL - format, metadata and live rendering - before rollout.

BIMI SVG converter

Convert any SVG to BIMI-compliant Tiny-PS format in seconds.

CSR parser

Inspect a CSR, extract subject details, fingerprints and requested SANs.

VMC inspector

Inspect a Verified Mark Certificate - issuer, validity and SAN coverage - before you publish BIMI.

Page size checker

Check if your page exceeds Google's 2 MB crawl limit.

Phishing URL Checker

Check if a URL is flagged as phishing or malware by 4 threat intelligence sources.

58/ 100

Siemens

siemens.com · 🇩🇪 DE · industrials

🇩🇪 DAX 40

Scan week: 2026-03-02

Outbound

50%

64/ 100

dmarc

34/40A

spf

3/30F

dkim

22/25A

bimi

5/5A

Inbound

35%

33/ 100

25/40C

mta-sts

0/30F

dane

8/15C

tls-rpt

0/15F

DNS Security

15%

A+

100/ 100

dnssec

100/100A

Rankings

global

#118 / 1090

country DE

#14 / 38

index dax-40

#14 / 40

sector industrials

#14 / 355

Recommendations

Mediummta-sts

Deploy MTA-STS to enforce TLS for inbound email

Lowmx

Add a secondary MX for redundancy

Lowtls-rpt

Add a TLS-RPT record to receive TLS failure reports

Understanding the company audit

Each company in the Observatory is analyzed weekly for email authentication standards. The audit provides a comprehensive view of the company's email security posture.

What this page shows:

Total score - A score out of 100 reflecting overall email security maturity
Letter grade - From A+ (excellent) to F (significant gaps)
Per-standard analysis - Individual scores for SPF, DKIM, DMARC, BIMI, MTA-STS, DANE/TLSA and DNSSEC
Recommendations - Prioritized steps to improve the score

Standards evaluated

SPF - Sender Policy Framework prevents unauthorized servers from sending email on behalf of the domain
DKIM - DomainKeys Identified Mail ensures emails are signed and unaltered during transit
DMARC - Domain-based Message Authentication, Reporting and Conformance ties SPF and DKIM together with a policy
BIMI - Brand Indicators for Message Identification displays the brand logo in supporting email clients
MTA-STS - Mail Transfer Agent Strict Transport Security enforces TLS encryption for inbound email
DNSSEC - Domain Name System Security Extensions prevent DNS spoofing attacks

FAQ - Frequently asked questions

Q: How is the score calculated?

A: Points are awarded for each standard based on configuration quality, totaling up to 100.

Q: What do the grades mean?

A: A+ is excellent (90-100), F indicates significant gaps (below 50).

Page	Purpose
Observatory Dashboard	Overall overview with key metrics
Statistics	Cross-index and cross-sector comparison
Email Domain Check	Audit your own domain