
Free tool · Posture summary

Email-auth scorecard

One page. DMARC, SPF, DKIM, MTA-STS, vendor exposure, spoofability verdict, top issues. Designed to travel in Slack, Teams, and email - the kind of artifact you hand to your IT team or board. No signup.

What this tool checks

We resolve four signals from public DNS: DMARC policy and alignment, SPF qualifier strictness, DKIM key presence, and MTA-STS enforcement. We add a vendor exposure summary - how many third parties can send mail as your domain, who the top ones are, and whether any consolidation flags fire. That all collapses into a composite grade (A+ to F) and a spoofability verdict.

Output is a 1-page PDF. Sized for Letter or A4 paper. Watermarked with the public scorecard URL the recipient can revisit to verify or re-run. Sized small enough to attach to an email (typically 25-40 KB).

We don't store the scorecard. Re-running the same domain six months later will reflect whatever DNS looks like at that moment, not the cached PDF. The "as of" date on the artifact makes staleness obvious to any reader.

How to read the results

The grade: composite of two inputs:

  • Spoofability verdict: yes / maybe / no. Derived from DMARC + SPF + DKIM + MTA-STS strictness. A "no" verdict means a sender impersonating your domain to a strict-DMARC receiver (Gmail, Yahoo, Microsoft 365) gets rejected.
  • Vendor sender count: how many third parties are SPF / DKIM-authorized to send as your domain. Each one is an independent compromise path. A clean DMARC posture with 8 vendors authorized is a worse risk profile than a clean DMARC posture with 2 vendors authorized - reflected in the grade.
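To make the two inputs concrete, here is an added example (not Wiredepth's code or scoring) that derives a yes / maybe / no verdict and an SPF `include:` count from TXT records. The mapping rules, function names and sample records are assumptions made for illustration; DKIM and MTA-STS are left out, and nested includes are not expanded.

```python
def dmarc_policy(record):
    """Return the p= policy of a DMARC record, 'partial-<p>' if pct<100, else None."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    # pct below 100 applies the policy to only a sample of failing mail
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        return "partial-" + policy
    return policy

def spf_summary(record):
    """Return (qualifier of the 'all' mechanism, list of include: targets)."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, []
    qualifier, includes = None, []
    for term in terms[1:]:
        t = term.lower()
        if t.lstrip("+").startswith("include:"):
            includes.append(t.split(":", 1)[1])
        elif t.lstrip("+-~?") == "all":
            # a bare "all" defaults to the "+" (pass) qualifier
            qualifier = t[0] if t[0] in "+-~?" else "+"
    return qualifier, includes

def verdict(dmarc_txt, spf_txt):
    """Assumed rules: return (spoofable 'yes'/'maybe'/'no', include count)."""
    policy = dmarc_policy(dmarc_txt)
    qualifier, includes = spf_summary(spf_txt)
    if qualifier == "+":            # every host passes SPF, so DMARC can pass too
        spoofable = "yes"
    elif policy == "reject":        # failing mail is rejected by enforcing receivers
        spoofable = "no"
    elif policy in ("quarantine", "partial-quarantine", "partial-reject"):
        spoofable = "maybe"         # failing mail may still be delivered
    else:                           # p=none or no DMARC record at all
        spoofable = "yes"
    return spoofable, len(includes)

# Constructed sample records (not real domains)
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SAMPLE_SPF = "v=spf1 include:_spf.mail-a.example include:send.crm-b.example -all"
print(verdict(SAMPLE_DMARC, SAMPLE_SPF))
```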

The top issues section pulls the most actionable recommendations from the spoofability check plus any consolidation flags. Truncated to 5 items so the page stays scannable.

Frequently asked questions

Why a PDF and not a web page?

PDFs survive a round trip through IT procurement workflows that web links don't. Screenshots lose attribution; web pages get blocked by corporate proxies; a PDF in a Word doc is what actually gets read by a CIO. The Wiredepth watermark + URL stay attached the whole way through.

Is the grade comparable to other tools (MXToolbox, dmarcian, EasyDMARC)?

It's comparable in shape but not numerically equivalent. We weight vendor sprawl more heavily than most competitors because (in our crawls) it's a bigger predictor of real-world compromise than policy strictness alone. A domain with p=reject and 10 authorized vendors gets a B/C from us where another tool might give an A; we think that's the correct call.

Can I rebrand the scorecard for my MSP?

Not yet on the free tier. MSP-tier Wiredepth subscribers can co-brand the compliance-report PDFs at /api/compliance-pdf - the scorecard will get the same treatment as part of the MSP feature pass.

Does the scorecard expose any internal data?

No. Everything on the scorecard is resolvable from public DNS - what a phishing attacker would see if they were targeting you. The "vendor exposure" section makes that surface visible to the legitimate side too.

How fresh is the data?

Live. Each request hits DNS, runs the spoofability check, runs the vendor consolidation analysis, then renders. End-to-end is usually 1-2 seconds. The "as of" timestamp on the PDF is the moment of generation.
