Improving Your Score
This guide provides actionable strategies to improve your MailShield security score based on your current grade.
Quick Wins by Current Score Range
Grade F (0-59): Critical Issues
Your domain has significant security gaps that leave you vulnerable to spoofing.
Priority actions:
| Action | Impact | Effort |
|---|---|---|
| Add basic SPF record | +15-20 points | Low |
| Add DMARC record (p=none) | +10-15 points | Low |
| Publish MX records | +5-10 points | Low |
Immediate steps:
- Add SPF record if missing:
  `v=spf1 include:_spf.youremailprovider.com ~all`
- Add DMARC record for monitoring:
  `v=DMARC1; p=none; rua=mailto:your-id@reports.mailshield.app`
- Verify MX records point to your email provider
Grade D (60-69): Poor Configuration
Basic records exist but are incomplete or misconfigured.
Priority actions:
| Action | Impact | Effort |
|---|---|---|
| Fix SPF errors/warnings | +5-10 points | Low |
| Add DKIM signing | +10-15 points | Medium |
| Move DMARC to p=quarantine | +5-10 points | Low |
Focus areas:
- Review SPF record for:
  - Missing includes for third-party senders
  - Too many DNS lookups (limit is 10)
  - Using deprecated mechanisms
- Configure DKIM for your primary email provider
- Progress DMARC policy from `none` to `quarantine`
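The SPF review above can be automated. The following is an added example, not MailShield's own code: it counts the DNS-querying terms in a record, following `include` and `redirect`, and flags `ptr`. The zone contents and every domain name in it are constructed for illustration.

```python
# ZONE is a constructed stand-in for DNS TXT answers so the audit runs offline.
ZONE = {
    "example.com": "v=spf1 mx a include:_spf.mailhost.example "
                   "include:_spf.crm.example ptr ~all",
    "_spf.mailhost.example": "v=spf1 include:_a.mailhost.example "
                             "include:_b.mailhost.example ~all",
    "_a.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mailhost.example": "v=spf1 ip4:198.51.100.0/24 a:out.mailhost.example ~all",
    "_spf.crm.example": "v=spf1 exists:%{i}.allow.crm.example "
                        "include:_c.crm.example include:_e.crm.example ~all",
    "_c.crm.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_e.crm.example": "v=spf1 mx ~all",
}
# Terms that cost a DNS query during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

def audit_spf(domain, zone, path=()):
    """Return (lookups, findings), following include and redirect recursively."""
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0, [f"{domain}: no SPF record found"]
    if domain in path:
        return 0, [f"{domain}: include loop"]
    lookups, findings = 0, []
    for term in record.split()[1:]:
        body = term.lstrip("+-~?")  # drop the qualifier
        if body.lower().startswith("redirect="):
            name, target = "redirect", body.split("=", 1)[1]
        else:
            name, _, target = body.partition(":")
            name = name.partition("/")[0].lower()  # "mx/24" -> "mx"
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":  # RFC 7208 says ptr should not be published
            findings.append(f"{domain}: ptr mechanism should not be published")
        if name in ("include", "redirect"):
            sub_lookups, sub_findings = audit_spf(target, zone, path + (domain,))
            lookups += sub_lookups
            findings += sub_findings
    return lookups, findings

def spf_report(domain, zone=ZONE):
    lookups, findings = audit_spf(domain, zone)
    if lookups > LIMIT:
        findings.append(f"{domain}: {lookups} DNS lookups, limit is {LIMIT}")
    return lookups, findings
```

The top-level record looks short, but nested includes push it to 12 lookups; flattening or removing unused senders is the usual remedy.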
Grade C (70-79): Fair, Room for Improvement
Core authentication is in place but not optimized.
Priority actions:
| Action | Impact | Effort |
|---|---|---|
| Achieve full DKIM coverage | +5-10 points | Medium |
| Move to DMARC p=reject | +5-10 points | Medium |
| Add MTA-STS | +5-10 points | Medium |
Focus areas:
- Audit third-party senders for DKIM compliance
- Test and progress to DMARC reject
- Implement MTA-STS for transport security
Grade B (80-89): Good, Minor Improvements
Strong foundation with opportunities for hardening.
Priority actions:
| Action | Impact | Effort |
|---|---|---|
| Add TLS-RPT reporting | +3-5 points | Low |
| Consider BIMI | +3-5 points | Medium |
| Strict alignment settings | +2-3 points | Low |
Focus areas:
- Enable TLS-RPT for transport security visibility
- Evaluate BIMI for brand indicators
- Review alignment settings (strict vs. relaxed)
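A DMARC record that omits `adkim` and `aspf` is using relaxed alignment by default. The following added example (not MailShield's scoring logic) parses a DMARC TXT value, fills in the RFC 7489 defaults, and names the next step along the `none`, `quarantine`, `reject` progression used in this guide; the wording of the steps and the `dmarc@example.com` address are assumptions.

```python
# Policy order used throughout this guide.
PROGRESSION = ["none", "quarantine", "reject"]

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; require v=DMARC1 first and a valid p."""
    pairs = [part.split("=", 1) for part in txt.split(";") if part.strip()]
    if any(len(pair) != 2 for pair in pairs):
        raise ValueError("malformed tag")
    tags = [(key.strip().lower(), value.strip()) for key, value in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    rec = dict(tags)
    if rec.get("p", "").lower() not in PROGRESSION:
        raise ValueError("missing or invalid p= tag")
    return rec

def next_step(txt):
    """Return (effective settings, suggested next action) for a DMARC record."""
    rec = parse_dmarc(txt)
    policy = rec["p"].lower()
    effective = {
        "p": policy,
        "adkim": rec.get("adkim", "r").lower(),  # default is relaxed
        "aspf": rec.get("aspf", "r").lower(),    # default is relaxed
        "rua": [u.strip() for u in rec.get("rua", "").split(",") if u.strip()],
    }
    if not effective["rua"]:
        step = "add rua= so aggregate reports are delivered"
    elif policy != "reject":
        step = "move p= to " + PROGRESSION[PROGRESSION.index(policy) + 1]
    elif "r" in (effective["adkim"], effective["aspf"]):
        step = "evaluate adkim=s / aspf=s"
    else:
        step = "maintain and monitor"
    return effective, step
```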
Grade A (90-100): Excellent
Congratulations! Focus on maintaining and monitoring.
Maintenance actions:
- Monitor for new third-party senders
- Review DMARC reports regularly
- Keep certificates current
- Watch for DNS changes
Prioritization Framework
Impact vs. Effort Matrix
| | Low Effort | High Effort |
|---|---|---|
| High Impact | SPF (if missing), DMARC (if missing), Basic DKIM | DMARC reject, Full DKIM coverage |
| Low Impact | TLS-RPT, Strict alignment | DNSSEC, DANE, BIMI |

Recommended Order
- First: SPF and DMARC (monitoring mode)
- Second: DKIM for primary email
- Third: Third-party sender DKIM
- Fourth: DMARC enforcement progression
- Fifth: MTA-STS and TLS-RPT
- Sixth: Advanced features (BIMI, DANE, DNSSEC)
Impact of Each Security Feature on Score
Core Authentication (High Impact)
| Feature | Score Impact | When Missing |
|---|---|---|
| Valid SPF | 15-25 points | Major penalty |
| Valid DKIM | 10-20 points | Significant penalty |
| DMARC record | 10-15 points | Major penalty |
| DMARC p=quarantine | +5 points | Minor penalty |
| DMARC p=reject | +10 points | Minor penalty |
Transport Security (Medium Impact)
| Feature | Score Impact | When Missing |
|---|---|---|
| MTA-STS policy | 5-10 points | Minor penalty |
| TLS-RPT | 3-5 points | No penalty |
| DANE/TLSA | 3-5 points | No penalty |
Advanced Features (Lower Impact)
| Feature | Score Impact | When Missing |
|---|---|---|
| BIMI record | 3-5 points | No penalty |
| DNSSEC | 3-5 points | No penalty |
| Strict DKIM alignment | 1-3 points | No penalty |
| Strict SPF alignment | 1-3 points | No penalty |
Negative Factors (Reduce Score)
| Issue | Score Penalty |
|---|---|
| SPF syntax errors | -5 to -15 points |
| Too many SPF lookups | -5 to -10 points |
| DKIM misconfiguration | -5 to -15 points |
| Expired certificates | -5 to -10 points |
| DMARC policy not enforcing | -5 to -10 points |
Common Paths to A-Grade
Path 1: New Domain (Starting from F)
| Week | Actions | Expected Grade |
|---|---|---|
| 1 | Add SPF, DMARC (p=none) | D |
| 2-3 | Configure DKIM, verify setup | C |
| 4-6 | Move to p=quarantine | C+ |
| 7-10 | Progress to p=reject | B |
| 11-12 | Add MTA-STS, TLS-RPT | A |
Path 2: Existing Domain (Starting from C)
| Week | Actions | Expected Grade |
|---|---|---|
| 1 | Audit and fix SPF issues | C+ |
| 2-3 | Complete DKIM for all senders | B |
| 4-6 | Progress to p=reject | B+ |
| 7-8 | Add MTA-STS | A- |
| 9-10 | Add TLS-RPT, fine-tune | A |
Path 3: B-Grade to A-Grade
| Week | Actions | Expected Grade |
|---|---|---|
| 1 | Add TLS-RPT | B+ |
| 2 | Implement MTA-STS | A- |
| 3-4 | Review and enable strict alignment | A |
Effort vs. Impact Analysis
High Impact, Low Effort
✅ Do these first:
Publish DMARC record (if missing)
- Time: 10 minutes
- Impact: +10-15 points
- Risk: None (with p=none)
Fix SPF syntax errors
- Time: 15-30 minutes
- Impact: +5-15 points
- Risk: Low
Enable DKIM in email provider
- Time: 15-30 minutes
- Impact: +10-20 points
- Risk: Low
Medium Impact, Medium Effort
⏳ Plan for these:
Configure third-party sender DKIM
- Time: 1-2 hours per service
- Impact: +5-10 points total
- Risk: Low
Progress DMARC to reject
- Time: 2-4 weeks (progressive)
- Impact: +5-10 points
- Risk: Medium (if not tested)
Implement MTA-STS
- Time: 1-2 hours
- Impact: +5-10 points
- Risk: Low-Medium
Low Impact, High Effort
⏸️ Consider later:
DANE implementation
- Time: Multiple hours + DNSSEC required
- Impact: +3-5 points
- Risk: Medium
DNSSEC deployment
- Time: Hours to days (registrar dependent)
- Impact: +3-5 points
- Risk: Medium
BIMI implementation
- Time: Hours + VMC certificate costs
- Impact: +3-5 points
- Risk: Low
Score Improvement Checklist
Baseline (Get to Grade C)
- [ ] SPF record published and valid
- [ ] DMARC record published with rua
- [ ] MX records configured correctly
- [ ] At least one DKIM signature validating
Good Standing (Get to Grade B)
- [ ] All email sources in SPF
- [ ] DKIM configured for all major senders
- [ ] DMARC at p=quarantine or better
- [ ] No SPF lookup limit issues
Excellence (Get to Grade A)
- [ ] DMARC at p=reject
- [ ] MTA-STS published
- [ ] TLS-RPT configured
- [ ] All authentication at 99%+ pass rate
- [ ] Regular monitoring active
Maintaining Your Score
Weekly Tasks
- [ ] Review MailShield alerts
- [ ] Check for new sending sources in DMARC reports
- [ ] Verify no DNS changes broke authentication
Monthly Tasks
- [ ] Review security score trends
- [ ] Audit third-party sender list
- [ ] Check for expiring certificates
- [ ] Review TLS-RPT for transport issues
Quarterly Tasks
- [ ] Full DNS security audit
- [ ] Review and update email source inventory
- [ ] Test disaster recovery for email
- [ ] Update documentation
Next Steps
- DMARC Enforcement Roadmap - Progress to reject
- Third-Party Senders - Configure all sources
- Email Source Discovery - Find missing senders