Security Score
MailShield calculates a comprehensive security score for each domain, helping you understand and improve your email security posture.
Score Overview
Your security score is a number from 0-100, translated to a letter grade:
| Grade | Score Range | Status |
|---|---|---|
| A | 90-100 | Excellent - Your email security is comprehensive |
| B | 80-89 | Good - Minor improvements possible |
| C | 70-79 | Fair - Several areas need attention |
| D | 60-69 | Poor - Significant gaps in security |
| F | 0-59 | Critical - Immediate action required |
How the Score is Calculated
The score is weighted across different security categories:
Core Authentication (50 points)
| Category | Points | Description |
|---|---|---|
| DMARC | 25 | Most important - enables reporting and enforcement |
| SPF | 15 | Specifies authorized senders |
| DKIM | 10 | Cryptographic email signatures |
Transport Security (20 points)
| Category | Points | Description |
|---|---|---|
| MTA-STS | 10 | Enforces TLS for email transport |
| TLS-RPT | 10 | Reports on TLS failures |
Infrastructure (25 points)
| Category | Points | Description |
|---|---|---|
| MX Records | 10 | Valid mail servers with TLS |
| DNSSEC | 10 | DNS response authentication |
| BIMI | 5 | Brand indicators |
Bonus Points
| Category | Points | Description |
|---|---|---|
| DANE | +5 | Certificate pinning via DNS |
Scoring Criteria
DMARC (25 points)
| Criteria | Points |
|---|---|
| Valid DMARC record exists | 5 |
Policy is none | +2 |
Policy is quarantine | +7 |
Policy is reject | +10 |
| Reporting configured (rua) | +5 |
| MailShield reporting or forensic reporting (ruf) | +5 |
TIP
You can earn up to 5 bonus points by sending DMARC reports to MailShield or by configuring forensic (ruf) reporting.
SPF (15 points)
| Criteria | Points |
|---|---|
| Valid SPF record exists | 10 |
Uses -all (hard fail) | +5 |
Uses ~all (soft fail) | +3 |
DKIM (10 points)
| Criteria | Points |
|---|---|
| Valid selectors with strong keys (≥ 2048 bits) | 10 |
| Valid selectors with weak keys (1024-bit) | 7 |
MTA-STS (10 points)
| Criteria | Points |
|---|---|
| Valid policy exists | 5 |
Mode is testing | +2 |
Mode is enforce | +5 |
TLS-RPT (10 points)
| Criteria | Points |
|---|---|
| Valid TLS-RPT record | 5 |
| MailShield reporting configured | +5 |
| Other reporting address configured | +3 |
TIP
Sending TLS reports to MailShield earns full points. Any other reporting address earns 3 points.
MX Records (10 points)
| Criteria | Points |
|---|---|
| Valid MX records exist | 5 |
| All servers support TLS | +5 |
DNSSEC (10 points)
| Criteria | Points |
|---|---|
| DNSSEC enabled and valid | 10 |
BIMI (5 points)
| Criteria | Points |
|---|---|
| Valid BIMI record with accessible logo | 5 |
Improving Your Score
Quick Wins
- Add DMARC if missing - even
p=noneadds points - Configure reporting (rua) to receive DMARC reports
- Enable TLS-RPT - simple DNS record addition
Medium Effort
- Strengthen DMARC policy from
none→quarantine→reject - Add MTA-STS policy to enforce TLS
- Upgrade DKIM keys to 2048 bits or higher
Advanced
- Enable DNSSEC at your registrar
- Configure DANE for certificate pinning
- Add BIMI for brand recognition
Score Alerts
MailShield can notify you when:
- Score drops by more than 10 points
- Rating changes (e.g., from B to C)
- Score falls below threshold (configurable)
Configure alerts in Settings → Notifications.
Score History
Track your security score over time:
- View historical scores on the domain dashboard
- See when changes occurred
- Correlate with DNS modifications
Best Practices for an A Rating
To achieve and maintain an A rating:
- ✅ DMARC with
p=rejectpolicy - ✅ SPF with
-all(hard fail) - ✅ DKIM with 2048-bit keys
- ✅ MTA-STS in
enforcemode - ✅ TLS-RPT configured
- ✅ DNSSEC enabled
- ✅ All MX servers supporting TLS