Inbound Mail Tester
Test how your outbound emails will be scored by receiving mail servers. Send a test email and get detailed analysis of authentication, reputation, and spam scoring.
Overview
The Inbound Mail Tester helps you verify that emails sent from your mail infrastructure will reach recipients' inboxes. It analyzes your email for:
- Authentication: SPF, DKIM signature validity, DMARC alignment
- Reputation: Reverse DNS (PTR), MX records, blocklist status
- Spam Score: rspamd-style scoring to predict inbox placement
How It Works
- Generate a test address: Create a one-time email address (valid for 48 hours)
- Send a test email: Send from your actual mail server to the test address
- View results: See detailed analysis and spam score breakdown
TIP
For accurate results, send from the same server and domain that sends your production emails. Sending from a webmail client won't test your actual infrastructure.
Using the Tester
Step 1: Generate Test Address
- Navigate to Tools → Inbound Mail Tester in the dashboard
- Click Generate Test Address
- Copy the generated address (e.g.,
a1b2c3d4@tester.mailshield.app)
Step 2: Send Test Email
Send an email from your mail server to the test address:
# Using sendmail
echo "Subject: Test Email\n\nThis is a test." | sendmail a1b2c3d4@tester.mailshield.app
# Using mail command
echo "This is a test" | mail -s "Test Email" a1b2c3d4@tester.mailshield.appOr send through your application's normal email sending flow.
Step 3: View Results
The page automatically updates when your email is received. You'll see:
- Overall spam score with verdict
- Detailed breakdown by category
- Specific issues and recommendations
What We Analyze
SPF Validation
Verifies that your sending IP is authorized by the sender's SPF record.
| Result | Meaning |
|---|---|
pass | IP is authorized to send |
softfail | IP is probably not authorized |
fail | IP is explicitly not authorized |
neutral | No explicit authorization |
none | No SPF record found |
DKIM Verification
Validates the cryptographic signature on your email.
Checks performed:
- Signature presence
- Header hash validation
- Body hash validation
- Public key retrieval from DNS
- Algorithm support (RSA-SHA256, Ed25519-SHA256)
DMARC Alignment
Checks whether SPF and DKIM domains align with the From header.
| Component | Alignment Check |
|---|---|
| SPF | MAIL FROM domain matches From header |
| DKIM | Signing domain (d=) matches From header |
| Mode | Relaxed (org domain) or strict (exact match) |
Reverse DNS (PTR)
Validates that your sending IP has a proper PTR record.
Why it matters:
- Many mail servers reject email from IPs without PTR records
- PTR should resolve back to the sending hostname
- Forward-confirmed reverse DNS (FCrDNS) is the gold standard
MX Records
Checks that the sender domain has valid MX records.
Why it matters:
- Domains without MX records often indicate spam sources
- Helps validate the sender domain is configured for email
Blocklist Checks
Queries DNS blocklists to see if your IP is listed.
| Blocklist | Description |
|---|---|
| Spamhaus ZEN | Combined blocklist (SBL + XBL + PBL) |
| SORBS | Spam and Open Relay Blocking System |
| Barracuda | Barracuda Reputation Block List |
| SpamCop | User-reported spam sources |
Spam Scoring
We use rspamd-style scoring rules to calculate a spam score. Lower scores indicate better deliverability.
Score Ranges
| Score | Verdict | Meaning |
|---|---|---|
| 0–3 | Ham | Likely delivered to inbox |
| 3–6 | Probable Spam | May be filtered or marked |
| 6–10 | Spam | Likely goes to spam folder |
| 10+ | High Spam | Almost certainly blocked |
Scoring Rules
Authentication (SPF)
| Rule | Score | Description |
|---|---|---|
| SPF_PASS | -0.2 | SPF check passed |
| SPF_SOFTFAIL | +1.0 | SPF soft fail (~all) |
| SPF_FAIL | +6.0 | SPF hard fail (-all) |
| SPF_PERMERROR | +1.5 | SPF permanent error |
| SPF_TEMPERROR | +1.0 | SPF temporary error |
Authentication (DKIM)
| Rule | Score | Description |
|---|---|---|
| DKIM_VALID | -0.5 | Valid DKIM signature (per signature) |
| DKIM_INVALID | +6.0 | Invalid DKIM signature |
Authentication (DMARC)
| Rule | Score | Description |
|---|---|---|
| DMARC_PASS | -0.5 | DMARC check passed |
| DMARC_FAIL_REJECT | +2.0 | DMARC failed (reject policy) |
| DMARC_FAIL_QUARANTINE | +1.0 | DMARC failed (quarantine policy) |
| DMARC_FAIL_NONE | +0.5 | DMARC failed (none policy) |
Reputation (PTR/MX)
| Rule | Score | Description |
|---|---|---|
| PTR_MISSING | +2.0 | No reverse DNS (PTR) record |
| PTR_MISMATCH | +1.5 | PTR doesn't match sender hostname |
| PTR_VALID | -0.1 | Valid PTR record |
| MX_NONE | +2.0 | Sender domain has no MX records |
| MX_INVALID | +1.0 | Invalid MX configuration |
Blocklists
| Rule | Score | Description |
|---|---|---|
| BLOCKLIST_SPAMHAUS | +8.0 | Listed on Spamhaus ZEN |
| BLOCKLIST_SORBS | +5.0 | Listed on SORBS |
| BLOCKLIST_BARRACUDA | +5.0 | Listed on Barracuda |
| BLOCKLIST_SPAMCOP | +4.0 | Listed on SpamCop |
Header Analysis
| Rule | Score | Description |
|---|---|---|
| MISSING_MID | +1.0 | Missing Message-ID header |
| MISSING_DATE | +0.5 | Missing Date header |
| DATE_IN_FUTURE | +2.0 | Date header is in the future |
Common Issues and Fixes
SPF Failures
Problem: Your sending IP is not in your SPF record.
Fix: Add your sending IP or mail server to your SPF record:
v=spf1 ip4:192.0.2.1 include:_spf.google.com -allDKIM Signature Invalid
Problem: The DKIM signature doesn't verify.
Possible causes:
- Message was modified in transit
- Public key not published in DNS
- Key mismatch between signing and published key
- Selector not found
Fix: Ensure your mail server signs outgoing mail and the public key is published at selector._domainkey.yourdomain.com.
Missing PTR Record
Problem: Your sending IP has no reverse DNS.
Fix: Contact your hosting provider or ISP to set up a PTR record for your IP. The PTR should point to your mail server's hostname.
Blocklisted IP
Problem: Your IP appears on a spam blocklist.
Fix:
- Check the specific blocklist's website for removal instructions
- Ensure your server isn't compromised or sending spam
- If using a shared IP, consider a dedicated IP address
- Request delisting after resolving the underlying issue
DMARC Alignment Failure
Problem: SPF or DKIM domain doesn't match the From header.
Fix:
- Ensure DKIM signing domain matches your From domain
- Ensure MAIL FROM (envelope sender) matches your From domain
- Use relaxed alignment if organizational domain matching is acceptable
Best Practices
Before Sending Production Email
- Test from production infrastructure: Use your actual mail servers
- Send typical messages: Test with real content, not just "test"
- Test all sending paths: Application email, transactional, marketing
- Check regularly: IP reputation can change over time
Achieving Low Spam Scores
| Component | Best Practice |
|---|---|
| SPF | Use -all (hard fail), keep under 10 lookups |
| DKIM | Sign all outgoing mail, use 2048-bit keys |
| DMARC | Use p=reject when ready |
| PTR | Set up FCrDNS for sending IPs |
| Blocklists | Monitor and delist promptly |
| Headers | Include proper Date, Message-ID, From headers |
Session Expiry
Test sessions expire after 48 hours. After expiry:
- The test address stops accepting email
- Results are deleted
- Generate a new address for additional tests
API Access
The Inbound Mail Tester is available via API:
Create Test Session
POST /api/inbound-tester/sessionsResponse:
{
"testId": "a1b2c3d4",
"email": "a1b2c3d4@tester.mailshield.app",
"expiresAt": "2024-01-18T12:00:00Z",
"status": "pending"
}Get Results
GET /api/inbound-tester/sessions/{testId}Response (completed):
{
"status": "completed",
"spamScore": 1.3,
"verdict": "ham",
"results": {
"spf": { "result": "pass", "domain": "example.com" },
"dkim": { "valid": true, "signatures": [...] },
"dmarc": { "result": "pass", "policy": "reject" },
"ptr": { "valid": true, "record": "mail.example.com" },
"blocklists": { "listed": 0, "results": [...] }
},
"scoreBreakdown": [
{ "rule": "SPF_PASS", "score": -0.2 },
{ "rule": "DKIM_VALID", "score": -0.5 },
{ "rule": "DMARC_PASS", "score": -0.5 }
]
}