What SealedMail checks
Seven standards decide whether your email is trusted, delivered and protected from impersonation. Here's what each one does - and what SealedMail does with it.
A useful way to picture it: SPF and DKIM are the locks on your domain. DMARC is the rulebook and the CCTV. MTA-STS and TLS reporting secure the delivery van. Blacklist status is your reputation at the door, and BIMI is the optional verified badge on the front of the building. SealedMail watches all of them.
DMARC
What it is: DMARC (Domain-based Message Authentication, Reporting and Conformance) ties your email security together. It tells receiving mail servers what to do with email that claims to come from your domain but fails authentication - deliver it, quarantine it, or reject it - and sends reports back so you can see what's happening.
Why it matters: Without DMARC, anyone can send email that appears to come from your domain and you'll never know. The reports are the only window into who is using your email identity.
What SealedMail does: Your DMARC record's reporting address points to SealedMail. We receive the aggregate reports, interrogate them, and explain the findings every Monday - including who sent as your domain, from where, and whether it passed.
What commonly goes wrong: Businesses publish a DMARC record at p=none, feel protected, and never look at a report again. A policy of "none" provides monitoring data but no protection at all - and unmonitored, it provides nothing.
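To show what an aggregate report actually contains, here is an added example (not SealedMail's own code) that summarises one report: who sent as the domain, whether it passed, and how much failing mail a p=none policy left untouched. The report, domain names and IP addresses are constructed sample values, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 layout; every value is a sample.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.test</org_name></report_metadata>
  <policy_published><domain>example.test</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>42</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.5</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
</feedback>"""


def summarise_report(xml_text):
    """Return totals and the sources that failed DMARC in one aggregate report."""
    # Real reports come from third parties: use a hardened XML parser for those.
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": 0,
        "failing": [],            # (source_ip, message count) pairs
        "unblocked_failures": 0,  # failed DMARC, yet the receiver took no action
    }
    for row in root.iter("row"):
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either the aligned DKIM or the aligned SPF result passes.
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        summary["total"] += count
        if not passed:
            summary["failing"].append((row.findtext("source_ip"), count))
            if evaluated.findtext("disposition") == "none":
                summary["unblocked_failures"] += count
    return summary


if __name__ == "__main__":
    print(summarise_report(SAMPLE_REPORT))
```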
SPF
What it is: SPF (Sender Policy Framework) is a list, published in your DNS, of the servers allowed to send email for your domain.
Why it matters: It's the first thing receivers check. If your real email comes from a server that isn't on your list, it looks suspicious; if the list is broken, even legitimate email can fail.
What SealedMail does: Every health check verifies your SPF record exists, is correctly formed, and stays within technical limits. The weekly DMARC data shows whether your real senders are actually passing SPF in practice.
What commonly goes wrong: The 10-DNS-lookup limit. Each third-party service you add (marketing platforms, CRMs, invoicing tools) consumes lookups, and once you exceed ten, SPF silently breaks for everything. It's one of the most common - and least noticed - email faults in small businesses.
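The lookup limit is easier to see when counted. This added example (not SealedMail's own code) walks an SPF record and its nested includes and returns an upper bound on the DNS-querying terms a receiver may evaluate; the zone data, domain names and function names are constructed for illustration, and a dictionary stands in for live DNS.

```python
import re

# Constructed sample data: TXT records for hypothetical domains, so this runs offline.
SAMPLE_ZONE = {
    "example.test": "v=spf1 mx include:_spf.mailer.test include:_spf.crm.test "
                    "include:_spf.invoices.test ip4:192.0.2.10 -all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test ~all",
    "_a.mailer.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailer.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.crm.test": "v=spf1 a mx exists:%{i}.bl.crm.test ~all",
    "_spf.invoices.test": "v=spf1 a:send.invoices.test redirect=_spf2.invoices.test",
    "_spf2.invoices.test": "v=spf1 ip4:192.0.2.64/26 -all",
}

# RFC 7208 section 4.6.4: these mechanisms, plus the redirect modifier, each cost a lookup.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10


def count_spf_lookups(domain, zone, path=()):
    """Upper bound on DNS-querying terms evaluated for `domain`, following includes."""
    if domain in path:
        raise ValueError(f"SPF loop via {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record found for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                 # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_spf_lookups(term[9:], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = re.split(r"[/=]", name)[0].lower()  # "mx/24" -> "mx"
        if name in LOOKUP_MECHANISMS:
            total += 1
        if name == "include":                      # nested records count too
            total += count_spf_lookups(target, zone, path + (domain,))
    return total


def spf_within_limit(domain, zone):
    """True when the record stays at or under the 10-lookup limit."""
    return count_spf_lookups(domain, zone) <= LOOKUP_LIMIT


if __name__ == "__main__":
    n = count_spf_lookups("example.test", SAMPLE_ZONE)
    print(f"example.test: {n} lookups, within limit: {n <= LOOKUP_LIMIT}")
```

In the sample zone the top-level record lists only three includes, yet the nested records bring the total to eleven, which is how a single extra service pushes a domain over the limit.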
DKIM
What it is: DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing email - tamper-proof evidence that the message genuinely came from your domain and wasn't altered in transit.
Why it matters: SPF checks where email came from; DKIM proves it wasn't forged or modified. Together they're the foundation DMARC builds on, and major receivers increasingly expect both.
What SealedMail does: Health checks confirm DKIM records where discoverable, and the weekly DMARC data shows whether your mail is actually being signed and verified by receivers.
What commonly goes wrong: Keys that were never set up for a particular sending service, or keys rotated by a provider without the DNS record being updated. The result is legitimate email that looks unsigned - and increasingly, undelivered.
TLS-RPT
What it is: TLS-RPT (TLS Reporting) asks receiving mail servers to tell you when they couldn't deliver email to your domain over an encrypted connection.
Why it matters: "We use encryption" is not the same as knowing it's working. Without TLS reporting, encryption failures - including deliberate interception attempts - are invisible.
What SealedMail does: Your TLS-RPT record points to SealedMail. Anomalies are flagged and explained in your weekly report; silence is good news, and you'll know it's genuine silence rather than a missing record.
What commonly goes wrong: Most domains simply don't have a TLS-RPT record at all, so nobody is told when secure delivery fails.
MTA-STS
What it is: MTA-STS (Mail Transfer Agent Strict Transport Security) forces email arriving at your domain to use encryption - or not be delivered. Think of it as HTTPS for the conversations between mail servers.
Why it matters: Without it, an attacker positioned on the network can strip away encryption (a "downgrade attack") and read or tamper with email in transit. The NCSC recommends MTA-STS alongside TLS-RPT.
What SealedMail does: Every health check verifies your MTA-STS policy exists, is reachable, and is correctly configured - including the policy file, which must stay accessible over HTTPS or delivery can break.
What commonly goes wrong: Enforcing too quickly. MTA-STS should start in testing mode; jumping straight to enforcement can block legitimate inbound mail. The other classic fault is a policy file that becomes unreachable after a website change.
Blacklisting
What it is: Blacklists (also called blocklists) are shared databases of domains and servers associated with spam or abuse. Receivers consult them when deciding whether to accept your email.
Why it matters: If your domain or sending server is listed - often through no fault of your own - your email quietly stops arriving. Most businesses find out from a frustrated client, weeks later.
What SealedMail does: Every health check, including the weekly one in your report, checks your status against major blacklists, so a listing is caught in days.
What commonly goes wrong: Shared hosting and shared sending services: someone else's bad behaviour on the same infrastructure gets your mail blocked.
BIMI
What it is: BIMI (Brand Indicators for Message Identification) displays your verified logo beside your emails in supporting inboxes such as Gmail and Apple Mail.
Why it matters: BIMI is a visibility and trust feature, not a security control. It requires DMARC at enforcement first, a correctly formatted SVG logo, and - for Gmail and Apple Mail - a Verified or Common Mark Certificate (typically £700-£1,500/year).
What SealedMail does: Checks BIMI record presence and validity in every health check and weekly report. SealedMail does not sell or manage BIMI certificates.
What commonly goes wrong: For most customers, BIMI is poor value until core DMARC and TLS controls are fully in place - and often after that too. It's always checked, never oversold.
Scope: reporting only
SealedMail monitors, interprets and reports. It does not change your DNS, configure your systems, or remediate problems - your reports tell you clearly what's wrong and what kind of fix is needed, and the changes remain in your hands (or your IT provider's). That boundary keeps the service simple, affordable and honest.