Domain Health Check: What It Tests and Why
Understand what the mxio Domain Health Check measures across SPF, DKIM, DMARC, MX, and DNS delegation — and how to interpret your health score.
What the Domain Health Check Does
The mxio Domain Health Check runs five independent checks against your domain in a single pass: SPF, DKIM, DMARC, MX records, and DNS delegation. Each check produces its own pass/warn/fail result. The combined result gives you a snapshot of your domain's email authentication posture — where it is strong, where it is vulnerable, and what to fix first.
This is the tool to start with when you are evaluating a domain for the first time, onboarding a new client, or auditing your own infrastructure after changes. Instead of running five separate tools, the health check gives you the full picture in one query.
The Five Sub-Checks
SPF
The health check parses your SPF record (RFC 7208) and evaluates syntax validity, mechanism coverage, and DNS lookup count. It flags records that exceed the 10-lookup limit, use permissive +all qualifiers, or have no SPF record at all. This is the same analysis you get from the standalone SPF Checker, included automatically.
DKIM
DKIM (RFC 6376) verification requires a selector, which varies by sending service. The health check tests common selectors used by major providers (Google Workspace, Microsoft 365, and others) to detect published DKIM keys. It reports key strength, record validity, and whether selectors are missing for expected providers. For deeper per-selector analysis, use the DKIM Checker directly.
DMARC
The health check queries _dmarc.yourdomain.com and evaluates the published DMARC (RFC 7489) policy. It flags domains with no DMARC record, domains stuck at p=none without progression toward enforcement, and records with syntax issues or missing rua= reporting addresses. The DMARC Checker provides the same analysis with additional detail on alignment modes and policy tags.
MX Records
The health check verifies that your domain publishes MX records (RFC 5321), that the mail servers resolve to valid IP addresses, and that priority values are configured correctly. Missing MX records mean your domain cannot receive email — a problem that also affects bounce handling and DMARC report delivery. See Missing MX Records for the full impact.
DNS Delegation
The final sub-check verifies your nameserver delegation chain: whether the parent zone (the TLD registry) and your authoritative nameservers agree on who is responsible for your zone. Inconsistent delegation causes DNS resolution failures that affect every record type, not just email. The Delegation Health tool provides the full delegation analysis.
How Scoring Works
Each sub-check returns one of three states: pass, warning, or fail. The overall health score is a composite — it reflects the worst-performing sub-check, not an average. A domain that passes SPF, DKIM, DMARC, and MX but has broken delegation still shows a failing health score. This is intentional. A single broken link in the chain can undermine everything else.
Warnings indicate configuration that works but is not optimal — for example, a DMARC policy of p=none (monitoring only, no enforcement) or an SPF record at 8 of 10 lookups (functional but close to the limit).
When to Use the Combined Check vs. Individual Tools
Use the Domain Health Check when you need the overall picture: initial domain audits, periodic reviews, or quick checks after DNS changes. Use the individual tools — SPF Checker, DKIM Checker, DMARC Checker — when you are troubleshooting a specific protocol or need deeper analysis of a single record.
Continuous Health Monitoring
A single health check tells you where things stand right now. But email authentication degrades silently — provider IP ranges change, DKIM keys get deleted during DNS migrations, and well-meaning edits introduce SPF syntax errors. mxio's domain health monitoring runs these checks on a schedule and alerts you the moment something changes, so you find out before your recipients do.
If any health check result is unclear, mxio's AI-powered explanations translate the technical findings into plain-English guidance — what is wrong, why it matters, and exactly what to fix.
Related Articles
Understand how SPF, DKIM, and DMARC work together to protect your domain from spoofing and improve email deliverability. A practical guide for email administrators.
Your domain has no DMARC record. Learn why DMARC matters, how to create your first record, and the recommended rollout path from monitoring to enforcement.
Your SPF record exceeds the 10-lookup limit, causing email authentication failures. Learn why this happens and how to fix it with step-by-step instructions.
Your domain has no MX records, which means it can't receive email. Learn why MX records are essential and how to set them up correctly.