Check the most important email settings for a domain in one report. The tool checks MX, SPF, DMARC and DKIM settings and gives an overall score for the technical health of the domain’s email configuration.
A DKIM selector is often something like default, mail, selector1 or google. If you leave the selector empty, NetTools tries common DKIM selectors automatically.
The email settings check analyzes the most important email, DNS and TLS transport security settings for a domain in one report. The core checks cover MX, SPF, DMARC and DKIM. Additional checks extend the report with DNSSEC, CAA, MTA-STS and TLS-RPT results.
The goal is to provide a clear overview of whether the domain can receive email, whether sender authentication is configured correctly and whether email TLS transport and related reporting have been strengthened.
MX records define which mail servers receive email for the domain. Without working MX records, inbound email usually cannot be delivered correctly.
SPF defines which servers are allowed to send email for the domain. A strict SPF policy helps reduce unauthorized use of the domain in email.
DMARC defines how receivers should handle messages that fail SPF or DKIM checks. It also enables reporting.
DKIM cryptographically signs outgoing messages. The check looks up the public DKIM key for the selected DKIM selector.
DNSSEC improves trust in DNS responses by validating that answers have not been modified in transit. It also supports DNS-based security mechanisms.
CAA defines which certificate authorities may issue TLS/SSL certificates for the domain. This reduces the risk of unintended certificate issuance.
MTA-STS tells sending mail servers that email must be delivered over TLS to approved MX hosts.
TLS-RPT defines where SMTP TLS delivery reports are sent. It helps detect MTA-STS and TLS delivery issues.
Reliable email delivery and security do not depend on a single DNS record. MX defines where email is delivered, SPF and DKIM help prove the sender, DMARC defines how failed messages are handled and DNSSEC strengthens DNS integrity.
CAA supports certificate control, MTA-STS strengthens TLS transport for email and TLS-RPT makes delivery problems visible through reporting. Together, these checks give a much broader view of domain email security than an SPF or DMARC check alone.
The total score combines the original email configuration checks and the additional checks. The core report shows MX, SPF, DMARC and DKIM. The additional checks show DNSSEC, CAA, MTA-STS and TLS-RPT separately.
A perfect score means that the checked settings exist and are formally valid. A lower score does not always mean email is broken, but it highlights settings that should be reviewed and improved.
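To make "exist and are formally valid" concrete, the following added example (not NetTools' code or scoring) runs format checks over the TXT-based records described above: SPF, DMARC, DKIM, MTA-STS and TLS-RPT. The function names, result labels and sample records for example.com are assumptions constructed for the illustration.

```python
import re

def tags(record):
    """Parse a 'tag=value; tag=value' TXT record into a dict (keys lowercased)."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(txt):
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return "invalid"
    final = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t)]
    if not final:
        return "no all mechanism"  # may still delegate via redirect=
    return {"-": "strict", "~": "softfail", "?": "neutral"}.get(final[0][0], "allows any sender")

def check_dmarc(txt):
    policy = tags(txt).get("p", "").lower()
    version_first = re.match(r"v\s*=\s*DMARC1\s*(;|$)", txt.strip())  # v= must be the first tag
    return "p=" + policy if version_first and policy in ("none", "quarantine", "reject") else "invalid"

def check_dkim(txt):
    t = tags(txt)
    key = re.sub(r"\s+", "", t.get("p", ""))
    base64_ok = re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", key) and len(key) % 4 == 0
    if t.get("v", "DKIM1") != "DKIM1" or "p" not in t or not base64_ok:
        return "invalid"
    return "valid" if key else "revoked"  # an empty p= withdraws the key

def check_tagged(txt, version, tag, pattern):  # MTA-STS, TLS-RPT: version plus one required tag
    t = tags(txt)
    ok = t.get("v") == version and re.fullmatch(pattern, t.get(tag, ""))
    return "valid" if ok else "invalid"

CHECKS = {
    "spf": check_spf, "dmarc": check_dmarc, "dkim": check_dkim,
    "mta-sts": lambda r: check_tagged(r, "STSv1", "id", r"[A-Za-z0-9]{1,32}"),
    "tls-rpt": lambda r: check_tagged(r, "TLSRPTv1", "rua", r"((mailto|https):[^\s,]+\s*,?\s*)+")}

def audit(records):
    """records maps a check name to its TXT string, or None if no record was found."""
    return {name: "missing" if records.get(name) is None else check(records[name])
            for name, check in CHECKS.items()}

# Constructed sample records for example.com (not real lookups).
SAMPLE = {"spf": "v=spf1 mx include:_spf.example.net ~all",
          "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
          "dkim": "v=DKIM1; k=rsa; p=",
          "mta-sts": "v=STSv1; id=20240101T000000", "tls-rpt": None}
```

Calling audit(SAMPLE) reports SPF as softfail, DMARC as p=none and the DKIM key as revoked: records that exist and parse, yet are exactly the kind of setting a reviewer would still want to tighten.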
No. The combined report summarizes the most important results, while the individual tools still provide a more focused view of each setting.
No, but DNSSEC improves trust in DNS responses and strengthens DNS-based security mechanisms.
Email TLS protection uses certificates. CAA helps control which certificate authorities may issue certificates for the domain.
MTA-STS strengthens TLS transport for email, while TLS-RPT defines where TLS delivery issues are reported.