Email Deliverability Module
Module ID: email_deliverability | Type: Conditional (auto-detected) | Profiles: full, local
The Email Deliverability module checks SPF, DKIM, and DMARC DNS records for domains that have contact forms, helping ensure emails sent from the site are properly authenticated and less likely to land in spam.
What It Checks
| Check | What It Looks For |
|---|---|
| SPF record | v=spf1 TXT record on the domain |
| SPF mechanisms | Permitted senders, ~all vs -all |
| DKIM record | DKIM TXT records at common selectors |
| DMARC record | v=DMARC1 TXT record at _dmarc. subdomain |
| DMARC policy | p=none vs p=quarantine vs p=reject |
| Contact forms | Forms with email inputs that would trigger outbound email |
Scoring Breakdown
| Criterion | Deduction | Condition |
|---|---|---|
| No SPF record | -25 | No v=spf1 TXT record found |
| SPF too permissive | -10 | Uses +all or no all mechanism |
| No DMARC record | -25 | No v=DMARC1 record at _dmarc subdomain |
| DMARC policy is none | -10 | p=none provides no enforcement |
| No DKIM detected | -15 | No DKIM records at common selectors |
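The deductions in the table, applied to TXT record strings, as an added example that is not the module's own code. Function names are hypothetical, the sample records are constructed, DNS lookups are replaced by lists of strings, and DKIM detection is passed in as a boolean. Note that `~all` and `?all` incur no deduction under the table's conditions.

```python
# Added example, not the module's code. Names are hypothetical; the
# deduction values are the ones in the Scoring Breakdown table.

def find_spf(txt_records):
    """First TXT record whose version term is exactly v=spf1, else None."""
    return next((r for r in txt_records
                 if r.lower().split()[:1] == ["v=spf1"]), None)

def find_dmarc(txt_records):
    """First TXT record whose first tag is v=DMARC1, else None."""
    return next((r for r in txt_records
                 if r.split(";")[0].strip() == "v=DMARC1"), None)

def spf_all_qualifier(spf):
    """Qualifier of the 'all' mechanism ('+', '-', '~', '?'), None if absent."""
    for term in spf.lower().split()[1:]:
        if term == "all":
            return "+"  # a bare "all" carries the default '+' qualifier
        if term[1:] == "all" and term[0] in "+-~?":
            return term[0]
    return None

def dmarc_policy(dmarc):
    """Lower-cased value of the p= tag, or None if the tag is missing."""
    for tag in dmarc.split(";"):
        name, _, value = tag.partition("=")
        if name.strip().lower() == "p":
            return value.strip().lower()
    return None

def score_deductions(domain_txt, dmarc_txt, dkim_found):
    """Apply the table's deductions; returns (findings, total deduction)."""
    findings = []
    spf = find_spf(domain_txt)
    if spf is None:
        findings.append(("No SPF record", -25))
    elif spf_all_qualifier(spf) in ("+", None):
        findings.append(("SPF too permissive", -10))
    dmarc = find_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append(("No DMARC record", -25))
    elif dmarc_policy(dmarc) == "none":
        findings.append(("DMARC policy is none", -10))
    if not dkim_found:
        findings.append(("No DKIM detected", -15))
    return findings, sum(points for _, points in findings)

# Constructed sample records for a placeholder domain.
WEAK = (["v=spf1 include:_spf.example.net +all"], ["v=DMARC1; p=none"], False)
print(score_deductions(*WEAK))
```

The example does not follow `include:` or `redirect=` targets, so an SPF record that delegates its `all` mechanism through `redirect=` is scored as having none.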
Auto-Detection Signals
- `<form>` tags in HTML
- `contact-form` in class or ID attributes
- `type="email"` on input elements
Example Findings
```
P0 CRITICAL: No DMARC record found
Without DMARC, there is no policy telling receiving servers how to
handle emails that fail SPF/DKIM checks. Attackers can spoof your domain.
Fix: Add a TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=quarantine; rua=mailto:[email protected]
Effort: Low

P1 HIGH: SPF record uses ~all (softfail)
Softfail means SPF failures are flagged but not rejected. Consider
upgrading to -all (hardfail) once you have confirmed all senders.
Fix: Change ~all to -all in your SPF TXT record.
Effort: Low
```
Notes
This module performs DNS lookups, which require network access. When running in offline mode (static HTML analysis only), the module notes that DNS checks were skipped and scores only the form detection portion.