IT Operations & Cybersecurity Encyclopedia

MXToolbox email and DNS security checks guide

MXToolbox can help IT teams quickly inspect public email and DNS configuration issues, including MX records, SPF, DKIM, DMARC, DNS lookup results, blacklist status, and SMTP behavior. The value comes from turning those checks into verified fixes, change records, and evidence for email security operations.

MXToolboxEmail securityDNS checksSPF DKIM DMARCMicrosoft 365

Why it matters

Use public checks to find email and DNS exposure

Email security depends heavily on public DNS records and domain authentication. A small mistake in MX, SPF, DKIM, DMARC, or DNS can affect mail flow, deliverability, spoofing protection, phishing resilience, and vendor integrations.

MXToolbox is useful for quick external validation, but it should not be treated as the only source of truth. Findings should be confirmed against DNS hosting, Microsoft 365, mail gateway, security platform, and change-management records.

This guide is practical operations guidance. It does not replace Microsoft documentation, DNS provider documentation, email security architecture, cybersecurity audit, incident response planning, or managed IT support.

Practical rule: Every email and DNS security finding should identify the affected domain, current record, expected record, business impact, owner, change window, validation method, and post-change evidence.

Review scope

MXToolbox email and DNS review areas

MX and mail routing

Review MX targets, priority, stale mail exchangers, direct-to-Microsoft 365 routing, gateway routing, and legacy hosts.

SPF authorization

Validate authorized senders, lookup count, broad mechanisms, vendor includes, deprecated senders, and SPF alignment.

DKIM signing

Check DKIM selectors, signing status, DNS records, key rotation, third-party senders, and test-message authentication results.

DMARC enforcement

Review policy mode, reporting addresses, alignment, pct setting, quarantine or reject readiness, and exception handling.

DNS hygiene

Inspect TXT, CNAME, A, NS, SOA, TTL, duplicate records, stale vendor records, and DNS hosting ownership.

Blacklist and SMTP checks

Review blacklist status, reverse DNS, SMTP banner, TLS posture, mail flow symptoms, and delisting evidence.

Review matrix

MXToolbox email and DNS security matrix

AreaWhat to verifyQuestions to answerEvidence
MXReview mail exchanger targets, priority, gateway path, Microsoft 365 routing, stale hosts, and unauthorized mail paths.Where does inbound mail actually go?MXToolbox result, DNS export, Microsoft 365/gateway setting, and change notes.
SPFReview authorized senders, include chains, lookup count, broad mechanisms, deprecated vendors, and alignment with sending systems.Can unauthorized systems send as the domain?SPF lookup result, sender inventory, DNS record, and vendor validation.
DKIMReview selector records, signing status, key health, third-party signing, and message header authentication results.Are legitimate messages cryptographically signed?DKIM lookup, selector list, test message header, and signing configuration.
DMARCReview policy, reporting addresses, alignment, pct, subdomain treatment, enforcement readiness, and exceptions.What happens when authentication fails?DMARC lookup, aggregate report summary, policy decision, and enforcement plan.
DNSReview TXT, CNAME, A, NS, SOA, TTL, duplicate records, stale vendors, and ownership.Are public records accurate and controlled?DNS export, registrar/DNS owner, change record, and stale-record cleanup list.
BlacklistReview current listings, mail server reputation, reverse DNS, SMTP banner, TLS behavior, and delisting workflow.Is mail delivery affected by reputation or configuration?Blacklist result, delisting notes, SMTP test, provider ticket, and closure evidence.

Step-by-step review

MXToolbox email and DNS checks runbook

1

Inventory sending domains

List every business, alias, parked, marketing, support, and vendor-sending domain before testing public records.

2

Check MX and DNS records

Use MXToolbox to validate MX, TXT, CNAME, A, NS, SOA, TTL, and DNS consistency against the expected mail architecture.

3

Validate SPF, DKIM, and DMARC

Confirm authorized senders, DKIM selectors, DMARC policy, reporting, alignment, and enforcement progress.

4

Review blacklist and SMTP results

Check public blocklists, SMTP behavior, reverse DNS, TLS posture, provider reputation issues, and delisting requirements.

5

Remediate with change control

Assign owners, document old and new records, use safe TTL planning, coordinate vendor changes, and validate mail flow after changes.

6

Capture evidence and monitor

Save before-and-after results, DNS exports, test message headers, DMARC report notes, and next review dates.

Common risks

Common MXToolbox and DNS security gaps

SPF includes stale vendors

Old marketing, CRM, ticketing, or mail relay services can remain authorized long after they are no longer used.

DMARC stays in monitor mode

A p=none policy can be useful during rollout, but it does not enforce quarantine or reject decisions.

DKIM selectors are missing

Unsigned or incorrectly signed mail can reduce authentication confidence and complicate DMARC enforcement.

DNS ownership is unclear

If nobody owns DNS change control, email security fixes can be delayed or applied incorrectly.

Blacklist checks lack follow-up

A listing should trigger root-cause review, provider escalation, remediation, and closure evidence.

Parked domains are ignored

Unused domains should still have appropriate DNS and DMARC posture so they cannot be abused for spoofing.

Related support

Where IT Perfection can help

IT Perfection can help configure Microsoft 365 mail flow, DNS records, SPF, DKIM, DMARC, mail gateway routing, monitoring, and managed IT change control.

OC Security Audit can help review email authentication evidence, Microsoft 365 security posture, phishing exposure, domain spoofing risk, and audit readiness.

Created by Ali Hassani, CISO

Professional email and DNS security support

Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.

This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.

Email authentication needs evidence, not guessing

A disciplined review helps reduce spoofing risk, improve deliverability, clean up stale vendors, strengthen Microsoft 365 mail security, and give leadership clear proof of remediation.

FAQ

MXToolbox email and DNS checks FAQ

Is MXToolbox enough to secure email?

No. MXToolbox is useful for external validation, but findings should be confirmed against DNS hosting, Microsoft 365, mail gateway configuration, vendor settings, and message headers.

What should be checked first?

Start with domain inventory, MX records, SPF, DKIM, DMARC, DNS ownership, blacklist status, and actual mail flow architecture.

What evidence should be saved?

Save lookup results, DNS exports, old and new records, test message headers, DMARC report summaries, change tickets, vendor confirmations, and post-change validation.

Should DMARC immediately be set to reject?

Not always. DMARC enforcement should be planned after sender inventory, SPF and DKIM validation, report review, and exception handling so legitimate mail is not disrupted.