IT Operations & Cybersecurity Encyclopedia
MXToolbox email and DNS security checks guide
MXToolbox can help IT teams quickly inspect public email and DNS configuration issues, including MX records, SPF, DKIM, DMARC, DNS lookup results, blacklist status, and SMTP behavior. The value comes from turning those checks into verified fixes, change records, and evidence for email security operations.
Why it matters
Use public checks to find email and DNS exposure
Email security depends heavily on public DNS records and domain authentication. A small mistake in MX, SPF, DKIM, DMARC, or DNS can affect mail flow, deliverability, spoofing protection, phishing resilience, and vendor integrations.
MXToolbox is useful for quick external validation, but it should not be treated as the only source of truth. Findings should be confirmed against DNS hosting, Microsoft 365, mail gateway, security platform, and change-management records.
This guide is practical operations guidance. It does not replace Microsoft documentation, DNS provider documentation, email security architecture, cybersecurity audit, incident response planning, or managed IT support.
Practical rule: Every email and DNS security finding should identify the affected domain, current record, expected record, business impact, owner, change window, validation method, and post-change evidence.
Review scope
MXToolbox email and DNS review areas
MX and mail routing
Review MX targets, priority, stale mail exchangers, direct-to-Microsoft 365 routing, gateway routing, and legacy hosts.
SPF authorization
Validate authorized senders, lookup count, broad mechanisms, vendor includes, deprecated senders, and SPF alignment.
DKIM signing
Check DKIM selectors, signing status, DNS records, key rotation, third-party senders, and test-message authentication results.
DMARC enforcement
Review policy mode, reporting addresses, alignment, pct setting, quarantine or reject readiness, and exception handling.
DNS hygiene
Inspect TXT, CNAME, A, NS, SOA, TTL, duplicate records, stale vendor records, and DNS hosting ownership.
Blacklist and SMTP checks
Review blacklist status, reverse DNS, SMTP banner, TLS posture, mail flow symptoms, and delisting evidence.
Review matrix
MXToolbox email and DNS security matrix
| Area | What to verify | Questions to answer | Evidence |
|---|---|---|---|
| MX | Review mail exchanger targets, priority, gateway path, Microsoft 365 routing, stale hosts, and unauthorized mail paths. | Where does inbound mail actually go? | MXToolbox result, DNS export, Microsoft 365/gateway setting, and change notes. |
| SPF | Review authorized senders, include chains, lookup count, broad mechanisms, deprecated vendors, and alignment with sending systems. | Can unauthorized systems send as the domain? | SPF lookup result, sender inventory, DNS record, and vendor validation. |
| DKIM | Review selector records, signing status, key health, third-party signing, and message header authentication results. | Are legitimate messages cryptographically signed? | DKIM lookup, selector list, test message header, and signing configuration. |
| DMARC | Review policy, reporting addresses, alignment, pct, subdomain treatment, enforcement readiness, and exceptions. | What happens when authentication fails? | DMARC lookup, aggregate report summary, policy decision, and enforcement plan. |
| DNS | Review TXT, CNAME, A, NS, SOA, TTL, duplicate records, stale vendors, and ownership. | Are public records accurate and controlled? | DNS export, registrar/DNS owner, change record, and stale-record cleanup list. |
| Blacklist | Review current listings, mail server reputation, reverse DNS, SMTP banner, TLS behavior, and delisting workflow. | Is mail delivery affected by reputation or configuration? | Blacklist result, delisting notes, SMTP test, provider ticket, and closure evidence. |
Step-by-step review
MXToolbox email and DNS checks runbook
Inventory sending domains
List every business, alias, parked, marketing, support, and vendor-sending domain before testing public records.
Check MX and DNS records
Use MXToolbox to validate MX, TXT, CNAME, A, NS, SOA, TTL, and DNS consistency against the expected mail architecture.
Validate SPF, DKIM, and DMARC
Confirm authorized senders, DKIM selectors, DMARC policy, reporting, alignment, and enforcement progress.
Review blacklist and SMTP results
Check public blocklists, SMTP behavior, reverse DNS, TLS posture, provider reputation issues, and delisting requirements.
Remediate with change control
Assign owners, document old and new records, use safe TTL planning, coordinate vendor changes, and validate mail flow after changes.
Capture evidence and monitor
Save before-and-after results, DNS exports, test message headers, DMARC report notes, and next review dates.
Common risks
Common MXToolbox and DNS security gaps
SPF includes stale vendors
Old marketing, CRM, ticketing, or mail relay services can remain authorized long after they are no longer used.
DMARC stays in monitor mode
A p=none policy can be useful during rollout, but it does not enforce quarantine or reject decisions.
DKIM selectors are missing
Unsigned or incorrectly signed mail can reduce authentication confidence and complicate DMARC enforcement.
DNS ownership is unclear
If nobody owns DNS change control, email security fixes can be delayed or applied incorrectly.
Blacklist checks lack follow-up
A listing should trigger root-cause review, provider escalation, remediation, and closure evidence.
Parked domains are ignored
Unused domains should still have appropriate DNS and DMARC posture so they cannot be abused for spoofing.
Related support
Where IT Perfection can help
IT Perfection can help configure Microsoft 365 mail flow, DNS records, SPF, DKIM, DMARC, mail gateway routing, monitoring, and managed IT change control.
OC Security Audit can help review email authentication evidence, Microsoft 365 security posture, phishing exposure, domain spoofing risk, and audit readiness.
Created by Ali Hassani, CISO
Professional email and DNS security support
Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.
This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.
Email authentication needs evidence, not guessing
A disciplined review helps reduce spoofing risk, improve deliverability, clean up stale vendors, strengthen Microsoft 365 mail security, and give leadership clear proof of remediation.
FAQ
MXToolbox email and DNS checks FAQ
Is MXToolbox enough to secure email?
No. MXToolbox is useful for external validation, but findings should be confirmed against DNS hosting, Microsoft 365, mail gateway configuration, vendor settings, and message headers.
What should be checked first?
Start with domain inventory, MX records, SPF, DKIM, DMARC, DNS ownership, blacklist status, and actual mail flow architecture.
What evidence should be saved?
Save lookup results, DNS exports, old and new records, test message headers, DMARC report summaries, change tickets, vendor confirmations, and post-change validation.
Should DMARC immediately be set to reject?
Not always. DMARC enforcement should be planned after sender inventory, SPF and DKIM validation, report review, and exception handling so legitimate mail is not disrupted.