Email Security Observatory

Every week, we audit the email configuration (SPF, DKIM, DMARC, BIMI, MTA-STS, DANE and DNSSEC) of over 1,000 listed companies worldwide. Our scoring covers 9 major stock indices (from the S&P 500 and Nasdaq 100 to the Nikkei 225 and Hang Seng), providing a global view of email security practices. Explore results by index, country or company and track progress week over week.

Scan week: 2026-03-23 · 1601 companies analysed

  • The observatory monitors 1601 listed companies across 16 stock indices this week, with an average email security score of 42/100.
  • 0% of companies achieve a grade of A+ or A, while 60% receive a D or F.
  • 82.9% of companies have deployed DMARC, with 46.3% enforcing a strict reject policy.
  • SPF records are configured on 90% of monitored domains.
  • BIMI brand indicators are deployed by 9% of companies.
  • 1% enforce inbound email encryption via MTA-STS.
  • DNSSEC is active on 10.6% of domains, adding cryptographic validation to DNS queries.
  • The highest-scoring company this week is Beiersdorf with 90/100 (A).

  • DMARC reject: 46.3% (742 / 1601)
  • SPF strict (-all): 48% (768 / 1601)
  • BIMI configured: 9% (150 / 1601)
  • MTA-STS enforce: 1% (20 / 1601)
  • DNSSEC enabled: 10.6% (170 / 1601)

Score distribution

| Grade | Companies |
|---|---|
| A+ | 0 |
| A | 2 |
| B | 54 |
| C | 584 |
| D | 661 |
| F | 300 |

Average: 42 · Median: 46 · Min: 0 · Max: 90

Top 10

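| Rank | Company | Domain | Score | Grade |
|---|---|---|---|---|
| 1 | Beiersdorf | beiersdorf.com | 90 | A |
| 2 | CME Group | cmegroup.com | 86 | A |
| 3 | ABN AMRO | abnamro.com | 82 | B |
| 4 | Fresenius | fresenius.com | 81 | B |
| 5 | CrowdStrike | crowdstrike.com | 79 | B |
| 6 | Tata Consultancy Services | tcs.com | 78 | B |
| 7 | Accenture | accenture.com | 75 (+1) | B |
| 8 | Heidelberg Materials | heidelbergmaterials.com | 75 | B |
| 9 | Cincinnati Financial | cinfin.com | 75 | B |
| 10 | CaixaBank | caixabank.com | 75 | B |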

Why an email security observatory?

Email remains the primary vector for cyberattacks targeting businesses. Phishing, CEO fraud and business email compromise exploit weak or missing email authentication. Publicly listed companies are high-value targets because spoofed emails can move markets, trigger fraudulent transfers or damage investor confidence.

The observatory exists to:

  • Measure the real-world adoption of email security standards across major indices
  • Track how adoption evolves week after week
  • Identify common gaps and help prioritize remediation
  • Provide transparency on the email security posture of the world's largest listed companies

What standards are analyzed?

Outbound email security

| Standard | Purpose |
|---|---|
| SPF | Authorizes which servers can send email on behalf of the domain |
| DKIM | Cryptographically signs outgoing messages to prove authenticity |
| DMARC | Tells receivers how to handle messages that fail SPF/DKIM checks |
| BIMI | Displays the company's logo in recipients' inboxes after DMARC enforcement |

Inbound email protection

| Standard | Purpose |
|---|---|
| MX | Declares the mail servers that receive email for the domain |
| MTA-STS | Enforces TLS encryption for incoming email connections |
| DANE/TLSA | Pins TLS certificates in DNS for email transport verification |

DNS security

| Standard | Purpose |
|---|---|
| DNSSEC | Cryptographically signs DNS zones to prevent spoofing and cache poisoning |

How the scoring works

Each domain is scored on a 100-point scale, divided into three pillars:

  1. Outbound security (up to 55 points) - SPF record quality, DKIM key strength, DMARC policy strictness, BIMI deployment
  2. Inbound protection (up to 25 points) - MX configuration, MTA-STS mode, DANE/TLSA records
  3. DNS hardening (up to 20 points) - DNSSEC chain validation

The final score maps to a letter grade: A+ (90+), A (80-89), B (65-79), C (50-64), D (30-49), F (below 30).
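The dashboard counters "SPF strict (-all)", "DMARC reject" and "MTA-STS enforce" each come down to reading one field of a published record. The following is an added example, not the observatory's own code: the function names and the sample records are constructed for illustration, and it only classifies strictness because the per-standard point weights are not given here.

```python
# Added example: classifies already-fetched records; performs no DNS or HTTPS lookups.

def spf_all_qualifier(txt):
    """Return the qualifier on the SPF `all` mechanism ('-', '~', '?', '+') or None."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None                      # not an SPF record
    for term in terms[1:]:
        t = term.lower()
        if t in ("all", "+all", "-all", "~all", "?all"):
            return t[0] if t[0] in "+-~?" else "+"   # bare `all` means +all
    return None                          # no `all` (redirect= is not followed here)

def dmarc_policy(txt):
    """Return the p= value of a DMARC record, or None if the record is invalid."""
    tags = [t.strip() for t in txt.split(";") if t.strip()]
    if not tags or tags[0].replace(" ", "") != "v=DMARC1":
        return None                      # v=DMARC1 must be the first tag
    for tag in tags[1:]:
        key, _, value = tag.partition("=")
        if key.strip().lower() == "p":
            value = value.strip().lower()
            return value if value in ("none", "quarantine", "reject") else None
    return None

def mta_sts_mode(policy_text):
    """Return the mode from an MTA-STS policy file (enforce, testing, none) or None."""
    for line in policy_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "mode":
            value = value.strip().lower()
            return value if value in ("enforce", "testing", "none") else None
    return None

def audit(spf, dmarc, sts_policy):
    """Map the three records onto the dashboard's strict / not-strict counters."""
    return {
        "spf_strict": spf_all_qualifier(spf) == "-",
        "dmarc_reject": dmarc_policy(dmarc) == "reject",
        "mta_sts_enforce": mta_sts_mode(sts_policy) == "enforce",
    }

# Constructed sample records for a fictitious domain (example.com).
SAMPLE = audit(
    "v=spf1 include:_spf.example.com ~all",
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 86400",
)
```

The MTA-STS mode lives in the policy file served over HTTPS at the domain's `mta-sts` host, not in the `_mta-sts` TXT record, so a domain can publish the TXT record and still not be in enforce mode.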


FAQ - Frequently asked questions

Q: What does the observatory measure?

A: The observatory analyzes email authentication records (SPF, DKIM, DMARC), brand protection (BIMI), transport security (MTA-STS, DANE/TLSA) and DNS security (DNSSEC) for each monitored domain.


Q: How is the score calculated?

A: The score is the sum of points across three pillars: outbound security (SPF, DKIM, DMARC, BIMI), inbound protection (MX, MTA-STS, DANE/TLSA) and DNS hardening (DNSSEC). Each standard contributes a weighted number of points.


Q: How often are companies scanned?

A: All domains are scanned once per week. The scan week is displayed on the dashboard.


Q: Which companies are monitored?

A: The observatory covers over 1,000 companies from 9 major global stock indices: S&P 500, Nasdaq 100, FTSE 100, CAC 40, DAX 40, Nikkei 225, Hang Seng, Nifty 50 and SSE 50.


Q: What is a good score?

A: A+ (90-100) indicates excellent email security. B (65-79) is acceptable but improvements exist. F (below 30) indicates significant gaps.


| Tool | Purpose |
|---|---|
| Email Domain Check | Full email authentication audit for any domain |
| SPF Inspector | Verify and fix your SPF record |
| DKIM Inspector | Validate your DKIM signature and key |
| DMARC Inspector | Configure and test your DMARC policy |
| MTA-STS Check | Verify your MTA-STS policy |