Security Grade Checker

How strong is your domain's security posture? Enter a domain and we'll run 15 checks across DMARC, SPF, DKIM, SSL, MTA-STS, DNSSEC and CAA, then hand back a clear A+ to F grade with the fixes that would move it up.

What is a Security Grade?

A Security Grade is a single letter (A+ through F) that summarises how well a domain is protected across every externally observable security signal. It is designed to do the work that fifteen separate protocol checkers can't: answer the question “is my domain secure?” in one glance.

Under the hood the grade rolls up checks across email authentication (DMARC, SPF, DKIM), transport security (SSL, MTA-STS, TLS-RPT), DNS integrity (DNSSEC, CAA), and domain registration hygiene. You see the grade. Below it, you see the specific improvements that would raise it.

What this tool checks

DMARC: record presence, policy (none / quarantine / reject), subdomain policy, pct, alignment modes, and rua reporting.
SPF: record presence, all-qualifier (-all / ~all), and DNS lookup count.
DKIM: whether DKIM signing is detected for the domain.
SSL/TLS: certificate validity and days remaining before expiry.
MTA-STS: whether a policy record exists at _mta-sts.domain.
TLS-RPT: whether a reporting record exists at _smtp._tls.domain.
DNSSEC: whether the zone is cryptographically signed.
CAA: whether a record restricts which certificate authorities can issue for the domain.
Domain registration: RDAP lookup for registration status, transfer lock, and days until expiry.

Why a grade instead of a score?

Numbers feel precise but aren't actionable. A grade tells you where you stand compared to what “good” looks like, without forcing you to memorise a scoring system. An A is strong. A C needs work. An F is actively risky. Pair that with the ranked list of improvements underneath and you have everything you need to prioritise.

For MSPs: a language your clients understand

Clients don't want to hear about SPF qualifiers or TLS reporting. They want to know whether their domain is safe. A letter grade from an external audit is a language the whole room understands, from the board to the helpdesk. Run a check in a meeting, show the grade, and the conversation shifts from “why do I need this?” to “how do we move from C to A?”

Need continuous monitoring?

This free tool is a point-in-time scan. Certificates expire, DNS records drift, DMARC policies get relaxed. With continuous monitoring in ShieldMarc, you are alerted the moment your grade drops, see the trend across all your domains, and can export white-label reports. Join the early access list to get onboarded before launch with up to 90 days free.

Frequently Asked Questions

What counts as a good grade?

A or A+ means your domain meets the strong end of modern email and DNS security practice: enforced DMARC, restrictive SPF, valid SSL, and hardening like MTA-STS, DNSSEC and CAA in place. B is solid but with room to harden. C and below mean there are gaps an attacker could use right now, and the fix list will show you which ones matter most.

How is this different from a DMARC checker?

A DMARC checker only evaluates your DMARC and SPF records. The Security Grade looks at your entire externally-observable security posture: DMARC, SPF, DKIM, SSL/TLS certificates, MTA-STS, TLS-RPT, DNSSEC, CAA records, and domain registration status. One grade, one list of fixes, instead of running eight different tools and stitching the results together.

How often should I re-check?

Check after any DNS, mail-server or registrar change. For continuous tracking with alerts when your grade slips, join the early access list. Certificate renewals, DNS edits, and policy tweaks can all shift the grade.

Is my data stored?

Results are cached in memory for up to five minutes so repeat scans return fast. We don't permanently store the domains you enter in the free tool. If you sign up, your organisation's domains are stored against your account so we can run ongoing checks.