Recommendations

1. 1Add rua=mailto:dmarc@yourdomain to your DMARC to receive reports▾

   Without DMARC reporting (rua=), you have no visibility into who is sending email on behalf of your domain. Aggregate reports let you detect spoofing attempts, identify misconfigured legitimate senders, and confidently tighten your policy over time.

2. 2Add an SPF record: yourdomain TXT "v=spf1 include:yourprovider -all"▾

   SPF tells receiving servers which IP addresses are allowed to send email for your domain. Without it, any server in the world can send emails appearing to come from you. Adding SPF with -all (hardfail) means unauthorized senders will be rejected.

3. 3Add MTA-STS to enforce TLS encryption for incoming emails▾

   Without MTA-STS, an attacker performing a man-in-the-middle attack can downgrade the connection between mail servers to plaintext, intercepting emails in transit. MTA-STS tells sending servers to only deliver via TLS with a valid certificate, preventing downgrade attacks.