Email authentication check

bbc.co.uk

This check reviews the domain's email authentication setup to help protect against spoofing and phishing.

All data is public, sourced from DNS. Last checked about 7 hours ago.
Needs attention

bbc.co.uk has email authentication in place, with important improvements still available.

bbc.co.uk has strong outbound authentication. Adding inbound transport security would complete the picture.

86 out of 110
1 of 4 checks passed

DMARC

Optional

Domain-based Message Authentication

45 / 50

Strict reject policy enforced

DMARC record is valid and configured correctly.

_dmarc.bbc.co.uk TXT
v=DMARC1;p=reject;aspf=s;adkim=s;pct=100;fo=0;ri=86400; rua=mailto:[email protected];

Score breakdown

  • DMARC record published +10
  • Syntax valid +5
  • Reject policy (maximum protection) +20
  • Aggregate reporting (rua) configured and verified +10
  • Failure reporting (ruf) not configured (optional) 0 / 5

Configuration

  • Policy (p): reject
  • DKIM alignment (adkim): Strict (s)
  • SPF alignment (aspf): Strict (s)
  • Subdomain policy (sp): Inherits p=reject
  • Failure reporting (fo): 0

Reporting (RUA / RUF)

  • Aggregate reports: Passed. External domain verification successful.
  • Failure reports (optional): Not configured.

RFC 9989 note on p=reject

RFC 9989 cautions against p=reject for domains whose users post to mailing lists, and §7.4 requires receivers to treat p=reject as p=quarantine unless their own analysis justifies rejecting. For transactional or marketing-only domains, p=reject stays appropriate; mailbox domains should consider p=quarantine with sp=reject on non-sending subdomains.

Record uses tags removed by RFC 9989

  • RFC 9989 (May 2026) removed the pct tag. Use t=y for staged rollouts instead.
  • RFC 9989 (May 2026) removed the ri tag. Receivers send aggregate reports daily regardless.

SPF

Optional

Sender Policy Framework

21 / 30

SPF record is valid with warnings

SPF record is valid but has warnings: Explicit '+' qualifier is redundant (it's the default) and can be removed from: include:spf.sis.bbc.co.uk, include:spf.messagelabs.com

bbc.co.uk TXT
v=spf1 ip4:212.58.224.0/19 ip4:132.185.0.0/16 +include:spf.sis.bbc.co.uk +include:spf.messagelabs.com ~all

Score breakdown

  • SPF record published +10
  • Syntax valid +5
  • Soft fail policy (~all) +6
  • Configuration warnings present 0 / 5

Configuration

  • Default policy: ~all (soft fail)
  • DNS lookups: 4 / 10 max
  • Void lookups: 0 / 2 max
  • Syntax check: OK

DNS lookup detail

Each mechanism that may trigger a DNS query at delivery time.

1 include: spf.sis.bbc.co.uk Valid

SPF record found

v=spf1 -all

Processed recursively per RFC 7208

2 include: spf.messagelabs.com Valid

SPF record found

v=spf1 include:nets1.spf.messagelabs.com include:nets2.spf.messagelabs.com ~all

Processed recursively per RFC 7208

3 include: nets1.spf.messagelabs.com Valid

SPF record found

v=spf1 ip4:85.158.136.0/21 ip4:193.109.254.0/23 ip4:194.106.220.0/23 ip4:195.245.230.0/23 ip4:95.131.104.0/21 ip4:46.226.48.0/21

Processed recursively per RFC 7208

4 include: nets2.spf.messagelabs.com Valid

SPF record found

v=spf1 ip4:216.82.240.0/20 ip4:67.219.240.0/20 ip4:117.120.16.0/21 ip4:103.9.96.0/22 ip4:35.228.216.85 ip4:146.148.116.76 ip4:34.141.160.224 ip4:34.70.158.162 ip4:34.74.74.140 ip4:34.83.159.189

Processed recursively per RFC 7208

Authorized IP addresses

bbc.co.uk

212.58.224.0/19 132.185.0.0/16

This record also contains

include:spf.sis.bbc.co.uk include:spf.messagelabs.com

include:nets1.spf.messagelabs.com

85.158.136.0/21 193.109.254.0/23 194.106.220.0/23 195.245.230.0/23 95.131.104.0/21 46.226.48.0/21

include:nets2.spf.messagelabs.com

216.82.240.0/20 67.219.240.0/20 117.120.16.0/21 103.9.96.0/22 35.228.216.85 146.148.116.76 34.141.160.224 34.70.158.162 34.74.74.140 34.83.159.189

BIMI

Passed

Brand Indicators for Message Identification

20 / 20

Verified logo configured

BIMI record validated

default._bimi.bbc.co.uk TXT
v=BIMI1; l=https://vmc.digicert.com/ffc97feb-eec4-4634-888d-2ce5bfa3aabf.svg; a=https://vmc.digicert.com/ffc97feb-eec4-4634-888d-2ce5bfa3aabf.pem

Score breakdown

  • BIMI record published +5
  • BIMI record valid +5
  • Logo URL accessible and valid SVG +5
  • Verified Mark Certificate (VMC) valid +5

Configuration

  • Logo (l): image/svg+xml
  • Mark certificate (a): Valid PEM detected
  • Selector: default
  • Note: SVG content is not parsed, for safety

TLS

Optional

Transport security · MTA-STS & TLS-RPT

0 / 10

Inbound transport protection not fully configured

MTA-STS and TLS-RPT are optional, but they protect inbound mail against transport downgrade attacks and give visibility into TLS delivery failures.

Score breakdown

  • TLS-RPT record configured (optional) 0 / 5
  • MTA-STS policy configured (optional) 0 / 5

Configuration

  • TLS-RPT: Not configured
  • MTA-STS: Not configured

Transport checks

TLS-RPT (reporting) Not configured

No TLS-RPT record found.

MTA-STS (policy) Not configured

No MTA-STS record found.

bbc.co.uk enforces a strict DMARC reject policy, instructing receivers to block unauthenticated emails. An SPF record is published but has warnings that could affect delivery. A few improvements would strengthen bbc.co.uk's email authentication posture.

First checked 5 months ago.

What we check

DMARC policy and alignment, SPF record and includes, BIMI logo and certificate, and inbound transport security with MTA-STS and TLS-RPT.

Why it matters

Healthy authentication improves delivery and blocks spoofing. Major inbox providers increasingly expect DMARC and aligned SPF or DKIM from senders.

What you get

Syntax, policy, reporting validation, include analysis, alignment interpretation, and clear setup guidance for every result.