Email authentication check

harrodsaviation.com

This check reviews the domain's email authentication setup to help protect against spoofing and phishing.

All data is public, sourced from DNS. Last checked about 1 hour ago.
Needs attention

harrodsaviation.com has email authentication in place, with important improvements still available.

Some protections are present, but tightening the policy, reporting, or sender authorization would improve resilience.

73 out of 110
0 of 4 checks passed

DMARC

Optional

Domain-based Message Authentication

42 / 50

Quarantine policy enabled

DMARC record is valid and configured correctly.

_dmarc.harrodsaviation.com TXT
v=DMARC1; p=quarantine; pct=25; adkim=r; aspf=r; rua=mailto:[email protected]; ruf=mailto:[email protected]

Score breakdown

  • DMARC record published +10
  • Syntax valid +5
  • Quarantine policy +12
  • Aggregate reporting (rua) configured and verified +10
  • Failure reporting (ruf) configured +5

Configuration

  • Policy (p): quarantine
  • DKIM alignment (adkim): Relaxed (r)
  • SPF alignment (aspf): Relaxed (r)
  • Subdomain policy (sp): Inherits p=quarantine

Reporting (RUA / RUF)

  • Aggregate reports: Passed (external domain verification successful)
  • Failure reports: Passed (external domain verification successful)

Record uses tags removed by RFC 9989. RFC 9989 (May 2026) removed the pct tag. Use t=y for staged rollouts instead.

SPF

Optional

Sender Policy Framework

26 / 30

SPF record is valid

SPF record is valid and complies with RFC 7208.

harrodsaviation.com TXT
v=spf1 ip4:77.221.161.133 include:_spf.fboone.aero include:spf.protection.outlook.com include:_spf.tacklephishing.com include:spf.UK.exclaimer.net include:servers.mcsv.net include:_spf.salesforce.com ~all

Score breakdown

  • SPF record published +10
  • Syntax valid +5
  • Soft fail policy (~all) +6
  • No configuration warnings +5

Configuration

  • Default policy: ~all (soft fail)
  • DNS lookups: 8 / 10 max
  • Void lookups: 0 / 2 max
  • Syntax check: OK

DNS lookup detail

Each mechanism that may trigger a DNS query at delivery time.

1 include: _spf.fboone.aero Valid

SPF record found

v=spf1 ip4:23.102.25.155 ip4:52.164.224.170 ip4:52.208.51.234 ip4:34.250.209.69 ip4:52.16.31.47 ip4:40.67.156.248 ip4:54.240.88.211 ip4:54.240.88.212 ip6:2a05:d018:e5e:bb00::/56 include:amazonses.com ~all

Processed recursively per RFC 7208

2 include: amazonses.com Valid

SPF record found

v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ip4:69.169.224.0/20 ip4:23.249.208.0/20 ip4:23.251.224.0/19 ip4:76.223.176.0/20 ip4:54.240.64.0/18 ip4:76.223.128.0/19 ip4:216.221.160.0/19 ip4:206.55.144.0/20 ip4:24.110.64.0/18 -all

Processed recursively per RFC 7208

3 include: spf.protection.outlook.com Valid

SPF record found

v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/15 ip4:52.102.0.0/16 ip4:52.103.0.0/17 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/49 ip6:2a01:111:f403:8000::/51 ip6:2a01:111:f403:c000::/51 ip6:2a01:111:f403:f000::/52 -all

Processed recursively per RFC 7208

4 include: _spf.tacklephishing.com Valid

SPF record found

v=spf1 ip4:52.56.150.127/32 ip4:35.177.22.237/32 ip4:51.140.159.48/32 ip4:18.132.5.147/32 ip6:2600:1901:101::/64 -all

Processed recursively per RFC 7208

5 include: spf.UK.exclaimer.net Valid

SPF record found

v=spf1 ip4:51.140.37.132 ip4:51.141.5.228 ~all

Processed recursively per RFC 7208

6 include: servers.mcsv.net Valid

SPF record found

v=spf1 ip4:205.201.128.0/20 ip4:198.2.128.0/18 ip4:148.105.0.0/16 -all

Processed recursively per RFC 7208

7 include: _spf.salesforce.com Valid

SPF record found

v=spf1 exists:%{i}._spf.mta.salesforce.com -all

Processed recursively per RFC 7208

8 exists: %{i}._spf.mta.salesforce.com Macro

Dynamic SPF macro - counts as 1 potential lookup when evaluated at delivery time

SPF macro variables

%{i} = sender IP address

This mechanism uses SPF macros that are expanded when an email is received. The actual domain queried depends on the sender's IP address and other connection details.

BIMI

Optional

Brand Indicators for Message Identification

0 / 20

No BIMI record published

No BIMI record found for selector 'default'.

Score breakdown

  • BIMI record published (optional) 0 / 5

Configuration

  • Logo (l): Not configured
  • Mark certificate (a): Not configured
  • Selector: default
  • Note: SVG content is not parsed, for safety

BIMI is optional. BIMI usually matters after DMARC enforcement is working. Use it for brand display, not as a replacement for SPF or DMARC.

TLS

Optional

Transport security · MTA-STS & TLS-RPT

5 / 10

Inbound transport protection not fully configured

MTA-STS and TLS-RPT are optional, but they protect inbound mail against transport downgrade attacks and give visibility into TLS delivery failures.

Score breakdown

  • TLS-RPT record configured (optional) 0 / 5
  • MTA-STS policy configured +5

Configuration

  • TLS-RPT: Not configured
  • MTA-STS: Configured
  • MTA-STS policy ID: 20260401105012Z

Transport checks

TLS-RPT (reporting) Not configured

No TLS-RPT record found.

MTA-STS (policy) Configured
v=STSv1; id=20260401105012Z;

MTA-STS record is valid and configured correctly.

harrodsaviation.com has a DMARC quarantine policy, directing unauthenticated emails to spam. SPF is published with a soft fail policy (~all), flagging unauthorized senders without blocking them. A few improvements would strengthen harrodsaviation.com's email authentication posture.

What we check

DMARC policy and alignment, SPF record and includes, BIMI logo and certificate, and inbound transport security with MTA-STS and TLS-RPT.

Why it matters

Healthy authentication improves delivery and blocks spoofing. Major inbox providers increasingly expect DMARC and aligned SPF or DKIM from senders.

What you get

Syntax, policy, reporting validation, include analysis, alignment interpretation, and clear setup guidance for every result.