Email Authentication Check

nhs.uk

This check reviews your domain's email authentication setup to help protect against spoofing and phishing.

DMARC SPF BIMI TLS-RPT MTA-STS

All data shown is public and sourced from DNS.

Last checked about 13 hours ago

0 out of 110
Good

nhs.uk domain score

Your domain has basic email authentication in place. Consider strengthening your configuration for better protection.

SPF
Sender Policy Framework
30 / 30
DMARC
Domain-based Message Authentication
45 / 50
BIMI
Brand Indicators for Message Identification
0 / 20
TLS
TLS Security (MTA-STS & TLS-RPT)
0 / 10

nhs.uk enforces a strict DMARC reject policy, instructing receivers to block unauthenticated emails. SPF is correctly configured with a strict policy (-all), specifying which servers may send on its behalf. A few improvements would strengthen nhs.uk's email authentication posture.

Curious how this compares? See the DMARC posture of the top 100 domains.

0

DMARC Check Results

45 / 50 points

Score Breakdown

DMARC record published
+10
Syntax valid
+5
Reject policy (maximum protection)
+20
Aggregate reporting (rua) configured and verified
+10
Forensic reporting (ruf) not configured (optional)
0 / 5

DMARC check passed: properly configured

DMARC record is valid and configured correctly.

_dmarc.nhs.uk TXT Entry:

v=DMARC1; p=reject; sp=none;adkim=s;aspf=s;fo=1; rua=mailto:[email protected],mailto:[email protected]

Policy (p)

reject

DKIM Alignment (adkim)

Strict (s)

SPF Alignment (aspf)

Strict (s)

Understanding alignment modes

DKIM Alignment (adkim)

Strict mode: The DKIM signature's domain must exactly match the "From" header domain.

SPF Alignment (aspf)

Strict mode: The SPF "Return-Path" domain must exactly match the "From" header domain.

Note: When alignment parameters are not specified, DMARC defaults to relaxed mode for both DKIM and SPF alignment.

Reporting (RUA/RUF)

Aggregate Reports

Configured
[email protected]
[email protected]
External Domain Verification
[email protected]

Verification successful

[email protected]

Verification successful

Learn more about aggregate reports →

Forensic Reports

Not Configured
Learn more about forensic reports →

Add Our Monitoring System

You can add our monitoring system alongside your existing setup. DMARC supports multiple mailto: addresses, giving you additional visibility and backup reporting.

  • Automated DMARC report processing every 5 minutes
  • Track all sending sources and authentication results
  • Email alerts when your DNS records change
Start free monitoring
0

BIMI Check (default selector)

0 / 20 points

Score Breakdown

BIMI record published (optional)
0 / 5

No BIMI Record Found

Publish a TXT record at default._bimi.nhs.uk with v=BIMI1, logo URL (l=) and optional verified mark certificate (a=).

Create BIMI Record for nhs.uk
0

SPF Record Check Results

30 / 30 points

Score Breakdown

SPF record published
+10
Syntax valid
+5
Hard fail policy (-all)
+10
No configuration warnings
+5

SPF record is valid.

nhs.uk TXT SPF Entry:

v=spf1 ip4:195.104.77.0/23 ip4:10.176.129.120 ip4:10.228.178.230 ip4:194.72.83.215 ip4:194.72.83.216 ip4:194.155.93.52/31 include:esa1.hc1668-91.c3s2.iphmx.com include:esa2.hc1668-91.c3s2.iphmx.com include:spf.protection.outlook.com include:_spf.nhs.net include:spf.mandrillapp.com -all

Syntax Check

OK

DNS Lookup Count

6 / 10 max

Root-level mechanisms requiring DNS queries: 5.

Void Lookups

0 / 2 max

Default Policy

-all

Fail: Reject emails from unauthorized servers (recommended for production)

All Authorized IP Addresses

Grouped by DNS record source (includes and sub-includes)

nhs.uk (Root SPF Record)
195.104.77.0/23
10.176.129.120
10.228.178.230
194.72.83.215
194.72.83.216
194.155.93.52/31

This record also contains:

include:esa1.hc1668-91.c3s2.iphmx.com include:esa2.hc1668-91.c3s2.iphmx.com include:spf.protection.outlook.com - Microsoft 365 include:_spf.nhs.net include:spf.mandrillapp.com - Mailchimp Transactional
include:esa1.hc1668-91.c3s2.iphmx.com
139.138.61.16
include:esa2.hc1668-91.c3s2.iphmx.com
139.138.60.154
include:spf.protection.outlook.com | Microsoft 365
40.92.0.0/15
40.107.0.0/16
52.100.0.0/15
52.102.0.0/16
52.103.0.0/17
104.47.0.0/17
2a01:111:f400::/48
2a01:111:f403::/49
2a01:111:f403:8000::/51
2a01:111:f403:c000::/51
2a01:111:f403:f000::/52
include:_spf.nhs.net
213.161.89.71
213.161.89.72
213.161.89.73
213.161.89.103
213.161.89.104
213.161.89.105
155.231.210.221
155.231.210.253
51.140.243.175
51.132.11.4
10.13.29.0/26
10.13.31.0/26
10.13.29.96/27
10.13.31.96/27
155.231.208.0/27
155.231.208.128/27

This record also contains:

include:spf.protection.outlook.com - Microsoft 365
include:spf.mandrillapp.com | Mailchimp Transactional
198.2.128.0/24
198.2.132.0/22
198.2.136.0/23
198.2.145.0/24
198.2.186.0/23
205.201.131.0/24
205.201.134.128/25
205.201.136.0/23
205.201.139.0/24
198.2.177.0/24
198.2.178.0/23
198.2.180.0/24

DNS Lookup Details

1
include:
esa1.hc1668-91.c3s2.iphmx.com
Valid

SPF record found

Lookup cost: 0
Included by nhs.uk

TXT Record

v=spf1 ip4:139.138.61.16 -all

Processed recursively per RFC 7208

2
include:
esa2.hc1668-91.c3s2.iphmx.com
Valid

SPF record found

Lookup cost: 0
Included by nhs.uk

TXT Record

v=spf1 ip4:139.138.60.154 -all

Processed recursively per RFC 7208

3
include:
spf.protection.outlook.com | Microsoft 365
Valid

SPF record found

Lookup cost: 0
Included by nhs.uk

TXT Record

v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/15 ip4:52.102.0.0/16 ip4:52.103.0.0/17 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/49 ip6:2a01:111:f403:8000::/51 ip6:2a01:111:f403:c000::/51 ip6:2a01:111:f403:f000::/52 -all

Processed recursively per RFC 7208

4
include:
_spf.nhs.net
Valid

SPF record found

Lookup cost: 1
Included by nhs.uk

TXT Record

v=spf1 ip4:213.161.89.71 ip4:213.161.89.72 ip4:213.161.89.73 ip4:213.161.89.103 ip4:213.161.89.104 ip4:213.161.89.105 ip4:155.231.210.221 ip4:155.231.210.253 ip4:51.140.243.175 ip4:51.132.11.4 ip4:10.13.29.0/26 ip4:10.13.31.0/26 ip4:10.13.29.96/27 ip4:10.13.31.96/27 ip4:155.231.208.0/27 ip4:155.231.208.128/27 include:spf.protection.outlook.com -all

Processed recursively per RFC 7208

5
include:
spf.protection.outlook.com | Microsoft 365
Error

Circular reference detected

Lookup cost: 1
Included by _spf.nhs.net
6
include:
spf.mandrillapp.com | Mailchimp Transactional
Valid

SPF record found

Lookup cost: 0
Included by nhs.uk

TXT Record

v=spf1 ip4:198.2.128.0/24 ip4:198.2.132.0/22 ip4:198.2.136.0/23 ip4:198.2.145.0/24 ip4:198.2.186.0/23 ip4:205.201.131.0/24 ip4:205.201.134.128/25 ip4:205.201.136.0/23 ip4:205.201.139.0/24 ip4:198.2.177.0/24 ip4:198.2.178.0/23 ip4:198.2.180.0/24 ~all

Processed recursively per RFC 7208

0

TLS Security

0 / 10 points

Score Breakdown

TLS-RPT record configured (optional)
0 / 5
MTA-STS policy configured (optional)
0 / 5

TLS-RPT (Reporting)

TLS-RPT Not Configured

Publish a TXT record at _smtp._tls.nhs.uk with v=TLSRPTv1 and reporting URI (rua=).

MTA-STS (Policy)

MTA-STS Not Configured

Publish a TXT record at _mta-sts.nhs.uk with v=STSv1 and policy ID (id=).

Protect inbound transport

You've checked your outbound authentication. But without MTA-STS and TLS-RPT, mail delivered to nhs.uk isn't protected against transport downgrade attacks. Receiver Shield helps you deploy, monitor, and safely enforce transport security.

Start Monitoring

Know when your DNS records change

The check you just ran shows your current configuration. But DNS records change, sometimes without you knowing. A well-meaning IT change, a third-party provider update, or an unauthorized modification can break your email delivery overnight.

Configuration Drift

IT changes that accidentally break authentication

Provider Updates

Third-party services changing their SPF includes

Unauthorized Changes

Attackers modifying records to send as you

DMARCTrust monitors your DNS records continuously. When something changes, you get an email alert with exactly what changed and why it matters. No more surprises when customers complain their emails bounced.

Monitor nhs.uk free

Email Security Configuration

How nhs.uk configures email authentication

DMARC Domain Policy
Configured
v=DMARC1; p=reject; sp=none;adkim=s;aspf=s;fo=1; rua=mailto:[email protected],mailto:[email protected]
p=reject DKIM: strict SPF: strict Reports enabled
SPF Sender Authorization
Configured
v=spf1 ip4:195.104.77.0/23 ip4:10.176.129.120 ip4:10.228.178.230 ip4:194.72.83.215 ip4:194.72.83.216 ip4:194.155.93.52/31 include:esa1.hc1668-91.c3s2.iphmx.com include:esa2.hc1668-91.c3s2.iphmx.com include:spf.protection.outlook.com include:_spf.nhs.net include:spf.mandrillapp.com -all
-all 5 includes 6 IPs
BIMI Brand Indicator
Not set
No BIMI record configured for this domain

Change History

Monitoring started April 06, 2026

Configuration changes will appear here when detected

Check Another Domain

Run a free email authentication check (DMARC, SPF, BIMI).

We will generate a shareable URL for your domain.

Try popular examples: google.com, amazon.com, booking.com

Explore other domains

Discover how other organizations configure their email authentication

Popular Domains

Frequently checked

Well-Configured

Reject policy + valid SPF

Same Policy

Also using reject

Showing domains checked by our users. All data is from public DNS records.

About This Checker

What we check

We analyze your domain's email authentication: DMARC policy and alignment, SPF record and includes, and BIMI logo and certificate status when present.

Why it matters

Healthy authentication improves delivery and blocks spoofing. Major inbox providers increasingly expect DMARC and aligned SPF/DKIM from senders.

Included features

  • DMARC syntax, policy, and reporting validation
  • SPF record evaluation and include analysis
  • DKIM/SPF alignment interpretation
  • BIMI record and VMC detection
  • Clear setup and remediation guidance

Monitor your email authentication 24/7

This check shows a snapshot. With DMARCTrust, you get continuous monitoring of your DMARC reports and DNS records, with instant alerts when something changes.

Start monitoring nhs.uk View Plans