All data shown is public and sourced from DNS.
Last checked less than a minute ago
Your domain has basic email authentication in place. Consider strengthening your configuration for better protection.
nhs.uk enforces a strict DMARC reject policy, instructing receivers to block unauthenticated emails. SPF is correctly configured with a strict policy (-all), specifying which servers may send on its behalf. A few improvements would strengthen nhs.uk's email authentication posture.
45 / 50 points
DMARC record is valid and configured correctly.
v=DMARC1; p=reject; sp=none;adkim=s;aspf=s;fo=1; rua=mailto:[email protected],mailto:[email protected]
Policy (p)
reject
DKIM Alignment (adkim)
Strict (s)
SPF Alignment (aspf)
Strict (s)
Strict mode: The DKIM signature's domain must exactly match the "From" header domain.
Strict mode: The SPF "Return-Path" domain must exactly match the "From" header domain.
Note: When alignment parameters are not specified, DMARC defaults to relaxed mode for both DKIM and SPF alignment.
Verification successful
Verification successful
You can add our monitoring system alongside your existing setup. DMARC supports multiple mailto: addresses, giving you additional visibility and backup reporting.
0 / 20 points
No BIMI Record Found
Publish a TXT record at default._bimi.nhs.uk with v=BIMI1, logo URL (l=) and optional verified mark certificate (a=).
30 / 30 points
SPF record is valid.
v=spf1 ip4:195.104.77.0/23 ip4:10.176.129.120 ip4:10.228.178.230 ip4:194.72.83.215 ip4:194.72.83.216 ip4:194.155.93.52/31 include:esa1.hc1668-91.c3s2.iphmx.com include:esa2.hc1668-91.c3s2.iphmx.com include:spf.protection.outlook.com include:_spf.nhs.net include:spf.mandrillapp.com -all
Syntax Check
OK
DNS Lookup Count
6 / 10 max
Root-level mechanisms requiring DNS queries: 5.
Void Lookups
0 / 2 max
Fail: Reject emails from unauthorized servers (recommended for production)
Grouped by DNS record source (includes and sub-includes)
This record also contains:
This record also contains:
SPF record found
nhs.uk
TXT Record
v=spf1 ip4:139.138.61.16 -all
Processed recursively per RFC 7208
SPF record found
nhs.uk
TXT Record
v=spf1 ip4:139.138.60.154 -all
Processed recursively per RFC 7208
SPF record found
nhs.uk
TXT Record
v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/15 ip4:52.102.0.0/16 ip4:52.103.0.0/17 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/49 ip6:2a01:111:f403:8000::/51 ip6:2a01:111:f403:c000::/51 ip6:2a01:111:f403:f000::/52 -all
Processed recursively per RFC 7208
SPF record found
nhs.uk
TXT Record
v=spf1 ip4:213.161.89.71 ip4:213.161.89.72 ip4:213.161.89.73 ip4:213.161.89.103 ip4:213.161.89.104 ip4:213.161.89.105 ip4:155.231.210.221 ip4:155.231.210.253 ip4:51.140.243.175 ip4:51.132.11.4 ip4:10.13.29.0/26 ip4:10.13.31.0/26 ip4:10.13.29.96/27 ip4:10.13.31.96/27 ip4:155.231.208.0/27 ip4:155.231.208.128/27 include:spf.protection.outlook.com -all
Processed recursively per RFC 7208
Circular reference detected
_spf.nhs.net
SPF record found
nhs.uk
TXT Record
v=spf1 ip4:198.2.128.0/24 ip4:198.2.132.0/22 ip4:198.2.136.0/23 ip4:198.2.145.0/24 ip4:198.2.186.0/23 ip4:205.201.131.128/25 ip4:205.201.134.128/25 ip4:205.201.136.0/23 ip4:205.201.139.0/24 ip4:198.2.177.0/24 ip4:198.2.178.0/23 ip4:198.2.180.0/24 ~all
Processed recursively per RFC 7208
0 / 10 points
TLS-RPT Not Configured
Publish a TXT record at _smtp._tls.nhs.uk with v=TLSRPTv1 and reporting URI (rua=).
MTA-STS Not Configured
Publish a TXT record at _mta-sts.nhs.uk with v=STSv1 and policy ID (id=).
The check you just ran shows your current configuration. But DNS records change, sometimes without you knowing. A well-meaning IT change, a third-party provider update, or an unauthorized modification can break your email delivery overnight.
Configuration Drift
IT changes that accidentally break authentication
Provider Updates
Third-party services changing their SPF includes
Unauthorized Changes
Attackers modifying records to send as you
DMARCTrust monitors your DNS records continuously. When something changes, you get an email alert with exactly what changed and why it matters. No more surprises when customers complain their emails bounced.
Run a free email authentication check (DMARC, SPF, BIMI).
We will generate a shareable URL for your domain.
Try popular examples: google.com, amazon.com, booking.com
Discover how other organizations configure their email authentication
Frequently checked
Reject policy + valid SPF
Also using reject
Showing domains checked by our users. All data is from public DNS records.
We analyze your domain's email authentication: DMARC policy and alignment, SPF record and includes, and BIMI logo and certificate status when present.
Healthy authentication improves delivery and blocks spoofing. Major inbox providers increasingly expect DMARC and aligned SPF/DKIM from senders.
This check shows a snapshot. With DMARCTrust, you get continuous monitoring of your DMARC reports and DNS records, with instant alerts when something changes.
We use cookies to enhance your experience, analyze site traffic, and for marketing purposes. You can choose which cookies to allow. Learn more in our Cookie Policy.
Manage your cookie preferences below. Essential cookies are always active as they are required for the website to function.
Required for the website to function. Cannot be disabled.
Help us understand how visitors interact with our website.
Used to measure advertising effectiveness and show relevant ads.
Learn more about how we use cookies in our Cookie Policy.