BetaSPFWise is in beta, and every feature is free until it ends. More information after you sign up.

Email Authentication Report for microsoft.com

A live look at how microsoft.com configures SPF, DKIM, DMARC, and transport security, with the grade explained.

A+

microsoft.com

95 out of 100

Scanned: Jul 6, 2026, 1:13 PM

Why this score

The score starts at 100. Every issue below subtracts points based on how much it hurts your deliverability or lets someone spoof you.

Starting score
100
DKIMDKIM key is only 1024-bit.
-5
Your score
95
  • SPF

    Pass
    • Ends with -all (hardfail).

      A hardfail tells receivers to reject any sender that is not listed. This is the strongest and recommended setting.

    • SPF is present and correctly configured.

      A single SPF record was found, it stays within the DNS lookup limit, and it ends with a strong all qualifier.

    DNS lookups7 / 10
    v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.msft.net include:_spf1-meo.microsoft.com -all
    allQualifier
    -
  • DKIM

    -5Warning
    • -5

      DKIM key is only 1024-bit.

      A 1024-bit RSA key is below the modern standard of 2048-bit and is easier to break. Some receivers already ignore keys this short.

      How to fix: Rotate to a 2048-bit key with your email provider and publish the new public key.

    selectors
    selector2
    keyType
    rsa
    keyBits
    1024
    Read the DKIM guide
  • DMARC

    Pass
    • Policy is p=reject (strongest).

      Reject tells receivers to refuse any mail that fails authentication, the strongest protection against spoofing.

    • Aggregate reporting is enabled.

      A rua address is set, so you receive daily reports showing every source that sends as your domain.

    • DMARC is present and enforced.

      A valid DMARC record was found with an enforcing policy, so receivers act on mail that fails authentication.

    v=DMARC1; p=reject; pct=100; rua=mailto:itex-rua@microsoft.com; ruf=mailto:itex-ruf@microsoft.com; fo=1
    policy
    reject
    subdomainPolicy
    reject
    pct
    100
    rua
    mailto:itex-rua@microsoft.com
    adkim
    r
    aspf
    r
  • MX

    Pass
    • MX is configured (1 mail server(s)).

      Your domain has MX records and every listed mail server resolves to an IP address, so it can receive mail.

    mxHosts
    microsoft-com.mail.protection.outlook.com (10)
    mxCount
    1
  • Blacklist

    Pass
    • Not on any checked blocklist.

      Your mail server IPs were not found on the public blocklists we checked. Reputation can change, so it is worth monitoring over time.

    ipsChecked
    52.101.50.10, 52.101.9.5, 52.101.41.183
    blocklists
    bl.spamcop.net, dnsbl.sorbs.net

Optional enhancements

Advanced, nice-to-have features. Setting these up (or not) does not change your grade.

  • DNSSEC

    Optional
    • DNSSEC is not enabled.

      DNSSEC is optional, but it protects against DNS spoofing by letting resolvers confirm your records are authentic. Most domains still do not use it.

      How to fix: If your DNS provider and registrar support it, enable DNSSEC to protect your domain from DNS tampering.

  • MTA-STS

    Pass
    • MTA-STS is enforcing.

      Your MTA-STS policy is in enforce mode, so sending servers refuse to deliver to your domain over an untrusted or unencrypted connection.

    mode
    enforce
    maxAge
    604800
  • TLS-RPT

    Pass
    • TLS reporting is enabled.

      Your TLS-RPT record is valid, so receivers can report TLS delivery failures to you.

    v=TLSRPTv1;rua=https://tlsrpt.azurewebsites.net/report
    rua
    https://tlsrpt.azurewebsites.net/report
  • BIMI

    Optional
    • BIMI is not set up.

      BIMI is optional. It shows your logo next to your emails in supporting inboxes, but it needs an enforced DMARC policy and, for Gmail and Apple Mail, a Verified Mark Certificate (VMC).

      How to fix: With DMARC at quarantine or reject, publish a BIMI TXT record at default._bimi pointing to a square SVG logo, and add a VMC to display it in Gmail and Apple Mail.

    Read the BIMI guide

Below is a live view of the email authentication records published for microsoft.com. Technology brands are among the most impersonated in phishing, which makes the SPF, DKIM, and DMARC configuration on a domain like this worth understanding in detail.

How to read the grade

Everything above is computed live from the records microsoft.com publishes right now. A strong result means SPF authorizes the correct senders, DKIM signs outgoing mail with a valid key, and DMARC sets a policy that instructs receivers on how to handle failures. Where a check is weak, the report shows the exact record involved so the gap is easy to understand.

About this report

This report is generated from publicly available DNS records for microsoft.com and is provided for informational and educational purposes only. SPFWise is not affiliated with, endorsed by, or connected to the owner of microsoft.com. The records shown are the same ones any mail server can query, and the grade updates automatically as they change.

Want the same breakdown for your own domain? Run a free scan to get an identical grade along with the exact records to fix anything that is weak.

Check your own domain

Run a free scan and get your grade with the exact records to fix.

Scan a domain

Guides to fix common issues