BetaSPFWise is in beta, and every feature is free until it ends. More information after you sign up.

Email Authentication Report for notion.so

A live look at how notion.so configures SPF, DKIM, DMARC, and transport security, with the grade explained.

A

notion.so

85 out of 100

Scanned: Jul 6, 2026, 1:25 PM

Why this score

The score starts at 100. Every issue below subtracts points based on how much it hurts your deliverability or lets someone spoof you.

Starting score
100
SPFEnds with ~all (softfail).
-5
DMARCPolicy is p=quarantine.
-5
MXNo MX records found.
-5
Your score
85
  • SPF

    -5Pass
    • -5

      Ends with ~all (softfail).

      A softfail asks receivers to accept mail from unlisted senders but flag it, so spoofed messages can still reach the inbox.

      How to fix: Move to -all after confirming that all of your senders are included, so unauthorized mail is rejected.

    DNS lookups0 / 10
    v=spf1 ~all
    allQualifier
    ~
  • DKIM

    Warning
    • No DKIM record found at common selectors.

      DKIM selectors cannot be listed from DNS, so we checked the widely used ones and found none for notion.so. Your mail may still sign with a custom selector, but if it does not, receivers cannot confirm your messages were not tampered with in transit.

      How to fix: Enable DKIM signing in your email provider, then publish the selector TXT record it gives you at <selector>._domainkey.notion.so.

    selectorsChecked
    47
    Read the DKIM guide
  • DMARC

    -5Pass
    • -5

      Policy is p=quarantine.

      Quarantine sends failing mail to the spam folder rather than rejecting it. That is good protection, but not the strongest.

      How to fix: Advance to p=reject once you are confident that every legitimate source passes.

    • Aggregate reporting is enabled.

      A rua address is set, so you receive daily reports showing every source that sends as your domain.

    • DMARC is present and enforced.

      A valid DMARC record was found with an enforcing policy, so receivers act on mail that fails authentication.

    v=DMARC1; p=quarantine; pct=100; rua=mailto:re+1b3a27dd30bc@inbound.dmarcdigests.com;
    policy
    quarantine
    subdomainPolicy
    quarantine
    pct
    100
    rua
    mailto:re+1b3a27dd30bc@inbound.dmarcdigests.com
    adkim
    r
    aspf
    r
  • MX

    -5Warning
    • -5

      No MX records found.

      Without MX records, other servers do not know where to deliver mail for notion.so. If the domain only sends mail this can be intentional, but if you expect to receive mail, delivery fails or falls back to your A record.

      How to fix: Add the MX records your email provider lists in its setup guide, pointing to its mail servers.

    Read the MX guide
  • Blacklist

    Pass
    • Not on any checked blocklist.

      Your mail server IPs were not found on the public blocklists we checked. Reputation can change, so it is worth monitoring over time.

    ipsChecked
    208.103.161.2, 208.103.161.1
    blocklists
    bl.spamcop.net, dnsbl.sorbs.net

Optional enhancements

Advanced, nice-to-have features. Setting these up (or not) does not change your grade.

  • DNSSEC

    Optional
    • DNSSEC is not enabled.

      DNSSEC is optional, but it protects against DNS spoofing by letting resolvers confirm your records are authentic. Most domains still do not use it.

      How to fix: If your DNS provider and registrar support it, enable DNSSEC to protect your domain from DNS tampering.

  • MTA-STS

    Optional
    • MTA-STS is not set up.

      MTA-STS is optional but recommended. It tells sending servers to require TLS when delivering mail to you, which blocks downgrade and man-in-the-middle attacks on your inbound mail.

      How to fix: Publish a _mta-sts TXT record and host a policy at https://mta-sts.<yourdomain>/.well-known/mta-sts.txt with mode enforce.

    Read the MTA-STS guide
  • TLS-RPT

    Optional
    • TLS reporting (TLS-RPT) is not set up.

      TLS-RPT is optional. It asks receivers to send you reports when TLS fails while delivering your mail, which is how you catch MTA-STS or certificate problems before they hurt delivery.

      How to fix: Publish a _smtp._tls TXT record with v=TLSRPTv1 and a rua address, for example rua=mailto:tlsrpt@yourdomain.

    Read the TLS-RPT guide
  • BIMI

    Pass
    • BIMI is set up.

      Your BIMI record is valid, DMARC is enforced, and a Verified Mark Certificate is present, so supporting inboxes can show your logo.

    v=BIMI1; l=https://vmc.digicert.com/ae66f82a-dd47-4f08-9fd9-fd865f1d0b30.svg; a=https://vmc.digicert.com/ae66f82a-dd47-4f08-9fd9-fd865f1d0b30.pem
    logo
    https://vmc.digicert.com/ae66f82a-dd47-4f08-9fd9-fd865f1d0b30.svg
    vmc
    https://vmc.digicert.com/ae66f82a-dd47-4f08-9fd9-fd865f1d0b30.pem

Here is how notion.so has set up SPF, DKIM, and DMARC for the mail it sends. For a service that relies on notifications, invoices, and account alerts reaching users, these records are core infrastructure rather than an afterthought.

What this report checks

The grade above is derived directly from what notion.so publishes in DNS, so it reflects the domain exactly as a receiving mail server sees it. SPF lists the servers allowed to send on the domain's behalf. DKIM adds a cryptographic signature that proves a message was not altered in transit. DMARC ties the two together and tells receivers what to do when a message fails both checks. Transport records such as MTA-STS and TLS-RPT add a further layer by protecting the connection itself.

About this report

This report is generated from publicly available DNS records for notion.so and is provided for informational and educational purposes only. SPFWise is not affiliated with, endorsed by, or connected to the owner of notion.so. The records shown are the same ones any mail server can query, and the grade updates automatically as they change.

Want the same breakdown for your own domain? Run a free scan to get an identical grade along with the exact records to fix anything that is weak.

Check your own domain

Run a free scan and get your grade with the exact records to fix.

Scan a domain

Guides to fix common issues