BetaSPFWise is in beta, and every feature is free until it ends. More information after you sign up.

Email Authentication Report for wise.com

A live look at how wise.com configures SPF, DKIM, DMARC, and transport security, with the grade explained.

A+

wise.com

95 out of 100

Scanned: Jul 6, 2026, 1:16 PM

Why this score

The score starts at 100. Every issue below subtracts points based on how much it hurts your deliverability or lets someone spoof you.

Starting score
100
SPFEnds with ~all (softfail).
-5
Your score
95
  • SPF

    -5Pass
    • -5

      Ends with ~all (softfail).

      A softfail asks receivers to accept mail from unlisted senders but flag it, so spoofed messages can still reach the inbox.

      How to fix: Move to -all after confirming that all of your senders are included, so unauthorized mail is rejected.

    DNS lookups6 / 10
    v=spf1 include:_u.wise.com._spf.smart.ondmarc.com ~all
    allQualifier
    ~
  • DKIM

    Pass
    • DKIM is set up (7 valid selector(s) found).

      At least one valid signing key was found, so your outgoing mail can be signed and verified by receivers.

    selectors
    google, s1, s2, k1, mandrill, zendesk1, zendesk2
    keyType
    rsa
    keyBits
    2048
  • DMARC

    Pass
    • Policy is p=reject (strongest).

      Reject tells receivers to refuse any mail that fails authentication, the strongest protection against spoofing.

    • Aggregate reporting is enabled.

      A rua address is set, so you receive daily reports showing every source that sends as your domain.

    • DMARC is present and enforced.

      A valid DMARC record was found with an enforcing policy, so receivers act on mail that fails authentication.

    v=DMARC1; p=reject; adkim=r; pct=100; fo=1; ri=3600; rua=mailto:bb3c5ff6@inbox.ondmarc.com; ruf=mailto:bb3c5ff6@inbox.ondmarc.com;
    policy
    reject
    subdomainPolicy
    reject
    pct
    100
    rua
    mailto:bb3c5ff6@inbox.ondmarc.com
    adkim
    r
    aspf
    r
  • MX

    Pass
    • MX is configured (5 mail server(s)).

      Your domain has MX records and every listed mail server resolves to an IP address, so it can receive mail.

    mxHosts
    aspmx.l.google.com (1), alt1.aspmx.l.google.com (5), alt2.aspmx.l.google.com (5), aspmx2.googlemail.com (10), aspmx3.googlemail.com (10)
    mxCount
    5
  • Blacklist

    Pass
    • Not on any checked blocklist.

      Your mail server IPs were not found on the public blocklists we checked. Reputation can change, so it is worth monitoring over time.

    ipsChecked
    142.250.147.27, 192.178.211.27, 192.178.158.26
    blocklists
    bl.spamcop.net, dnsbl.sorbs.net

Optional enhancements

Advanced, nice-to-have features. Setting these up (or not) does not change your grade.

  • DNSSEC

    Optional
    • DNSSEC is not enabled.

      DNSSEC is optional, but it protects against DNS spoofing by letting resolvers confirm your records are authentic. Most domains still do not use it.

      How to fix: If your DNS provider and registrar support it, enable DNSSEC to protect your domain from DNS tampering.

  • MTA-STS

    Pass
    • MTA-STS is enforcing.

      Your MTA-STS policy is in enforce mode, so sending servers refuse to deliver to your domain over an untrusted or unencrypted connection.

    mode
    enforce
    maxAge
    1209600
  • TLS-RPT

    Pass
    • TLS reporting is enabled.

      Your TLS-RPT record is valid, so receivers can report TLS delivery failures to you.

    v=TLSRPTv1; rua=mailto:bb3c5ff6@inbox.ondmarc.com;
    rua
    mailto:bb3c5ff6@inbox.ondmarc.com
  • BIMI

    Pass
    • BIMI is set up.

      Your BIMI record is valid, DMARC is enforced, and a Verified Mark Certificate is present, so supporting inboxes can show your logo.

    v=BIMI1; l=https://vmc.digicert.com/cf07d5cc-9840-4c18-b827-b522a0c60015.svg; a=https://vmc.digicert.com/cf07d5cc-9840-4c18-b827-b522a0c60015.pem;
    logo
    https://vmc.digicert.com/cf07d5cc-9840-4c18-b827-b522a0c60015.svg
    vmc
    https://vmc.digicert.com/cf07d5cc-9840-4c18-b827-b522a0c60015.pem

This report examines the email authentication configuration of wise.com as published in public DNS. Financial brands are a frequent target for spoofing and fraud, so a clear DMARC policy and aligned SPF and DKIM matter more here than almost anywhere.

The checks behind the grade

The score above reflects the public DNS records for wise.com at the time of the scan. SPF declares which servers may send mail for the domain, DKIM signs each message so tampering can be detected, and DMARC combines both with a published policy. Additional transport-security records raise the grade by securing the delivery path between mail servers.

About this report

This report is generated from publicly available DNS records for wise.com and is provided for informational and educational purposes only. SPFWise is not affiliated with, endorsed by, or connected to the owner of wise.com. The records shown are the same ones any mail server can query, and the grade updates automatically as they change.

Want the same breakdown for your own domain? Run a free scan to get an identical grade along with the exact records to fix anything that is weak.

Check your own domain

Run a free scan and get your grade with the exact records to fix.

Scan a domain

Guides to fix common issues