Alan Berger logo

alanberger.me.uk

HOME ABOUT MUSIC EMAIL CONTACT APPS B2
DNS Email Security Report
alanberger.me.uk
Generated 2026-06-19 09:15:01 UTC
Overall posture: 1 warning(s) — no critical issues 8 pass  /  1 warn  /  0 fail
Pass — correctly configured
Warning — present but suboptimal
Fail — missing or critically misconfigured
MX Records ✓ PASS

MX records are present. This domain can receive email.

  • 0 batfinkmail.alanberger.me.uk.
SPF Record ✓ PASS

SPF record is valid with 0 DNS lookup(s) (limit is 10, RFC 7208). Authorised senders are correctly defined.

  • v=spf1 ip4:46.224.51.153 ip6:2a01:4f8:1c18:2c1a::1 -all
  • DNS Lookups: 0/10
DKIM Record (selectors: batfinkmail, karatemail) ✓ PASS

DKIM signing key found. Outbound mail can be cryptographically signed, allowing receivers to verify it was not tampered with in transit.

  • batfinkmail: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2Sv6v1ke2rk8L6VP1O26ajbTNxV2vbgSh6ZFkAyzvkaHR0BSOsBtiiv+VY/SQDCKBHXE4NiZIyw8zglm7aGPvbI4lgdQitAzqYZ5ZM+An/k/qjcu/8YaKo26aFwzZ1MFILzv2qUcyuM6kIINcEQsLQ5jaQ0I/0ZszXDK8QVFq0tiYmlPVT46/PODmhgBlQK2t" "DOwoMxN4UumbdMmZx9G1JHHy5XF7SVQJpXZ8xXtOm0Bg4qe+UuNvVb0creHYFP1YGRRdlA2DjY5VRE+iE3Y29FDwdZimoh60W+Yk0aaEaEfmfH6iuouaQmGbaFWpoX9egdvO2ftjbyzkQq3Jh/MzwIDAQAB
  • karatemail: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0WSUun9X5tnxMI88QWbIrl8B1wPD6kh0dmXcx906UjjXjod3+5X8YN+w3UnKNibMPmuWwRhhJFb+GTNcLhrf+YTYLo/V2lWyFILN1EJIw4B+rYZ4OLnu5j/A9jUZ5OEwruqwf/EwT8K7g8GrcMPSHWGme07aIQlMJZnGJbu55Erf9gV0O3/mg5HxOUEGFJ9Ou" "Q6wCf8WsKT+HpSxsyrep8V9tvYrDU6xSpMAfjB3cPuW9f9LhtMcfe3cPZ+yzE8TXUIr6WDZ+Htrvb7EvMI3dnPG7JlTIXlrFD0AnpcyHmfWV32U//vDrI+r6DRJhmdjJZFbf+Dbm1tkjS+KVV4pvwIDAQAB
DMARC Record ✓ PASS

Strong DMARC enforcement (p=reject) with strict SPF and DKIM alignment. Spoofed or unauthenticated mail is rejected outright. This is the most secure posture.

  • v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;pct=100;fo=1;rf=afrf;ri=86400;rua=mailto:svxncyul@ag.eu.dmarcian.com,mailto:fdb3ffde704144e784647ca7f0ac1bb5@dmarc-reports.cloudflare.net,mailto:dma@alanberger.me.uk;ruf=mailto:svxncyul@fr.eu.dmarcian.com,mailto:" "dma@alanberger.me.uk
  • Policy=REJECT, ASPF=S, ADKIM=S
MTA-STS Record ✓ PASS

MTA-STS policy is active in enforce mode with correct MX alignment. Sending mail servers must use valid TLS when delivering to this domain.

  • v=STSv1; id=202602160902
  • Mode: enforce — sending MTAs must establish valid TLS or the message is rejected
  • max_age: 15768000s — receiving MTAs will cache this policy for 182 day(s)
  • MX pattern 'batfinkmail.alanberger.me.uk': matches DNS MX record ✓
DNSSEC ✓ PASS

DNSSEC is enabled and DNSKEY records are published. DNS responses can be cryptographically verified.

  • Found 2 DNSKEY record(s)
  • 256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWz JaOau8XNEZeqCYKD5ar0IRd8KqXXFJkq mVfRvMGPmM1x8fGAa2XhSA==
  • 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0d xCjjnopKl+GqJxpVXckHAeF+KkxLbxIL fDLUT0rAK9iUzy1L53eKGQ==
  • DNSSEC validation: basic structure OK
DANE Record ✓ PASS

DANE is correctly configured. The mail server certificate is pinned in DNS and validates against the live certificate.

  • Mail server: batfinkmail.alanberger.me.uk
  • 3 1 1 744db41a248cad4d932b5b004877280f9b49a132207e80069e121f7a9c949308
  • TLSA format: usage=DANE-EE, selector=Public Key, type=SHA-256
  • Certificate public key fetched from batfinkmail.alanberger.me.uk:25
  • DNS TLSA hash: 744db41a248cad4d932b5b004877280f9b49a132207e80069e121f7a9c949308
  • Cert hash: 744db41a248cad4d932b5b004877280f9b49a132207e80069e121f7a9c949308
  • ✓ Certificate hash matches TLSA record
CAA Record ✓ PASS

CAA is correctly configured. Certificate issuance is restricted to authorized CA(s) and wildcard issuance is controlled.

  • 0 iodef "mailto:security@alanberger.me.uk
  • 0 issue "letsencrypt.org
  • ✓ Authorized CA(s) found: letsencrypt.org
  • ✓ Violation reporting configured: mailto:security@alanberger.me.uk
BIMI Record ⚠ WARNING

BIMI is partially configured. Without a VMC or CMC the logo will only display in providers that support self-asserted BIMI (Yahoo, Fastmail). Gmail and Apple Mail require a VMC.

  • v=BIMI1; l=https://alanberger.me.uk/bimi/bimilogo.svg; avp=brand;
  • No VMC (a=) in BIMI record — logo will not display in Gmail or Apple Mail. Yahoo and Fastmail support self-asserted BIMI without a VMC.
  • Logo SVG accessible at https://alanberger.me.uk/bimi/bimilogo.svg
  • SVG passes all required BIMI Tiny P/S checks
HOW TO FIX
  • A Verified Mark Certificate (VMC) or Common Mark Certificate (CMC) is required by Gmail and Apple Mail. VMCs or CMCs are issued by DigiCert and in the case of a VMC, require your logo to be a registered trademark.They cost an extortionate amount of money per year.
  • Without a VMC or CMC, BIMI should still function on Yahoo Mail and Fastmail — However this may depend on building trust or they may have changed policy altogether, useful for testing and for reaching users on those platforms.
  • To add a VMC or CMC later: obtain one from DigiCert, host the .pem file over HTTPS, and add a=<url> to your BIMI DNS record.
Generated by check_dns — MX · SPF · DKIM · DMARC · MTA-STS · DNSSEC · DANE · CAA · BIMI