Good progress. SPF and DKIM are in place. DKIM needs attention to complete your protection.
| Protocol | Status | Score |
|---|---|---|
| DMARC | Enforced | 32 / 35 |
| SPF | Configured | 17 / 25 |
| DKIM | Key Revoked | 10 / 20 |
| MTA-STS | Testing Mode | 7 / 10 |
| TLS-RPT | Configured | 5 / 5 |
| BIMI | Not Found | 0 / 5 |
Assessment of facebook.com against major email security compliance frameworks.
| Framework | Reference | Requirements | Status |
|---|---|---|---|
| PCI DSS 4.0 | Req 5.4.1 | DMARC + SPF + DKIM | Partial |
| Google / Yahoo Bulk Sender | 2024 Requirements | DMARC + SPF + DKIM | Partial |
| NIST SP 800-177 | Rev. 1 | SPF + DKIM + DMARC | Partial |
| CISA BOD 18-01 | Binding Operational Directive | DMARC (p=reject) | Compliant |
| Cyber Essentials | UK NCSC | DMARC + SPF | Compliant |
DMARC policy is set to reject, providing maximum protection against spoofing.
| Policy | reject |
| Percentage | 100% |
| Aggregate Reporting | mailto:a@dmarc.facebookmail.com |
| Forensic Reporting | mailto:fb-dmarc@datafeeds.phishlabs.com |
| DKIM Alignment | relaxed |
| SPF Alignment | relaxed |
SPF record found with 1 DNS lookup and no all mechanism.
| All Mechanism | not specified |
| DNS Lookups | 1/10 |
| Record Length | 33 bytes |
DKIM key at selector "default" is revoked. Messages cannot be verified with this key.
| Selector | default |
| Algorithm | rsa-sha256 |
| Status | REVOKED (empty p= tag) |
Transport-layer email security protocols that protect messages in transit between mail servers.
MTA-STS DNS record exists for facebook.com. Policy mode: testing.
| Policy ID | 20191202T113700 |
| Policy File | accessible |
| Mode | testing |
| Max Age | 86400s (below recommended 7d) |
| MX Match | policy MX matches actual MX |
TLS-RPT is configured for facebook.com. Reports on TLS delivery failures will be sent to mailto:sts-reports@facebookmail.com.
| Report URI | mailto:sts-reports@facebookmail.com |
No BIMI record found for facebook.com. Brand logo will not appear in supporting email clients.
Prioritized findings and recommended fixes. These can be implemented by your internal IT team, or you can use Authex to monitor, manage, and automate these changes with our AI-powered platform starting at $9/domain per month.
| # | Protocol | Finding | Severity | Fix |
|---|---|---|---|---|
| 1 | DKIM | Key Revoked | High | The DKIM key is revoked (empty p= tag). Publish a new key for this selector. |
| 2 | BIMI | Not Found | High | Publish a BIMI record with your brand SVG logo. Requires DMARC at p=quarantine or p=reject with pct=100. |
| 3 | MTA-STS | Testing Mode | Medium | Switch MTA-STS policy from testing to enforce once you have verified TLS works for all senders. |
Authex continuously monitors your email authentication, detects misconfigurations, and helps you fix them. Our AI agent handles SPF flattening, DKIM rotation, and DMARC enforcement automatically. DIY plans start at $9/domain. Managed plans include a dedicated security engineer. Visit authex.online to get started with a free scan.
| Protocol | Max Points | Weight |
|---|---|---|
| DMARC | 35 | 35% |
| SPF | 25 | 25% |
| DKIM | 20 | 20% |
| MTA-STS | 10 | 10% |
| TLS-RPT | 5 | 5% |
| BIMI | 5 | 5% |
| Grade | Score Range |
|---|---|
| A+ | 95 - 100 |
| A | 85 - 94 |
| B | 70 - 84 |
| C | 50 - 69 |
| D | 30 - 49 |
| F | 0 - 29 |