authex
Domain Security Report

cloudflare.com

B80 / 100
Scan Date
Monday, March 30, 2026
Report ID
42A9E612
“Over 90% of cyber attacks begin with email. Authentication is not optional anymore, it is your first line of defense.”
Hemanth Vishnu Akula
Founder & CEO, Authex
Section 01

Executive Summary

Your domain is well protected. SPF, DKIM, and DMARC are configured and enforcing. unauthorized emails are rejected.

Protocol Dashboard

ProtocolStatusScore
DMARCEnforced
32 / 35
SPFHard Fail (-all)
23 / 25
DKIM5 keys found
20 / 20
MTA-STSNot Configured
0 / 10
TLS-RPTNot Configured
0 / 5
BIMIConfigured with VMC
5 / 5

Top Priority Actions

  1. MTA-STS: Publish an MTA-STS TXT record and host a policy file at https://mta-sts.yourdomain/.well-known/mta-sts.txt.
  2. TLS-RPT: Publish a TLS-RPT record to receive reports when sending servers fail to establish encrypted connections.
Section 02

Compliance Readiness

Assessment of cloudflare.com against major email security compliance frameworks.

FrameworkReferenceRequirementsStatus
PCI DSS 4.0Req 5.4.1DMARC + SPF + DKIMCompliant
Google / Yahoo Bulk Sender2024 RequirementsDMARC + SPF + DKIMCompliant
NIST SP 800-177Rev. 1SPF + DKIM + DMARCCompliant
CISA BOD 18-01Binding Operational DirectiveDMARC (p=reject)Compliant
Cyber EssentialsUK NCSCDMARC + SPFCompliant
Section 03

DMARC. Domain-based Message Authentication, Reporting & Conformance

EnforcedRFC 7489
32 / 35

DMARC policy is set to reject, providing maximum protection against spoofing.

Configuration Details

Policyreject
Percentage100%
Aggregate Reportingmailto:rua@cloudflare.com,mailto:cloudflare@dmarc.area1reports.com
Forensic Reportingmailto:cloudflare@dmarc.area1reports.com
DKIM Alignmentrelaxed
SPF Alignmentrelaxed

DNS Record

v=DMARC1; p=reject; pct=100; rua=mailto:rua@cloudflare.com,mailto:cloudflare@dmarc.area1reports.com; ruf=mailto:cloudflare@dmarc.area1reports.com
Section 04

SPF. Sender Policy Framework

Hard Fail (-all)RFC 7208
23 / 25

SPF record found with 7 DNS lookups and -all.

Configuration Details

All Mechanism-all (hard fail)
DNS Lookups7/10
Record Length205 bytes

DNS Record

v=spf1 ip4:199.15.212.0/22 ip4:173.245.48.0/20 include:_spf.google.com include:spf1.mcsv.net include:spf.mandrillapp.com include:mail.zendesk.com include:stspg-customer.com include:_spf.salesforce.com -all
Section 05

DKIM. DomainKeys Identified Mail

5 keys foundRFC 6376
20 / 20

5 DKIM keys found (k1, s1, m1, mandrill, zendesk1).

Configuration Details

Selectorsk1, s1, m1, mandrill, zendesk1
Key Length2048+ bit
Algorithmrsa-sha256

DNS Record

k1._domainkey: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbNrX2cY/GUKIFx2G/1I00ftdAj713WP9AQ1xir85i89sA2guU0ta4UX1Xzm06XIU6iBP41VwmPwBGRNofhBVR+e6WHUoNyIR4Bn84LVcfZE20rmDeXQblIupNWBqLXM1Q+VieI/eZu/7k9/vOkLSaQQd... s1._domainkey: k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1m74n5R+xcz+ICbNBWRIlQeHI65Hjp67+P59XSe71jItafrcJ4/5y/UvU+uNg7KNeOcEsotGo7QvLN87hqZSZqfzVyyGnQuEUXoKPdKokD6Pa5KmJSqbA5Y/f977HpikU9Xtd7Orc7ctRL... m1._domainkey: v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApfI4XmZUuFjcKhAIW2f5dqqlYg4/7xSM953hHWXR5U2VPrfram3ZCqXIOxgvgINFxNAm4m0rxaQ2xtwknSWubFcl+yepZ5mwgBqWh/7bO1LNdOqj10lgfspWukRdI34djbEYDkFg/2A7... mandrill._domainkey: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y... zendesk1._domainkey: v=DKIM1;t=s;n=core;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9IqdLrO3Zr2/56MHt8oQVCQorP0Bl2Fz9sM2tFBnJCdB/HogQmuudEg2xAovCN2PYpw44UijIvPuBoT9vxiv6ZCBJTLJXa82r6ke5rE4tbe9NKFIrVIb9S306cJDrnKFM...
Section 06

Transport Security

Transport-layer email security protocols that protect messages in transit between mail servers.

MTA-STS Mail Transfer Agent Strict Transport Security

Not ConfiguredRFC 8461
0 / 10

No MTA-STS record found for cloudflare.com. Inbound SMTP connections are vulnerable to TLS downgrade attacks.

Recommendation: Publish an MTA-STS TXT record and host a policy file at https://mta-sts.yourdomain/.well-known/mta-sts.txt.

TLS-RPT TLS Reporting

Not ConfiguredRFC 8460
0 / 5

No TLS-RPT record found for cloudflare.com. TLS delivery failures are invisible.

Recommendation: Publish a TLS-RPT record to receive reports when sending servers fail to establish encrypted connections.
Section 07

BIMI. Brand Indicators for Message Identification

Configured with VMCRFC 9495
5 / 5

BIMI is fully configured for cloudflare.com with a brand logo and VMC certificate.

Logo URLhttps://www.cloudflare.com/cloudflare_1171114652.svg
SVG Statusaccessible
VMC Certificatehttps://www.cloudflare.com/cloudflare_1171114652.pem
DMARC Prerequisitemet
v=BIMI1; l=https://www.cloudflare.com/cloudflare_1171114652.svg; a=https://www.cloudflare.com/cloudflare_1171114652.pem
Section 08

Remediation Plan

Prioritized findings and recommended fixes. These can be implemented by your internal IT team, or you can use Authex to monitor, manage, and automate these changes with our AI-powered platform starting at $9/domain per month.

#ProtocolFindingSeverityFix
1MTA-STSNot ConfiguredHighPublish an MTA-STS TXT record and host a policy file at https://mta-sts.yourdomain/.well-known/mta-sts.txt.
2TLS-RPTNot ConfiguredHighPublish a TLS-RPT record to receive reports when sending servers fail to establish encrypted connections.
Need help fixing these?

Authex continuously monitors your email authentication, detects misconfigurations, and helps you fix them. Our AI agent handles SPF flattening, DKIM rotation, and DMARC enforcement automatically. DIY plans start at $9/domain. Managed plans include a dedicated security engineer. Visit authex.online to get started with a free scan.

Section 09

Scoring Methodology

Protocol Weights

ProtocolMax PointsWeight
DMARC3535%
SPF2525%
DKIM2020%
MTA-STS1010%
TLS-RPT55%
BIMI55%

Grade Scale

GradeScore Range
A+95 - 100
A85 - 94
B70 - 84
C50 - 69
D30 - 49
F0 - 29
authex
Generated by Authex. authex.online
Mon, 30 Mar 2026 22:53:50 GMT