authex

Domain Security Report

amazonaws.com

Scan Date

Monday, March 30, 2026

Report ID

BB5E630C

“Over 90% of cyber attacks begin with email. Authentication is not optional anymore, it is your first line of defense.”

Hemanth Vishnu Akula

Founder & CEO, Authex

Section 01

Executive Summary

Good progress. SPF and DKIM are in place. DKIM needs attention to complete your protection.

Protocol Dashboard

Protocol	Status	Score
DMARC	Quarantine	27 / 35
SPF	Soft Fail (~all)	21 / 25
DKIM	Not Detected	0 / 20
MTA-STS	Not Configured	0 / 10
TLS-RPT	Not Configured	0 / 5
BIMI	Not Found	0 / 5

Top Priority Actions

DKIM: Ensure your email provider has published DKIM keys. If using a custom selector, DKIM may still be active.
MTA-STS: Publish an MTA-STS TXT record and host a policy file at https://mta-sts.yourdomain/.well-known/mta-sts.txt.
TLS-RPT: Publish a TLS-RPT record to receive reports when sending servers fail to establish encrypted connections.

Section 02

Compliance Readiness

Assessment of amazonaws.com against major email security compliance frameworks.

Framework	Reference	Requirements	Status
PCI DSS 4.0	Req 5.4.1	DMARC + SPF + DKIM	Partial
Google / Yahoo Bulk Sender	2024 Requirements	DMARC + SPF + DKIM	Partial
NIST SP 800-177	Rev. 1	SPF + DKIM + DMARC	Partial
CISA BOD 18-01	Binding Operational Directive	DMARC (p=reject)	Non-Compliant
Cyber Essentials	UK NCSC	DMARC + SPF	Compliant

Section 03

DMARC. Domain-based Message Authentication, Reporting & Conformance

QuarantineRFC 7489

27 / 35

DMARC policy is set to quarantine. Suspicious emails are filtered but not blocked outright.

Configuration Details

Policy	quarantine
Percentage	100%
Aggregate Reporting	mailto:aws-marketing-email-dmarc-rua-reports@dmarc.amazonaws.com
Forensic Reporting	mailto:aws-marketing-email-dmarc-ruf-reports@dmarc.amazonaws.com
Subdomain Policy	none
DKIM Alignment	relaxed
SPF Alignment	relaxed

DNS Record

v=DMARC1; p=quarantine; sp=none; pct=100; rua=mailto:aws-marketing-email-dmarc-rua-reports@dmarc.amazonaws.com; ruf=mailto:aws-marketing-email-dmarc-ruf-reports@dmarc.amazonaws.com

Recommendation: Consider escalating to p=reject once compliance is consistently above 98%.

Section 04

SPF. Sender Policy Framework

Soft Fail (~all)RFC 7208

21 / 25

SPF record found with 2 DNS lookups and ~all.

Configuration Details

All Mechanism	~all (soft fail)
DNS Lookups	2/10
Record Length	30 bytes

DNS Record

v=spf1 include:amazon.com ~all

Recommendation: Consider tightening to -all for stricter enforcement alongside your DMARC policy.

Section 05

DKIM. DomainKeys Identified Mail

Not DetectedRFC 6376

0 / 20

No DKIM record found for common selectors on amazonaws.com. DKIM may use a custom selector that could not be auto-detected.

Recommendation: Ensure your email provider has published DKIM keys. If using a custom selector, DKIM may still be active.

Section 06

Transport Security

Transport-layer email security protocols that protect messages in transit between mail servers.

MTA-STS — Mail Transfer Agent Strict Transport Security

Not ConfiguredRFC 8461

0 / 10

No MTA-STS record found for amazonaws.com. Inbound SMTP connections are vulnerable to TLS downgrade attacks.

Recommendation: Publish an MTA-STS TXT record and host a policy file at https://mta-sts.yourdomain/.well-known/mta-sts.txt.

TLS-RPT — TLS Reporting

Not ConfiguredRFC 8460

0 / 5

No TLS-RPT record found for amazonaws.com. TLS delivery failures are invisible.

Recommendation: Publish a TLS-RPT record to receive reports when sending servers fail to establish encrypted connections.

BIMI — Brand Indicators for Message Identification

Not FoundRFC 9495

0 / 5

No BIMI record found for amazonaws.com. Brand logo will not appear in supporting email clients.

Recommendation: Publish a BIMI record with your brand SVG logo. Requires DMARC at p=quarantine or p=reject with pct=100.

Section 07

Remediation Plan

Prioritized findings and recommended fixes. These can be implemented by your internal IT team, or you can use Authex to monitor, manage, and automate these changes with our AI-powered platform starting at $9/domain per month.

#	Protocol	Finding	Severity	Fix
1	DKIM	Not Detected	High	Ensure your email provider has published DKIM keys. If using a custom selector, DKIM may still be active.
2	MTA-STS	Not Configured	High	Publish an MTA-STS TXT record and host a policy file at https://mta-sts.yourdomain/.well-known/mta-sts.txt.
3	TLS-RPT	Not Configured	High	Publish a TLS-RPT record to receive reports when sending servers fail to establish encrypted connections.
4	BIMI	Not Found	High	Publish a BIMI record with your brand SVG logo. Requires DMARC at p=quarantine or p=reject with pct=100.
5	DMARC	Quarantine	Low	Consider escalating to p=reject once compliance is consistently above 98%.
6	SPF	Soft Fail (~all)	Low	Consider tightening to -all for stricter enforcement alongside your DMARC policy.

Need help fixing these?

Authex continuously monitors your email authentication, detects misconfigurations, and helps you fix them. Our AI agent handles SPF flattening, DKIM rotation, and DMARC enforcement automatically. DIY plans start at $9/domain. Managed plans include a dedicated security engineer. Visit authex.online to get started with a free scan.

Section 08

Scoring Methodology

Protocol Weights

Protocol	Max Points	Weight
DMARC	35	35%
SPF	25	25%
DKIM	20	20%
MTA-STS	10	10%
TLS-RPT	5	5%
BIMI	5	5%

Grade Scale

Grade	Score Range
A+	95 - 100
A	85 - 94
B	70 - 84
C	50 - 69
D	30 - 49
F	0 - 29

authex

Generated by Authex. authex.online

Mon, 30 Mar 2026 22:53:51 GMT