authex

Domain Security Report

microsoft.com

Scan Date

Monday, March 30, 2026

Report ID

D41C4C3B

“Over 90% of cyber attacks begin with email. Authentication is not optional anymore, it is your first line of defense.”

Hemanth Vishnu Akula

Founder & CEO, Authex

Section 01

Executive Summary

Your domain is well protected. SPF, DKIM, and DMARC are configured and enforcing. unauthorized emails are rejected.

Protocol Dashboard

Protocol	Status	Score
DMARC	Enforced	32 / 35
SPF	Hard Fail (-all)	23 / 25
DKIM	2 keys found	17 / 20
MTA-STS	Enforced	10 / 10
TLS-RPT	Configured	5 / 5
BIMI	Not Found	0 / 5

Top Priority Actions

BIMI: Publish a BIMI record with your brand SVG logo. Requires DMARC at p=quarantine or p=reject with pct=100.
DKIM: Upgrade DKIM key to 2048-bit for stronger cryptographic security.

Section 02

Compliance Readiness

Assessment of microsoft.com against major email security compliance frameworks.

Framework	Reference	Requirements	Status
PCI DSS 4.0	Req 5.4.1	DMARC + SPF + DKIM	Compliant
Google / Yahoo Bulk Sender	2024 Requirements	DMARC + SPF + DKIM	Compliant
NIST SP 800-177	Rev. 1	SPF + DKIM + DMARC	Compliant
CISA BOD 18-01	Binding Operational Directive	DMARC (p=reject)	Compliant
Cyber Essentials	UK NCSC	DMARC + SPF	Compliant

Section 03

DMARC. Domain-based Message Authentication, Reporting & Conformance

EnforcedRFC 7489

32 / 35

DMARC policy is set to reject, providing maximum protection against spoofing.

Configuration Details

Policy	reject
Percentage	100%
Aggregate Reporting	mailto:itex-rua@microsoft.com
Forensic Reporting	mailto:itex-ruf@microsoft.com
DKIM Alignment	relaxed
SPF Alignment	relaxed

DNS Record

v=DMARC1; p=reject; pct=100; rua=mailto:itex-rua@microsoft.com; ruf=mailto:itex-ruf@microsoft.com; fo=1

Section 04

SPF. Sender Policy Framework

Hard Fail (-all)RFC 7208

23 / 25

SPF record found with 6 DNS lookups and -all.

Configuration Details

All Mechanism	-all (hard fail)
DNS Lookups	6/10
Record Length	158 bytes

DNS Record

v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.msft.net include:_spf1-meo.microsoft.com -all

Section 05

DKIM. DomainKeys Identified Mail

2 keys foundRFC 6376

17 / 20

2 DKIM keys found (selector2, m1).

Configuration Details

Selectors	selector2, m1
Key Length	~1024 bit
Algorithm	rsa-sha256

DNS Record

selector2._domainkey:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCPkb8bu8RGWeJGk3hJrouZXIdZ+HTp/azRp8IUOHp5wKvPUAi/54PwuLscUjRk4Rh3hjIkMpKRfJJXPxWbrT7eMLric7f/S0h+qF4aqIiQqHFCDAYfMnN6V3Wbke2U5EGm0H/cAUYkaf2Atu...

m1._domainkey:
v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCDlTwvKeX9QjSGmGjOV8K4Gfq7f/1jM36C0DiPUPxvrYFyi3mQ9AWZldW0C4H4c3rE8/Z0epwL91JNGK0OgjH2OI+cHM1nMeKpkbod9glOHLlyphmONQHBPNtR/Cm8t1sSSDbSJoKybjQ1HmGk...

Recommendation: Upgrade DKIM key to 2048-bit for stronger cryptographic security.

Section 06

Transport Security

Transport-layer email security protocols that protect messages in transit between mail servers.

MTA-STS — Mail Transfer Agent Strict Transport Security

EnforcedRFC 8461

10 / 10

MTA-STS is enforced for microsoft.com. Sending servers must use TLS when delivering email.

Policy ID	20190225000000Z
Policy File	accessible
Mode	enforce
Max Age	604800s (7d)
MX Match	policy MX matches actual MX

v=STSv1; id=20190225000000Z;

TLS-RPT — TLS Reporting

ConfiguredRFC 8460

5 / 5

TLS-RPT is configured for microsoft.com. Reports on TLS delivery failures will be sent to https://tlsrpt.azurewebsites.net/report.

Report URI

https://tlsrpt.azurewebsites.net/report

v=TLSRPTv1;rua=https://tlsrpt.azurewebsites.net/report

BIMI — Brand Indicators for Message Identification

Not FoundRFC 9495

0 / 5

No BIMI record found for microsoft.com. Brand logo will not appear in supporting email clients.

Recommendation: Publish a BIMI record with your brand SVG logo. Requires DMARC at p=quarantine or p=reject with pct=100.

Section 07

Remediation Plan

Prioritized findings and recommended fixes. These can be implemented by your internal IT team, or you can use Authex to monitor, manage, and automate these changes with our AI-powered platform starting at $9/domain per month.

#	Protocol	Finding	Severity	Fix
1	BIMI	Not Found	High	Publish a BIMI record with your brand SVG logo. Requires DMARC at p=quarantine or p=reject with pct=100.
2	DKIM	2 keys found	Low	Upgrade DKIM key to 2048-bit for stronger cryptographic security.

Need help fixing these?

Authex continuously monitors your email authentication, detects misconfigurations, and helps you fix them. Our AI agent handles SPF flattening, DKIM rotation, and DMARC enforcement automatically. DIY plans start at $9/domain. Managed plans include a dedicated security engineer. Visit authex.online to get started with a free scan.

Section 08

Scoring Methodology

Protocol Weights

Protocol	Max Points	Weight
DMARC	35	35%
SPF	25	25%
DKIM	20	20%
MTA-STS	10	10%
TLS-RPT	5	5%
BIMI	5	5%

Grade Scale

Grade	Score Range
A+	95 - 100
A	85 - 94
B	70 - 84
C	50 - 69
D	30 - 49
F	0 - 29

authex

Generated by Authex. authex.online

Mon, 30 Mar 2026 22:53:49 GMT