authex

Domain Security Report

pv-cdn.net

Scan Date

Monday, March 30, 2026

Report ID

EB1E6B63

“Over 90% of cyber attacks begin with email. Authentication is not optional anymore, it is your first line of defense.”

Hemanth Vishnu Akula

Founder & CEO, Authex

Section 01

Executive Summary

Good progress. SPF and DKIM are in place. DKIM needs attention to complete your protection.

Protocol Dashboard

Protocol	Status	Score
DMARC	Enforced	32 / 35
SPF	Hard Fail (-all)	23 / 25
DKIM	Key Revoked	10 / 20
MTA-STS	Not Configured	0 / 10
TLS-RPT	Not Configured	0 / 5
BIMI	Not Found	0 / 5

Top Priority Actions

DKIM: The DKIM key is revoked (empty p= tag). Publish a new key for this selector.
MTA-STS: Publish an MTA-STS TXT record and host a policy file at https://mta-sts.yourdomain/.well-known/mta-sts.txt.
TLS-RPT: Publish a TLS-RPT record to receive reports when sending servers fail to establish encrypted connections.

Section 02

Compliance Readiness

Assessment of pv-cdn.net against major email security compliance frameworks.

Framework	Reference	Requirements	Status
PCI DSS 4.0	Req 5.4.1	DMARC + SPF + DKIM	Partial
Google / Yahoo Bulk Sender	2024 Requirements	DMARC + SPF + DKIM	Partial
NIST SP 800-177	Rev. 1	SPF + DKIM + DMARC	Partial
CISA BOD 18-01	Binding Operational Directive	DMARC (p=reject)	Compliant
Cyber Essentials	UK NCSC	DMARC + SPF	Compliant

Section 03

DMARC. Domain-based Message Authentication, Reporting & Conformance

EnforcedRFC 7489

32 / 35

DMARC policy is set to reject, providing maximum protection against spoofing.

Configuration Details

Policy	reject
Aggregate Reporting	mailto:report@dmarc.amazon.com
Forensic Reporting	mailto:report@dmarc.amazon.com
DKIM Alignment	relaxed
SPF Alignment	relaxed

DNS Record

v=DMARC1; p=reject; rua=mailto:report@dmarc.amazon.com; ruf=mailto:report@dmarc.amazon.com

Section 04

SPF. Sender Policy Framework

Hard Fail (-all)RFC 7208

23 / 25

SPF record found with 1 DNS lookup and -all.

Configuration Details

All Mechanism	-all (hard fail)
DNS Lookups	1/10
Record Length	11 bytes

DNS Record

v=spf1 -all

Section 05

DKIM. DomainKeys Identified Mail

Key RevokedRFC 6376

10 / 20

DKIM key at selector "google" is revoked. Messages cannot be verified with this key.

Configuration Details

Selectors	google, google2048, selector1, selector2, k1, k2, k3, s1, s2, m1, default, dkim, mail, email, smtp, key1, key2, sig1, postmark, amazonses, mandrill, mxvault, protonmail, zendesk1, fm1, fm2, fm3, cm, turbo-smtp, mailjet
Algorithm	rsa-sha256
Status	REVOKED (empty p= tag)

DNS Record

google._domainkey:
v=DKIM1; p=

google2048._domainkey:
v=DKIM1; p=

selector1._domainkey:
v=DKIM1; p=

selector2._domainkey:
v=DKIM1; p=

k1._domainkey:
v=DKIM1; p=

k2._domainkey:
v=DKIM1; p=

k3._domainkey:
v=DKIM1; p=

s1._domainkey:
v=DKIM1; p=

s2._domainkey:
v=DKIM1; p=

m1._domainkey:
v=DKIM1; p=

default._domainkey:
v=DKIM1; p=

dkim._domainkey:
v=DKIM1; p=

mail._domainkey:
v=DKIM1; p=

email._domainkey:
v=DKIM1; p=

smtp._domainkey:
v=DKIM1; p=

key1._domainkey:
v=DKIM1; p=

key2._domainkey:
v=DKIM1; p=

sig1._domainkey:
v=DKIM1; p=

postmark._domainkey:
v=DKIM1; p=

amazonses._domainkey:
v=DKIM1; p=

mandrill._domainkey:
v=DKIM1; p=

mxvault._domainkey:
v=DKIM1; p=

protonmail._domainkey:
v=DKIM1; p=

zendesk1._domainkey:
v=DKIM1; p=

fm1._domainkey:
v=DKIM1; p=

fm2._domainkey:
v=DKIM1; p=

fm3._domainkey:
v=DKIM1; p=

cm._domainkey:
v=DKIM1; p=

turbo-smtp._domainkey:
v=DKIM1; p=

mailjet._domainkey:
v=DKIM1; p=

Recommendation: The DKIM key is revoked (empty p= tag). Publish a new key for this selector.

Section 06

Transport Security

Transport-layer email security protocols that protect messages in transit between mail servers.

MTA-STS — Mail Transfer Agent Strict Transport Security

Not ConfiguredRFC 8461

0 / 10

No MTA-STS record found for pv-cdn.net. Inbound SMTP connections are vulnerable to TLS downgrade attacks.

Recommendation: Publish an MTA-STS TXT record and host a policy file at https://mta-sts.yourdomain/.well-known/mta-sts.txt.

TLS-RPT — TLS Reporting

Not ConfiguredRFC 8460

0 / 5

No TLS-RPT record found for pv-cdn.net. TLS delivery failures are invisible.

Recommendation: Publish a TLS-RPT record to receive reports when sending servers fail to establish encrypted connections.

BIMI — Brand Indicators for Message Identification

Not FoundRFC 9495

0 / 5

No BIMI record found for pv-cdn.net. Brand logo will not appear in supporting email clients.

Recommendation: Publish a BIMI record with your brand SVG logo. Requires DMARC at p=quarantine or p=reject with pct=100.

Section 07

Remediation Plan

Prioritized findings and recommended fixes. These can be implemented by your internal IT team, or you can use Authex to monitor, manage, and automate these changes with our AI-powered platform starting at $9/domain per month.

#	Protocol	Finding	Severity	Fix
1	DKIM	Key Revoked	High	The DKIM key is revoked (empty p= tag). Publish a new key for this selector.
2	MTA-STS	Not Configured	High	Publish an MTA-STS TXT record and host a policy file at https://mta-sts.yourdomain/.well-known/mta-sts.txt.
3	TLS-RPT	Not Configured	High	Publish a TLS-RPT record to receive reports when sending servers fail to establish encrypted connections.
4	BIMI	Not Found	High	Publish a BIMI record with your brand SVG logo. Requires DMARC at p=quarantine or p=reject with pct=100.

Need help fixing these?

Authex continuously monitors your email authentication, detects misconfigurations, and helps you fix them. Our AI agent handles SPF flattening, DKIM rotation, and DMARC enforcement automatically. DIY plans start at $9/domain. Managed plans include a dedicated security engineer. Visit authex.online to get started with a free scan.

Section 08

Scoring Methodology

Protocol Weights

Protocol	Max Points	Weight
DMARC	35	35%
SPF	25	25%
DKIM	20	20%
MTA-STS	10	10%
TLS-RPT	5	5%
BIMI	5	5%

Grade Scale

Grade	Score Range
A+	95 - 100
A	85 - 94
B	70 - 84
C	50 - 69
D	30 - 49
F	0 - 29

authex

Generated by Authex. authex.online

Mon, 30 Mar 2026 22:53:51 GMT