Why does /audit return in ~3 seconds?

We read DNS and key email header fields only, use parallel resolvers with 2s timeouts, and return structured results with suggestions.

What is Proof‑of‑Scan?

We hash canonical JSON (sha256) and provide a Verify endpoint to recompute via multiple public DNS resolvers and compare hashes.

Do you store email bodies?

No. We never store bodies. We parse headers only, delete .eml right after parsing, and keep PDF/JSON for evidence.

Email Compliance 2025 — The Practical Guide

Everything you need to keep SPF/DKIM/DMARC, alignment and one‑click unsubscribe healthy — and a way to prove it with scanId + sha256 + a public Verify flow. This hub prioritizes actionable steps and verifiable outcomes over theory.

Run a check (3s)

Type a domain and get a score + five badges (SPF, DKIM, DMARC, Alignment, One-Click), plus the top three fixes.

Key definitions you can point stakeholders to

SPF 10 lookup limit

Receivers may stop SPF evaluation after 10 DNS lookups (RFC 7208 §4.6.4). When a chain exceeds the cap, alignment fails intermittently and your DMARC policy cannot enforce.

See RFC 7208 andGoogle Workspace guidance.

Run audit/Verify

One-Click unsubscribe

RFC 8058 defines a single-step HTTPS endpoint triggered by list-unsubscribe headers. Gmail and Yahoo require it for bulk senders to control complaint rates and enable fast revocation.

Read the RFC 8058 spec andGmail’s implementation notes.

Run audit/Verify

Alignment: relaxed vs strict

DMARC passes when the Header-From domain aligns with either SPF or DKIM. Relaxed alignment allows subdomain variance; strict requires an exact match and is preferred for static sending lanes.

Cross-check Google’s alignment FAQ andYahoo Postmaster guidance.

Run audit/Verify

Why it matters (2 minutes)

Authentication: without SPF/DKIM, receivers downgrade or reject.
Alignment: DMARC requires Header‑From aligns with SPF or DKIM domains.
One‑Click: lowers complaints and meets bulk‑sender rules.
Verifiability: evidence anyone can recompute—no black box claims.

What “good” looks like

SPF: single record; ≤10 lookups; no loops; includes match your ESPs.
DKIM: 2048‑bit RSA; two selectors; zero‑downtime rotation SOP.
DMARC: staged none→quarantine→reject; child policy sp= if needed.
Alignment: relaxed at minimum; adopt strict on stable routes.
One‑Click: headers present; endpoint safe (idempotent POST; https).

Proof‑of‑Scan (reproducible evidence)

SenderGuard normalizes JSON (sorted keys, LF, UTC) and hashes with sha256. The proof tail page lists rulepackVersion, resolver set (1.1.1.1/8.8.8.8/9.9.9.9), timeouts, and inputs. Anyone can call /api/verify to recompute and compare hashes.

Operational tactics

Guardrails: FAIL↔PASS flips; score Δ≥20; SPF lookups ≥8; One‑Click missing.
De‑dup: one scan per domain / 15 min; bulk at 02:00 UTC; anomaly rescan.
Evidence retention: JSON 90d; PDF 30d; proof long‑term (or 1y).

Topics

CTA: Download sample PDF · Verify a scan · Start daily monitoring

Email Compliance 2025 — The Practical Guide

Run a check (3s)

Key definitions you can point stakeholders to

SPF 10 lookup limit

One-Click unsubscribe

Alignment: relaxed vs strict

Why it matters (2 minutes)

What “good” looks like

Proof‑of‑Scan (reproducible evidence)

Operational tactics

Topics

Next steps