A comprehensive audit checklist for UK email authentication — covering every layer from DNSSEC to BIMI. Use this article when verifying a domain's posture, before migrations, for compliance audits, or as part of quarterly security review. Each item includes what to check, how to test, and the expected outcome.
This checklist applies to any UK business email domain sending external mail. Duration for a thorough audit: 2-4 hours for a mid-size UK operation. Can be done quarterly as part of IT security routine.
Tools needed:
dig or equivalent DNS query tool.

| Item | Check | Expected |
|---|---|---|
| DNSSEC enabled | dig +dnssec domain | RRSIG records present, AD flag set |
| DS record at registrar | dig DS domain @8.8.8.8 | DS record returned |
| Chain of trust valid | DNSViz online tool | Green chain from root to your zone |
| Algorithm is modern | Check DNSKEY algorithm | Algorithm 13 (ECDSA P-256) or 8 (RSASHA256) |
| KSK and ZSK both present | DNSKEY record inspection | Both flags set (257 and 256) |

| Item | Check | Expected |
|---|---|---|
| Exactly one SPF record | dig TXT domain \| grep v=spf1 | Exactly one line |
| Starts with v=spf1 | Record content | First token exactly v=spf1 |
| Terminates with -all or ~all | Record content | Hard or soft fail; not +all |
| Under 10 DNS lookups | MXToolbox SPF check | Lookup count ≤ 10, ideally ≤ 8 |
| No ptr mechanism | Grep for ptr | No matches |
| All legitimate senders covered | DMARC reports show SPF pass for each sender | All known senders passing |
| No stale includes | Per-include audit against sender inventory | Every include is for an active service |
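
The SPF rows above can be scripted. The following is an added example written for this checklist, not tooling from the page or any named vendor. It assumes a `txt_lookup(domain)` callable returning the TXT strings for a name (what `dig TXT domain` prints); the `CONSTRUCTED_TXT` dictionary is a stand-in zone so the script runs offline. It goes slightly beyond the table by following `include:` and `redirect=` recursively, which is how receivers actually evaluate the 10-lookup limit.

```python
"""SPF audit helpers: record count, v=spf1 token, terminating qualifier,
ptr mechanism and the recursive DNS-lookup count."""
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS query
MAX_LOOKUPS = 10          # RFC 7208 limit; exceeding it yields permerror
COMFORTABLE_LOOKUPS = 8   # headroom recommended by the checklist

# CONSTRUCTED zone data standing in for live DNS answers.
CONSTRUCTED_TXT = {
    "example.co.uk": [
        "v=spf1 include:_spf.mailer.test include:spf.crm.test mx -all",
        "google-site-verification=constructed-token",
    ],
    "_spf.mailer.test": ["v=spf1 ip4:198.51.100.0/24 include:_netblocks.mailer.test ~all"],
    "_netblocks.mailer.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "spf.crm.test": ["v=spf1 a mx ptr +all"],
    "two-records.test": ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"],
}

def constructed_lookup(domain):
    return CONSTRUCTED_TXT.get(domain.lower().rstrip("."), [])

def spf_records(domain, txt_lookup):
    """All TXT strings at the name that claim to be SPF (there must be exactly one)."""
    return [r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")]

def is_modifier(term):
    return re.match(r"^[A-Za-z][\w.-]*=", term) is not None   # e.g. redirect=, exp=

def mechanism_name(term):
    return re.split(r"[:/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def count_lookups(domain, txt_lookup, seen=None):
    """Total DNS-querying terms, following include: and redirect= recursively."""
    seen = set() if seen is None else seen
    if domain in seen:                      # guard against include loops
        return 0
    seen.add(domain)
    records = spf_records(domain, txt_lookup)
    if len(records) != 1:
        return 0
    total = 0
    for term in records[0].split()[1:]:
        if is_modifier(term):
            name, _, target = term.partition("=")
            if name.lower() == "redirect":
                total += 1 + count_lookups(target, txt_lookup, seen)
        else:
            name = mechanism_name(term)
            if name == "include":
                total += 1 + count_lookups(term.split(":", 1)[1], txt_lookup, seen)
            elif name in LOOKUP_MECHANISMS:
                total += 1
    return total

def audit_spf(domain, txt_lookup):
    """Return a list of findings; an empty list means the SPF rows are all green."""
    findings = []
    records = spf_records(domain, txt_lookup)
    if len(records) != 1:
        findings.append(f"expected exactly one v=spf1 record, found {len(records)}")
        return findings
    terms = records[0].split()
    if terms[0] != "v=spf1":
        findings.append("first token must be exactly v=spf1")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("record ends with +all, which authorises every sender")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("record should terminate with -all or ~all")
    if any(not is_modifier(t) and mechanism_name(t) == "ptr" for t in terms[1:]):
        findings.append("ptr mechanism present (deprecated, slow and unreliable)")
    lookups = count_lookups(domain, txt_lookup)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS} (permerror)")
    elif lookups > COMFORTABLE_LOOKUPS:
        findings.append(f"{lookups} DNS lookups leaves little headroom under the limit")
    return findings

if __name__ == "__main__":
    for name in CONSTRUCTED_TXT:
        print(name, count_lookups(name, constructed_lookup), audit_spf(name, constructed_lookup))
```

Swapping `constructed_lookup` for a function that shells out to `dig +short TXT` turns this into a live check; the loop guard matters there, because an include chain that revisits a domain would otherwise recurse without end.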

| Item | Check | Expected |
|---|---|---|
| DKIM signing enabled | Send test message; inspect headers | DKIM-Signature header present |
| Signing domain aligns with From | Test message Authentication-Results | dkim=pass with your domain in header.i |
| Selector DNS record published | dig TXT selector._domainkey.domain | Valid v=DKIM1 record |
| Key size 2048+ RSA or Ed25519 | Inspect public key length | RSA-2048+ (never 1024); Ed25519 preferred |
| Signing algorithm rsa-sha256 or ed25519-sha256 | DKIM-Signature a= tag | Modern algorithm |
| Canonicalisation relaxed/relaxed | DKIM-Signature c= tag | relaxed/relaxed |
| All sending services sign with your domain | DMARC reports per source | All show DKIM alignment |
| No use of l= body length limit | DKIM-Signature inspection | No l= tag |
| Selector rotated within last 12 months | Selector name or creation date | Quarterly rotation ideal; annual minimum |
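
The DKIM rows above split into two inspections: the selector's TXT record (key type, key size, revoked key) and the DKIM-Signature header on a test message (algorithm, canonicalisation, l= tag, d= alignment with the From domain). The following is an added example for this checklist, not code from the page or any vendor. The RSA key it checks is CONSTRUCTED: a DER-valid SubjectPublicKeyInfo built around a placeholder modulus, so the size check runs offline without a real key; the headers are constructed test values.

```python
"""DKIM audit helpers: selector record parsing with a real modulus-size check,
and DKIM-Signature tag checks against the checklist rows."""
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")      # 1.2.840.113549.1.1.1 (rsaEncryption)
MODERN_ALGORITHMS = {"rsa-sha256", "ed25519-sha256"}

def parse_tags(value):
    """Split a tag=value;... list; whitespace inside a value is only folding."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = "".join(v.split())
    return tags

# --- minimal DER helpers, enough for SubjectPublicKeyInfo ----------------
def _der_read(buf, pos):
    """Read one TLV at pos; return (tag, body, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + ln + body

def _der_uint(i):
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def rsa_modulus_bits(spki):
    """Bit length of the modulus inside a SubjectPublicKeyInfo (the decoded p= value).
    Base64 length is only a rough proxy; this reads the actual INTEGER."""
    _, body, _ = _der_read(spki, 0)                 # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, _, after_alg = _der_read(body, 0)            # skip AlgorithmIdentifier
    _, bitstring, _ = _der_read(body, after_alg)    # first byte = unused-bit count
    _, rsa_key, _ = _der_read(bitstring[1:], 0)     # RSAPublicKey SEQUENCE { n, e }
    _, n_bytes, _ = _der_read(rsa_key, 0)
    return int.from_bytes(n_bytes, "big").bit_length()

def constructed_dkim_record(bits):
    """CONSTRUCTED selector record around a placeholder modulus of the given size."""
    modulus = (1 << (bits - 1)) | 1                 # not a real key, only DER-valid
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    key = _der(0x30, _der_uint(modulus) + _der_uint(65537))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def audit_dkim_record(record):
    """Findings for a selector._domainkey TXT record; empty list means green."""
    findings, tags = [], parse_tags(record)
    if tags.get("v") != "DKIM1":
        findings.append("record should start with v=DKIM1")
    key_type, p = tags.get("k", "rsa"), tags.get("p", "")
    if not p:
        findings.append("empty p= means the key is revoked; nothing signs validly")
        return findings
    raw = base64.b64decode(p)
    if key_type == "rsa":
        bits = rsa_modulus_bits(raw)
        if bits < 2048:
            findings.append(f"RSA-{bits} key; 2048 bits is the minimum")
    elif key_type == "ed25519":
        if len(raw) != 32:
            findings.append("ed25519 p= must be the raw 32-byte public key")
    else:
        findings.append(f"unknown key type k={key_type}")
    return findings

def audit_signature(header_value, from_domain):
    """Findings for a DKIM-Signature header value against the From domain."""
    findings, tags = [], parse_tags(header_value)
    if tags.get("a") not in MODERN_ALGORITHMS:
        findings.append(f"a={tags.get('a')} is not rsa-sha256 or ed25519-sha256")
    if tags.get("c", "simple/simple") != "relaxed/relaxed":
        findings.append(f"c={tags.get('c', 'simple/simple')}; relaxed/relaxed survives forwarding better")
    if "l" in tags:
        findings.append("l= body length limit present; unsigned content can be appended")
    d, f = tags.get("d", "").lower().rstrip("."), from_domain.lower().rstrip(".")
    # Relaxed alignment approximated as a suffix match (a full check uses the organisational domain).
    if not (d == f or f.endswith("." + d)):
        findings.append(f"d={d} does not align with From domain {f}")
    return findings

# CONSTRUCTED headers from a test message (values are placeholders, not real signatures).
CONSTRUCTED_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.co.uk; s=sel2025q1; "
                         "h=from:to:subject:date; bh=constructed=; b=constructed=")
WEAK_SIGNATURE = "v=1; a=rsa-sha1; c=simple/simple; l=200; d=esp.test; s=k1; bh=x=; b=y="
```

For a live check, feed `audit_dkim_record` the string `dig +short TXT selector._domainkey.domain` returns (concatenating the quoted chunks) and `audit_signature` the header value copied from a message sent to a mailbox you control.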

| Item | Check | Expected |
|---|---|---|
| DMARC record published | dig TXT _dmarc.domain | Valid v=DMARC1 record |
| Policy at enforcement | p= tag | Ideally p=reject; minimum p=quarantine |
| Subdomain policy set | sp= tag | Explicit, ideally sp=reject |
| Alignment mode documented | adkim= and aspf= | Strict for hardened deployments, relaxed acceptable |
| Aggregate reporting configured | rua= tag | Valid mailto address(es) |
| Aggregate reports being received | Check RUA mailbox | Daily reports from major receivers |
| Reports being processed | Processing service dashboard | Metrics visible and current |
| Pass rate above 99% for legitimate mail | DMARC dashboard | 99%+ pass rate |
| No unexplained failing sources | Per-source investigation | Every source identified and classified |
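
The DMARC rows above cover record syntax and policy strength; the alignment rows (adkim=, aspf=) are easier to reason about with the evaluation a receiver performs. The following is an added example for this checklist, not code from the page or any vendor. The records and message outcomes are CONSTRUCTED, and the organisational-domain lookup is approximated with a short list of UK public suffixes (an assumption; a real implementation uses the full Public Suffix List).

```python
"""DMARC audit helpers: record checks plus the pass/disposition logic that
identifier alignment produces for a given set of SPF/DKIM results."""

# Subset of the Public Suffix List, enough for the constructed domains below (assumption).
UK_PUBLIC_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "ltd.uk", "plc.uk", "me.uk", "net.uk"}

def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip().lower()] = v.strip()
    return tags

def audit_dmarc(record):
    """Findings for a _dmarc TXT record; empty list means the DMARC rows are green."""
    findings, tags = [], parse_dmarc(record)
    if not record.strip().startswith("v=DMARC1"):
        findings.append("record must begin with v=DMARC1")
    p = tags.get("p", "none")
    if p not in ("quarantine", "reject"):
        findings.append(f"p={p} is monitor-only; spoofed mail is not blocked")
    elif p == "quarantine":
        findings.append("p=quarantine meets the minimum; aim for p=reject")
    if "sp" not in tags:
        findings.append(f"sp= not set explicitly; subdomains inherit p={p}")
    elif tags["sp"] != "reject":
        findings.append(f"sp={tags['sp']}; ideally sp=reject")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua or not all(u.startswith("mailto:") for u in rua):
        findings.append("rua= missing or not mailto: URIs; no aggregate reports will arrive")
    return findings

def org_domain(domain):
    """Organisational domain: three labels under a listed UK suffix, otherwise two."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in UK_PUBLIC_SUFFIXES else 2
    return ".".join(labels[-n:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organisational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(record, record_domain, from_domain, spf_domain, spf_pass, dkim_domains):
    """'pass' if any authenticated identifier aligns, else the disposition applied.
    spf_domain is the MAIL FROM domain; dkim_domains are d= values of signatures
    that verified. Assumes no more specific _dmarc record exists at the subdomain."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, tags.get("adkim", "r")) for d in dkim_domains)
    if spf_ok or dkim_ok:
        return "pass"
    p = tags.get("p", "none")
    is_subdomain = from_domain.lower().rstrip(".") != record_domain.lower().rstrip(".")
    return tags.get("sp", p) if is_subdomain else p

# CONSTRUCTED records for the checks above.
HARDENED_RECORD = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.co.uk"
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk"

if __name__ == "__main__":
    print(audit_dmarc(HARDENED_RECORD), audit_dmarc(MONITOR_RECORD))
    print(dmarc_result(HARDENED_RECORD, "example.co.uk", "example.co.uk",
                       "bounce.example.co.uk", True, []))
```

The `dmarc_result` function is the useful part when reading aggregate reports: for each source row, plug in the SPF and DKIM domains the receiver reported and confirm that the disposition you expect is the one the policy actually yields, especially for subdomains and for third parties signing with their own d=.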

| Item | Check | Expected |
|---|---|---|
| STARTTLS supported on MX | openssl s_client -connect mx:25 -starttls smtp | TLS handshake succeeds |
| TLS version 1.2 or 1.3 | TLS negotiated version | 1.2 minimum; 1.3 preferred |
| Certificate covers MX hostname | Certificate SAN field | MX hostname in SAN |
| Certificate valid (not expired, chain intact) | openssl verify | Valid chain to trusted root |
| MTA-STS record published | dig TXT _mta-sts.domain | v=STSv1 record |
| MTA-STS policy file accessible | curl https://mta-sts.domain/.well-known/mta-sts.txt | HTTP 200 with valid policy |
| MTA-STS mode is enforce | Policy file | mode: enforce for production |
| DANE TLSA records present | dig TLSA _25._tcp.mx | TLSA record if DNSSEC enabled |
| TLS-RPT configured | dig TXT _smtp._tls.domain | v=TLSRPTv1 record |
| TLS-RPT reports being received | Reports mailbox | Daily reports arriving |
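
Of the transport rows above, the MTA-STS and TLS-RPT checks are pure text validation once the DNS record and policy file are in hand. The following is an added example for this checklist, not code from the page or any vendor. The DNS records, policy text and MX hostnames are CONSTRUCTED so it runs offline; in practice they come from `dig TXT _mta-sts.domain`, a `curl` of the policy URL and `dig MX domain`. It adds one check the table only implies: that every published MX is actually covered by an `mx:` line, since an uncovered MX under `mode: enforce` causes senders to refuse delivery.

```python
"""MTA-STS and TLS-RPT audit helpers: record syntax, policy fields, mode,
max_age range and MX coverage using RFC 8461 wildcard matching."""

MAX_AGE_CEILING = 31557600          # RFC 8461: max_age may not exceed one year
MIN_MAX_AGE = 86400                 # one day; an assumption for this example, not an RFC value

def parse_policy(text):
    """Parse the key: value policy file; mx may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_matches(host, pattern):
    """RFC 8461 matching: exact, or '*.suffix' covering exactly one leading label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def _tags(dns_record):
    return dict(p.strip().split("=", 1) for p in dns_record.split(";") if "=" in p)

def audit_mta_sts(dns_record, policy_text, mx_hosts):
    """Findings for the MTA-STS rows; empty list means green."""
    findings, tags = [], _tags(dns_record)
    if tags.get("v") != "STSv1" or not tags.get("id"):
        findings.append("_mta-sts TXT record must be 'v=STSv1; id=<policy id>'")
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        findings.append("policy file missing 'version: STSv1'")
    mode = policy.get("mode")
    if mode != "enforce":
        findings.append(f"mode is {mode}; production policies should be enforce")
    try:
        max_age = int(policy.get("max_age", ""))
    except ValueError:
        max_age = -1
    if not MIN_MAX_AGE <= max_age <= MAX_AGE_CEILING:
        findings.append(f"max_age {policy.get('max_age')!r} outside {MIN_MAX_AGE}-{MAX_AGE_CEILING}")
    if not policy["mx"]:
        findings.append("policy lists no mx lines")
    for host in mx_hosts:
        if not any(mx_matches(host, pat) for pat in policy["mx"]):
            findings.append(f"MX {host} not covered by policy; senders in enforce mode would refuse it")
    return findings

def audit_tlsrpt(dns_record):
    """Findings for the _smtp._tls TXT record."""
    findings, tags = [], _tags(dns_record)
    if tags.get("v") != "TLSRPTv1":
        findings.append("_smtp._tls TXT record must start with v=TLSRPTv1")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua or not all(u.startswith(("mailto:", "https:")) for u in rua):
        findings.append("rua= must list mailto: or https: report destinations")
    return findings

# CONSTRUCTED inputs standing in for dig and curl output.
CONSTRUCTED_STS_RECORD = "v=STSv1; id=20250101T000000Z"
CONSTRUCTED_POLICY = """version: STSv1
mode: enforce
mx: mx1.example.co.uk
mx: *.mail.example.co.uk
max_age: 604800
"""
CONSTRUCTED_MX = ["mx1.example.co.uk", "mx2.mail.example.co.uk"]
CONSTRUCTED_TLSRPT = "v=TLSRPTv1; rua=mailto:tls-reports@example.co.uk"

if __name__ == "__main__":
    print(audit_mta_sts(CONSTRUCTED_STS_RECORD, CONSTRUCTED_POLICY, CONSTRUCTED_MX))
    print(audit_tlsrpt(CONSTRUCTED_TLSRPT))
```

Run the MX-coverage check again after any MX change: the policy file and its `id=` must be updated together, or cached policies at large receivers keep the old mx list until `max_age` expires.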

| Item | Check | Expected |
|---|---|---|
| Valid PTR on sending IPs | dig -x sending-IP | PTR to meaningful hostname |
| FCrDNS passes | Forward-resolve PTR result | Original IP in forward result |
| HELO hostname matches PTR | Mail server HELO configuration | Consistent hostname |
| No mail sent from consumer broadband | IP provenance check | Business-class IP only |
| MX records published and current | dig MX domain | Valid MX pointing at active infrastructure |
| No unauthorised open relays | External testing | Server refuses unauthenticated relay |
| No spam-generating compromised accounts | Mail server logs | No anomalous outbound patterns |

| Item | Check | Expected |
|---|---|---|
| DMARC aggregate processor configured | Mail Hardener, dmarcian, or similar | Dashboards populated |
| TLS-RPT processor configured | Same or complementary service | TLS metrics visible |
| Google Postmaster Tools enrolled | postmaster.google.com | Domain verified, data showing |
| Microsoft SNDS enrolled | SNDS portal | IP reputation data visible |
| Microsoft JMRP enrolled | Sender Support | Complaints being received |
| Yahoo CFL enrolled (if applicable) | Yahoo Sender Hub | Reports arriving |
| Blocklist monitoring active | MXToolbox monitor or similar | Alerts configured |
| Bounce processing automated | Platform or custom | Suppression list maintained |
| Complaint rate under 0.3% | Postmaster Tools, SNDS | Well under threshold |

| Item | Check | Expected |
|---|---|---|
| Google/Yahoo 2024 requirements met | Individual items above | All compliant |
| Microsoft 2025 requirements met | Individual items above | All compliant |
| RFC 8058 one-click unsubscribe | Outbound message headers | List-Unsubscribe + List-Unsubscribe-Post headers |
| Unsubscribe processed within 2 business days | Backend process SLA | Documented and followed |
| NCSC Mail Check compliance (UK public sector) | Mail Check portal | All checks green |
| Non-sending domains locked down | Per non-sending domain checklist | Null SPF, null DKIM, p=reject DMARC |
| BIMI deployed (if applicable) | dig TXT default._bimi.domain | v=BIMI1 record with VMC if required |
Aggregate the audit outcome:
The epost.plus reference configuration would score 100% — every item green. Aim for that level on business-critical domains.
Initial audit showed 68% green. Gaps: DMARC at p=none, no MTA-STS, missing PTR on dedicated sending IP, no Postmaster Tools enrolment. Remediation plan: 8 weeks. Quick wins in week 1 (enrolment, PTR), DMARC progression over weeks 2-8, MTA-STS deployment week 6. Post-remediation: 95% green.
Initial audit: 85% green. Remaining gaps: DMARC pct=50 not ramped to 100, no BIMI deployment, one marketing platform signing with wrong domain. Remediation: 4 weeks. Primary lift: fixing the marketing platform's DKIM delegation.
Initial NCSC Mail Check: multiple gaps per NCSC baseline. Targeted remediation aligned with Mail Check priorities. Full baseline compliance within 3 months including DMARC p=reject, MTA-STS enforce, DNSSEC, DANE.
Q: How often should I run this audit?
A: Quarterly for active business domains. Additionally after any infrastructure change, migration, or incident.
Q: Is there a simpler audit for small UK SMEs?
A: For low-volume senders, focus on: SPF exists, DKIM signing, DMARC published, PTR valid. These alone solve most deliverability issues. Full audit matters when volume grows.
Q: Who should conduct the audit?
A: IT team or external specialist. Specialist adds independence; internal team knows context. Combination (internal audit reviewed by external annually) is common for larger UK businesses.
Q: Does the audit catch GDPR compliance issues?
A: Indirectly. The audit focuses on technical email security. GDPR compliance for email involves broader considerations (consent, list management, retention). Complementary audits needed.
Q: Can audit findings be automated?
A: Mostly. Commercial services (Hardenize, Red Sift, Mail Hardener) automate DNS-level and authentication checks. Judgement items (root cause analysis, sender inventory completeness) remain human.
Q: How long does remediation typically take for a domain failing most items?
A: 3-6 months for full remediation. Quick wins (SPF, basic DKIM) in weeks. Full DMARC rollout, reporting integration, monitoring infrastructure 3-6 months.
Q: Should I document audit results formally?
A: Yes — especially for regulated UK sectors. Document results, remediation plan, progress against it. Auditable trail.
Q: Does this audit replace penetration testing or security assessments?
A: No — complementary. Email security is one domain. Penetration testing covers broader attack surface. Security assessments may or may not include email; ensure email is in scope if relying on them.
Q: What is the most common finding in UK SME audits?
A: Missing or weak DMARC. SPF and DKIM usually present. DMARC often missing or at permanent p=none.
Q: What is the most common finding in UK enterprise audits?
A: Misaligned third-party senders. Dozens of SaaS platforms sending as the domain; many not properly DKIM-delegated. Results in DMARC failures and reputation issues.
Q: Can the audit be done via API/automation rather than manual?
A: Mostly yes. DNS-level checks entirely automatable. Commercial services run daily automated audits. Human review remains valuable for context interpretation.
Q: What audit findings are most critical to address immediately?
A: Top 3: (1) DMARC at p=none or missing — spoofing undefended. (2) Missing PTR on sending IPs — deliverability damage. (3) Open relay or compromised account — security incident.
Q: Is there a standard UK audit report template?
A: NCSC provides Mail Check reports for public sector. Commercial tools offer their own formats. DMA UK publishes templates. No single standard but many reasonable options.
Q: Should I include BIMI in my audit for non-marketing UK domains?
A: Optional. BIMI adds visual trust but requires VMC investment. For non-marketing domains, lower priority. For consumer-facing brand domains, worth the effort.
Q: How do I know if NCSC Mail Check is applicable to me?
A: Primarily for .gov.uk and accredited UK public sector domains. Private sector cannot use Mail Check directly but can use equivalent commercial tools.
Q: What is the relationship between this audit and ISO 27001 certification?
A: ISO 27001 covers broader information security. The email audit is a component — specifically Annex A controls around communications security. Useful evidence for ISO compliance.
Q: Are UK regulators starting to require this kind of audit formally?
A: Not specifically. NCSC and ICO guidance implies it for appropriate technical measures. PCI DSS and sector-specific frameworks may reference email authentication. Trend toward more explicit requirements.
Q: What audit tools are UK-accessible with free tiers?
A: NCSC Mail Check (public sector only), MXToolbox, Hardenize, DNSViz. All provide meaningful free visibility. Paid tiers add depth.
Q: Can audit findings inform procurement decisions?
A: Yes — auditing potential suppliers' email posture can indicate their security maturity. Some UK procurement frameworks explicitly consider this.
Q: How does audit relate to post-breach forensics?
A: Pre-breach audit establishes baseline. Post-breach forensics trace what authentication was bypassed. Strong pre-breach audit simplifies post-breach investigation.
Q: Should the audit include checking outbound TLS from my servers to others?
A: Yes — outbound TLS health matters alongside inbound. Mail server logs and TLS-RPT on your side reveal outbound TLS behaviour.
Q: Does audit work for UK organisations with many acquired domains?
A: Yes. Each acquired domain audited separately. Non-sending acquired domains need lockdown audit; sending domains need full audit. Audit backlog common after acquisitions.
Q: Can the audit reveal marketing campaign issues?
A: Indirectly. Complaint rates, bounce patterns, reputation trends reveal campaign-level issues. Audit is technical; campaign-level issues flow through the technical indicators.
Q: What is the single highest-value audit item for deliverability?
A: DMARC aggregate report analysis. Reveals every sending source, their authentication status, and whether they align. Single richest source of actionable email security information.
Q: Do UK sector-specific regulators (FCA, ICO, Ofcom) accept audits run against this checklist?
A: As part of broader security assurance yes. Regulators do not mandate a specific checklist but accept evidence demonstrating technical email security controls. This checklist produces that evidence.
Q: How does the audit scale for multi-domain UK businesses?
A: Each domain audited separately. Tooling helps: commercial services audit portfolios. Multi-domain audit time scales roughly linearly with domain count.
Q: Should marketing teams see audit findings?
A: Relevant findings yes. Complaint rates, list hygiene, unsubscribe processing all affect marketing. Findings about authentication internals can be summarised rather than full detail.
Q: Are there audit items specific to UK public sector?
A: NCSC Mail Check adds specific requirements (DMARC p=reject, DNSSEC, specific TLS). Public sector checklist is this one plus Mail Check-specific items.
Q: Does audit need to include incident history review?
A: Yes for comprehensive audit. Recent incidents inform priorities — recurring issues may indicate systemic gaps. Include 12-month history in audit scope.
Q: How do I benchmark my audit result against UK peers?
A: Commercial services sometimes publish anonymised industry benchmarks. DMA UK publishes sector deliverability reports. Use as context; absolute metrics (99% authentication pass) matter more than peer comparison.
Q: Does UK cyber insurance require this audit?
A: Increasingly yes. Cyber insurance policies may specify email security controls; audit provides evidence. Check specific policy terms.
Q: What is the minimum viable audit for a UK sole trader?
A: Five items: SPF published, DKIM signing, DMARC p=none, PTR on sending IP, TLS in transit. These cover 80% of deliverability risk.
Q: Can the audit be repurposed for M&A due diligence?
A: Yes. Acquiring UK business can run audit against target's email posture. Significant deficiencies affect integration cost. Technical due diligence component.
Q: What is the typical cost of a professional audit for a UK mid-market business?
A: £2,000-£10,000 depending on scope and number of domains. External consultants charge day-rate for review; platforms include automated audit in subscription. DIY audit is free but requires expertise.
Q: Are there UK-specific audit certifications?
A: No specific email-security certification. Broader ISO 27001 and Cyber Essentials include email-related controls. Deliverability-focused certifications exist (M3AAWG senders) but are limited.
Q: How does audit relate to incident response planning?
A: Strong audit posture simplifies incident response. Known authentication state means investigators can quickly identify compromise or bypass. Weak posture means longer forensic timeline during incidents.
Q: What audit finding indicates urgent security risk?
A: Any of: DMARC at p=none with known phishing against the domain; missing DKIM allowing content injection; open relay; compromised account generating outbound spam. These need same-day response.
Q: Should the audit include user-facing practices?
A: Optional — the technical audit focuses on infrastructure. Separate audit for user practices (phishing awareness, password hygiene, unsubscribe behaviour) may complement.
Q: Is there a UK regulator-endorsed audit methodology?
A: NCSC Mail Check for public sector is the closest. Private sector follows commercial frameworks, adapted from international standards (M3AAWG, IETF RFCs). No single UK-endorsed methodology.
Q: How long does the first comprehensive audit take for a typical UK business?
A: 4-8 hours for a single-domain UK business with moderate complexity. Portfolio audits scale accordingly. Automated tools reduce time significantly; human review remains valuable.
Q: Can audit findings be shared with customers to demonstrate security posture?
A: Summary findings yes — detailed technical gaps less advisable publicly. Customers in regulated sectors may request audit evidence as part of vendor due diligence.
Q: How does audit interact with PCI DSS self-assessment questionnaires?
A: PCI DSS SAQs include questions about encryption and authentication of transmitted cardholder data. Email audit provides evidence for relevant questions. Self-assessment still requires formal completion; audit supports.
Q: What audit items indicate "production-ready"?
A: All items in the infrastructure hygiene, transport security, and basic authentication sections green. DMARC at p=reject. Reporting in place. This is the production-ready baseline.
Q: Is there continuing education for UK professionals doing email audits?
A: M3AAWG offers training. DMA UK has email marketing certifications. NCSC publishes technical guidance. No single UK qualification; practitioners typically combine resources.
Q: Should the audit include evaluation of third-party email vendors?
A: Yes — third-party senders using your domain are your responsibility for authentication alignment. Audit includes verifying each third party's DKIM delegation status.
Q: How does the audit accommodate evolving rules?
A: Checklist updated annually at minimum. New Google/Yahoo/Microsoft rules and new NCSC guidance incorporated as they appear. Treat the checklist as a living document rather than a static artefact.