
DNS Authentication & the Auth Score

Every time a competitor email arrives, Competitor Inbox probes the sender's DNS records in real time — checking SPF, DKIM, DMARC, and BIMI — and computes an Auth Score from 0 to 100 that tells you exactly how well their sending infrastructure is protected.

The Auth Score

Scores range from 0 to 100. A score above 80 indicates strong authentication. Below 40 signals high deliverability risk.

SPF record present and valid: +25
DKIM signature present and verifies: +25
DMARC policy published: +20
DMARC policy is "reject" or "quarantine": +15
BIMI record with verified logo present: +15

80–100: Strong. Best-in-class authentication.
40–79: Moderate. Missing one or two key layers.
0–39: At Risk. Significant deliverability vulnerability.

SPF — Sender Policy Framework

SPF lets a domain owner publish a list of authorized sending IP addresses in their DNS. Receiving mail servers check whether the email came from an authorized IP before accepting it. We perform a live TXT lookup on the Return-Path domain and parse the full SPF record, following every include: mechanism and redirect= modifier.

Common SPF Misconfigurations We Detect

No SPF record: Any server can send email claiming to be you. High spam/phishing risk.
+all mechanism: Effectively allows all senders. SPF is meaningless.
PermError (11+ lookups): SPF evaluation fails and is treated as a neutral result by receivers.
Redirect loops: Can cause infinite DNS lookups; parsing error at receiving MTA.
Missing include: Legitimate sending service rejected; delivery failures from valid servers.
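
An added example (not Competitor Inbox's own code) showing how three of the checks above can be implemented: it walks include: and redirect= targets, counts DNS-querying terms against the RFC 7208 limit of 10, and flags +all and loops. The ZONE table, the .example domains and the audit_spf function are constructed for illustration and stand in for live TXT lookups.

```python
import re

# Constructed zone data (made-up .example names); stands in for live TXT lookups.
ZONE = {
    "good.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "open.example": "v=spf1 +all",
    "loop-a.example": "v=spf1 redirect=loop-b.example",
    "loop-b.example": "v=spf1 redirect=loop-a.example",
    "heavy.example": "v=spf1 " + " ".join(f"include:n{i}.example" for i in range(11)) + " -all",
    **{f"n{i}.example": f"v=spf1 ip4:203.0.113.{i} -all" for i in range(11)},
}
LOOKUP_LIMIT = 10  # RFC 7208 cap on DNS-querying terms per evaluation


def audit_spf(domain, zone=ZONE):
    """Return sorted findings for the SPF record published at `domain`."""
    findings = set()
    lookups = 0

    def walk(name, chain):
        nonlocal lookups
        if name in chain:  # target is a record already being evaluated
            findings.add("redirect/include loop")
            return
        record = zone.get(name, "")
        if not record.lower().startswith("v=spf1"):
            findings.add("no SPF record" if not chain else f"no SPF record at target {name}")
            return
        for term in record.lower().split()[1:]:
            bare = term.lstrip("+-~?")  # drop the qualifier
            if bare == "all" and not term.startswith(("-", "~", "?")):
                findings.add("+all")  # explicit or implicit "+" qualifier
            target = re.match(r"(?:include:|redirect=)(.+)", bare)
            if target:
                lookups += 1
                walk(target.group(1), chain | {name})
            elif re.match(r"(a|mx|ptr|exists)([:/]|$)", bare):
                lookups += 1

    walk(domain.lower(), frozenset())
    if lookups > LOOKUP_LIMIT:
        findings.add("PermError (11+ lookups)")
    return sorted(findings)


if __name__ == "__main__":
    for d in ("good.example", "open.example", "loop-a.example", "heavy.example", "missing.example"):
        print(d, audit_spf(d))
```
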

DKIM — DomainKeys Identified Mail

DKIM adds a cryptographic signature to the email headers. The receiving server fetches the sender's public key from DNS and verifies the signature. We extract the DKIM-Signature header, identify the selector (s=) and signing domain (d=), then look up {selector}._domainkey.{d} in DNS and verify the RSA or Ed25519 signature.

Common ESP Signing Domains

Mailchimp: k1._domainkey.list-manage.com
Klaviyo: klaviyodkim1._domainkey.klaviyo.com
SendGrid: em._domainkey.sendgrid.net
Amazon SES: amazonses.com
Salesforce MC: ._domainkey.salesforce.
HubSpot: hubspot1._domainkey.hubspot.com

When a sender signs with their own domain key (not an ESP's domain), it's a strong signal they're using infrastructure they fully control — common for high-volume in-house senders.

DMARC — Domain-based Message Authentication

DMARC builds on SPF and DKIM by requiring alignment — the From: domain must match the domains used in SPF or DKIM checks. We look up the _dmarc.domain TXT record and parse:

p=none (Monitor only): No action taken. Phishing-prone.
p=quarantine (Quarantine): Fails go to spam.
p=reject (Reject): Best. Fails are dropped outright.

We also record rua= (aggregate report URI), pct= (policy enforcement percentage, commonly used during ramp-up), and sp= (subdomain policy). A DMARC record with p=reject; pct=100 and no missing SPF/DKIM scores a perfect 100.

BIMI — Brand Indicators for Message Identification

BIMI is the newest layer of authentication. When properly configured, Gmail, Apple Mail, and Yahoo display the brand's verified logo next to the email in the inbox — increasing open rates by up to 10%. We query default._bimi.domain and store the SVG logo URL. If a competitor has BIMI configured, their logo appears throughout the Competitor Inbox UI.

BIMI Setup Requirements

1. Publish DMARC policy = reject
   BIMI requires a DMARC policy of "quarantine" or "reject" — "none" is not enough.
2. Create an SVG brand logo
   Must be a square Tiny PS SVG with no external references.
3. Publish the BIMI DNS TXT record
   default._bimi.domain → v=BIMI1; l=https://…/logo.svg; a=https://…/vmc.pem
4. Optionally obtain a VMC certificate
   A Verified Mark Certificate from DigiCert or Entrust unlocks Gmail brand badge display.

Why Auth Score Matters for Competitor Analysis

Interpret engagement drops: If a competitor's open rate seems low, check their Auth Score. A score below 40 suggests Gmail and Outlook may be routing their campaigns to spam — making the strategy look bad when the product is fine.
Spot infrastructure changes: A sudden Auth Score drop (from 80 → 40) often precedes or accompanies an ESP switch, domain reputation issue, or deliverability crisis.
Benchmark your own setup: Auth Scores aren't just for competitors. Use industry data to compare your DNS configuration against similar senders in your vertical.
Track BIMI adoption: BIMI adoption is still below 5% across most industries. Knowing which competitors have it live can inform your own brand identity strategy.
