← Back to Platform
Platform · Capability 02

Your email is the front door
attackers spoof first.

Averrow grades your SPF, DKIM, DMARC, and MX configuration on an A+ through F scale — then tells you exactly which gap an attacker would exploit first, and folds the result straight into your composite Brand Exposure Score.

Sample Check — illustrative

An unprotected inbox is an open impersonation channel

Every brand-impersonation program eventually runs through email. Attackers don’t need to breach anything to send a message that looks like it came from your domain — they just need your SPF, DKIM, and DMARC configuration to have a gap. Most companies have never checked whether one exists.

Brand-protection platforms typically watch the outside world for impersonation — lookalike domains, fake social profiles, phishing pages. Far fewer check whether the brand itself has left its own front door unlocked. Averrow does both: external detection feeds by Sentinel, plus a standing grade on your own email authentication posture.

Four checks, one composite grade

SPF Record Validation

Confirms a Sender Policy Framework record exists, resolves cleanly, and doesn’t exceed the DNS lookup limits that silently break enforcement.

DKIM Multi-Selector Verification

Checks 12+ enterprise DKIM selectors spanning the major mailbox and gateway providers — not just the single default selector most tools stop at — so a secondary provider gap doesn’t hide behind a passing primary one.

DMARC Policy Assessment

Reads the DMARC record and evaluates the actual enforcement policy — none, quarantine, or reject — because a monitor-only DMARC record provides visibility, not protection.

MX Provider Detection

Identifies the mail provider behind the domain (Google Workspace, Microsoft 365, and other major providers) and scores against that provider’s own conventions instead of a one-size-fits-all rule.

The A+ through F scale

Every check rolls into a single letter grade so the posture is readable at a glance — and so the underlying gap is never more than one click away.

A+
Fully hardened
SPF, DKIM, and DMARC all present and aligned, DMARC policy at enforcement (p=reject), and a recognized MX provider. Spoofing your domain requires compromising the provider itself.
A
Strong, minor gaps
Core authentication is in place with only cosmetic gaps — for example DMARC at p=quarantine instead of p=reject, or a reporting address not yet configured.
B
Workable, needs attention
SPF and DKIM validate, but DMARC policy is set to p=none (monitor-only) — spoofed mail is being observed, not blocked.
C
One mechanism missing
One of SPF, DKIM, or DMARC is absent or fails validation entirely, leaving a specific, exploitable authentication gap.
D
Multiple gaps
Two or more mechanisms are missing, misconfigured, or unenforced. The domain can be spoofed with minimal attacker effort.
F
No effective protection
No enforced SPF, DKIM, or DMARC. Anyone can send email that appears to come from this domain, with no authentication check to stop it.

The grade knows who’s behind your inbox

A generic checker penalizes a domain for not matching a rule that never applied to its provider in the first place. Averrow’s engine recognizes the mail provider first, then grades against that provider’s own authentication conventions.

Google Workspace

Detected via MX and DKIM selector pattern; scoring accounts for Google's default alignment behavior so a compliant Workspace domain isn't penalized for provider defaults.

Microsoft 365

Detected via MX and Microsoft-pattern DKIM selectors; scoring reflects Microsoft's own SPF/DKIM conventions rather than treating them as generic anomalies.

Proofpoint

Recognized as a secure email gateway layered in front of the primary provider — scored as an added control, not confused with the underlying mailbox provider.

Mimecast

Same gateway-aware treatment as Proofpoint — the engine distinguishes “no protection” from “protection sitting in front of a compliant mailbox provider.”

One grade, folded into the whole picture

The email grade doesn’t live in isolation. It’s one input the agent mesh reasons over alongside active threats, lookalike domains, and social impersonation to produce a single composite Brand Exposure Score — and a natural-language explanation of why the number is what it is.

Illustrative example
A domain with an F email grade and active phishing already registered against it doesn’t read as two separate medium-severity findings — it reads as one CRITICAL exposure. The unprotected inbox is the exact mechanism a phishing operator needs to make a spoofed message land convincingly. This example is illustrative, not a live customer finding.

Most brand-protection platforms watch for impersonation from the outside but provide little to no insight into your own email authentication posture — the gap that makes impersonation land in the first place.

Find out what your email grade actually is.

Run a free exposure scan in under five minutes — no signup, no credit card.