Tag Archives: spf

SPF, DMARC, and rDNS Checks Are Now Built Into Blacklist Monitoring

Leave a reply
Generator Labs email deliverability checks tab showing all 13 available checks

Getting listed on an RBL is one way mail stops delivering. There’s a longer list of DNS misconfigurations that cause mail to land in spam or get silently rejected, and most monitoring tools don’t catch them. Generator Labs has added 13 email deliverability checks directly into blacklist monitoring profiles, running alongside your RBL checks and feeding into the same alert pipeline.

What Gets Checked

IP-based checks (for IPv4 and IPv6 hosts):

  • Reverse DNS (rDNS): the IP has a PTR record
  • Forward-Confirmed rDNS (FCrDNS): the PTR resolves forward back to the original IP
  • Generic PTR Pattern: the PTR doesn’t look like a dynamic or consumer hostname
  • PTR Format: the PTR has at least two labels and a valid alpha TLD

Domain-based checks (for URIBL and URI hosts):

  • MX Health: MX records exist and at least one target resolves
  • SPF Record: domain publishes a valid SPF record
  • SPF Strict: SPF uses an enforcing policy (-all or ~all)
  • SPF Lookup Limit: SPF stays within RFC 7208’s 10-lookup cap
  • DMARC Record: domain publishes a valid DMARC record
  • DMARC Strict: DMARC uses an enforcing policy (p=quarantine or p=reject)
  • TLS-RPT Record: domain publishes a TLS Reporting record
  • MTA-STS Policy: domain publishes a valid MTA-STS policy
  • BIMI Record: domain publishes a valid BIMI record

How to Enable

All 13 checks are opt-in. Go to RBL Monitoring > Monitoring Profiles > Data Sources, click the Email Deliverability tab, and enable the ones you want. None of them run unless you explicitly turn them on.

The recommended approach is a dedicated profile for your mail-sending hosts so deliverability alerts don’t mix with RBL alerts from non-mail infrastructure. Failures trigger the same notifications and webhooks as blacklist listings, so they drop straight into your existing incident workflow.

Full documentation is at docs.generatorlabs.com/email-deliverability.

Mr. DNS: Free DNS and Network Diagnostic Tools for Sysadmins and Email Teams

Leave a reply

Mr. DNS is a free collection of DNS and network diagnostic tools built for sysadmins, email administrators, and infrastructure teams. The site has been around for years, went offline for a while, and recently relaunched with an expanded tool set. Everything runs in the browser with no account required. If you work with DNS records, mail servers, or IP reputation, there is something here you will use regularly.

Mr. DNS homepage showing DNS and network diagnostic tools

DNS Tools

The DNS lookup tool handles all common record types: A, AAAA, MX, TXT, NS, SOA, CNAME, PTR, CAA, SRV, TLSA, HTTPS, MTA-STS, and BIMI. Results include TTL, geolocation data for nameservers, and flag icons for quick visual scanning.

The DNS propagation checker queries seven global resolvers simultaneously: Cloudflare, Google, Quad9, OpenDNS, AdGuard, NextDNS, and DNS.SB. Useful when you have just made a DNS change and need to see where it has landed without waiting or querying each resolver manually.

The DNSSEC checker validates the full chain of trust: DS records, DNSKEY records, RRSIG presence, and expiry. Good for confirming a DNSSEC deployment before and after changes.

Email Tools

The email tools are where Mr. DNS gets most of its daily use. The email health checker runs a combined SPF and DMARC evaluation and returns a letter grade (A through F) for your domain. One URL, one result, easy to share with a client or manager who needs a status report.

Mr. DNS email health checker showing an A grade for generatorlabs.com

Individual checkers are also available for SPF, DMARC, and DKIM when you need to dig into a specific record. The email header analyzer parses raw RFC 2822 headers and maps the full relay chain with per-hop timing and authentication results, useful for tracing a delivery failure or diagnosing a spam classification issue.

For teams managing outbound mail infrastructure, the MTA-STS checker validates DNS records and policy files, and the BIMI checker verifies SVG logos and VMC certificates for domains using brand indicators in supported mail clients.

Blacklist Checker

The blacklist checker queries your IP or domain against 15+ major RBLs and returns results in seconds. It is a solid first step when a client reports deliverability problems or when you are onboarding a new IP range and want a quick baseline.

For teams that need ongoing coverage rather than one-off checks, blacklist monitoring from Generator Labs runs continuous checks against hundreds of data sources and sends immediate alerts when a listing is detected. The free tier covers one host with no credit card required.

SSL and Network Tools

The SSL certificate checker inspects certificate details, expiry dates, SANs, issuer chain, and key type for any domain. Useful for a quick manual check before or after a certificate renewal.

For automated tracking across many domains, certificate monitoring from Generator Labs handles the ongoing work: scheduled checks, configurable expiry alert thresholds, and multi-channel notifications before anything expires.

Other network tools include ping, traceroute, port checker, HTTP headers inspector, HTTP/2 and HTTP/3 checker, and a what is my IP tool that detects both IPv4 and IPv6 with geolocation and ASN data.

Generators

Mr. DNS includes generators for SPF records and DMARC records for teams setting up email authentication from scratch. Both walk through the options and output a ready-to-paste DNS record.

Bottom Line

Mr. DNS covers the diagnostic side of DNS and email infrastructure without requiring an account or payment. For the monitoring side, Generator Labs provides continuous blacklist monitoring and certificate monitoring with alerting, picking up where the one-shot tools leave off. Both are worth bookmarking if you manage any kind of mail or DNS infrastructure.

What Is DMARC and Why Is It Important?

2 Replies

Originally Posted on the Generator Labs Blacklist Monitoring Blog.

DMARC, or “Domain-Based Message Authentication, Reporting, and Conformance”, allows a domain owner to publish policies in DNS, telling remote mailers what to do with messages that do not align with these polices. DMARC is built on top of two existing technologies: SPF, or “Sender Policy Framework”, and DKIM, or “DomainKeys Identified Mail”.

By publishing a DMARC policy via DNS, domain owners can instruct remote mailers on what to do with messages that do not pass either a SPF or DKIM test. It also provides a mechanism for reporting under those policies. This gives remote mailers a channel for letting domain owners know that they received messages that did or did not align with those policies.

Why Is This Good?

The main goal of DMARC (and SPF and DKIM), is to detect and prevent email spoofing. For example, phishing scams that are designed to look like they’re coming from your bank or Paypal, prompting you to click on a link to reset your password or to give them your information.

Ultimately, SPF and DKIM are doing the hard work here. By designating email systems that are permitted to send email for a domain, and by cryptographically signing messages to avoid header modification en-route.

But DMARC ties the two technologies together, providing a single interface for instructing remote mailers on the domains policies, and actions to take when not met. It also opens up the possibilities of adding additional anti-spoofing or SPAM control software, which could also be handled under the DMARC umbrella.

For Example

As a domain owner of example.com, I can publish both SPF and DKIM records identifying my mail system (x.x.x.x) as the only authorized mail relay for my domain. I can then publish a DMARC record that tells remote mailers, that they should reject any messages that do not pass both a SPF and DKIM check, and that they should send reports to abuse@example.com to let me know if and when this happens.

A DMARC policy record, via a DNS TXT record, using the hostname _dmarc.example.com, would look something like this:

"v=DMARC1;p=reject;rua=mailto:abuse@example.com"

If a remote mail receives an inbound email from an email address @example.com, but not from my mail system (x.x.x.x), the SPF check should fail, and they should reject the email in accordance with my DMARC policy.

Technologies like DMARC, SPF, and DKIM are great tools in the seemingly never ending fight against email SPAM and spoofing.

For more information, see: