When a client opens a ticket with “our email is going to spam” or “Microsoft is rejecting messages from us,” the first instinct is to ask which message, which sender, which receiver — and the answer is usually “all of them.” Before you dig into headers, you want a one-screen view of the domain’s email-authentication posture: do the basic records exist, are they syntactically valid, and is anything obviously broken. That is the job of PortJar’s Email DNS Health Check.
What the tool does
It runs six independent checks against the domain and returns each as a pass/fail with detail. The set is opinionated: MX presence and shape, SPF presence and validity, DMARC policy and alignment fields, MTA-STS policy availability, TLS-RPT reporting endpoint, and the consistency of the records relative to each other. Each check is shallow — it’s a posture scan, not a forensic audit — but together they answer “is this domain set up to send and receive mail like a 2026 sender should be.”
The tool deliberately does not try to be the deep parser. When the SPF check flags a problem, you drop into PortJar’s SPF Lookup & Parser to see the mechanism-by-mechanism breakdown. When DMARC needs interpretation, the dedicated DMARC parser is one click away. Health Check’s job is to tell you which of the six layers to investigate next.
How to use it
Open portjar.com/tools/email-health, enter the domain, and read the result row by row. Each row is independent: a green MX with a red MTA-STS is a real and common shape, not a contradiction. Hand the URL to a client who wants to see “all the things you’d check”; the output is plain enough for a non-engineer to follow.
Run it at the start of every mail-deliverability ticket. It takes less than five seconds and frequently saves the next twenty minutes of guessing where the problem lives.
When you’d reach for it
- A client reports mail is bouncing or hitting spam and you need fast triage before deciding whether the gap is authentication, routing, or content. PortJar’s “email going to spam” troubleshooting guide treats this as the first checklist step.
- Onboarding a new domain to a managed mail platform and wanting a pre-flight check that MX, SPF, and DMARC are publishable before you flip the MX cutover.
- After a SaaS vendor change — Mailchimp, HubSpot, Postmark — to confirm the new sender’s include statement made it into SPF and DMARC alignment didn’t break.
- Periodic posture review on a fleet of domains, where you want to spot the one that quietly lost its DMARC record during a registrar migration.
- Investigating an MTA-STS or TLS-RPT requirement asked by a customer or regulator — the Health Check tells you in seconds whether either is published.
What to make of the output
All six green is the goal, and is achievable on every domain we manage. Anything red needs a follow-up but the urgency varies.
A red MX on a domain that should receive mail is the highest priority — it means the domain is not advertising any mail server, and inbound delivery will fail outright. Confirm with PortJar’s MX Diagnostics that the underlying records exist and resolve.
A red SPF usually means one of three shapes: no SPF record at all (publish one), an SPF with broken syntax (fix the typo), or SPF that exceeds the 10 DNS lookup limit (flatten it or split senders). The per-tool SPF parser will tell you which.
A red DMARC on a domain that has SPF and DKIM but no DMARC means the domain has authentication but no policy — receivers fall back to their own heuristics. Publishing at minimum p=none with a rua mailbox costs nothing and gives you visibility.
A red MTA-STS or TLS-RPT is the most common pattern and the lowest priority. These are newer signals — they raise inbox reputation and help with TLS enforcement, but their absence rarely causes a deliverability incident. Plan to add them on a calm day, not in the middle of a fire.
A green-across-the-board result on a domain that still has deliverability problems means the problem is not in DNS — it’s in IP reputation, content, sending volume, list hygiene, or DKIM signature alignment on the actual messages. Move to message-level diagnostics.
Stack Harbor runs Email DNS Health Check on every domain we onboard to a managed mail platform as part of Deployment Management.