EMAIL-001 critical Email Authentication
MX records configured
MX records exist, resolve, and are reachable on port 25 for all domains in the domain inventory that receive email.
Question to ask
"Are you sure mail to your domain actually lands somewhere?"
What to check
- ☐ Query MX records for each domain in inventory
- ☐ Verify MX hosts resolve
- ☐ Verify MX hosts are reachable on port 25
Verification guide
Severity: Critical
MX records determine where email for your domain is delivered. Without proper MX records, you cannot receive email and sending reputation suffers.
Check automatically:
- Query MX records for each domain in inventory:
  ```bash
  # Root domain
  dig MX example.com +short
  # Subdomains (if they receive email)
  dig MX mail.example.com +short
  ```
- Verify MX hosts resolve:
  ```bash
  # For each MX host returned
  dig A mx1.example-provider.com +short
  ```
- Verify MX hosts are reachable on SMTP port:
  ```bash
  # Test SMTP port connectivity (timeout 5 seconds); options go before the host and port
  nc -zv -w 5 mx1.example-provider.com 25
  ```
- With Cloudflare API (preferred):
  ```bash
  # List all MX records in zone
  curl -X GET "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records?type=MX" \
    -H "Authorization: Bearer $CF_API_TOKEN" | jq '.result[] | {name, content, priority}'
  ```
Ask user:
- "What domains should have email infrastructure?" (cross-reference DNS-001 inventory)
- "What mail provider do you use?" (Google Workspace, Microsoft 365, etc.)
Pass criteria:
- At least one MX record exists for each domain that receives email
- MX hosts resolve to IP addresses
- MX hosts are reachable on port 25
- Priority ordering makes sense (lower number = higher priority)
Fail criteria:
- No MX records for a domain that should receive email
- MX hosts don't resolve (NXDOMAIN)
- MX hosts unreachable on port 25
Evidence to capture:
- Domain inventory (from DNS-001)
- MX records per domain
- Mail provider identified
- Reachability status for each MX host
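
The three checks and the pass/fail criteria can be chained into one script per domain. The following is an added example, not part of the original checklist; it goes slightly beyond the criteria above by also flagging a null MX (`0 .`, RFC 7505), which declares that a domain accepts no mail. The function names `resolve_host`, `port_open` and `audit_mx` and the file name `check_mx.sh` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original checklist): applies the pass/fail
# criteria above to one domain. Function names are assumptions of this sketch.

# Succeeds if the MX host has at least one A or AAAA address.
resolve_host() {
    { dig A "$1" +short; dig AAAA "$1" +short; } |
        grep -Eq '^[0-9a-fA-F.:]*[0-9a-fA-F:]$'
}

# Succeeds if TCP port 25 answers within 5 seconds.
port_open() {
    nc -z -w 5 "$1" 25 </dev/null >/dev/null 2>&1
}

# audit_mx DOMAIN MX_OUTPUT
# MX_OUTPUT is the text printed by `dig MX DOMAIN +short`.
# Prints one finding per MX host, lowest preference value (highest
# priority) first; returns 0 if every check passed, 1 otherwise.
audit_mx() {
    domain=$1 status=0
    # Keep only "<preference> <host>" lines; drop dig error lines.
    records=$(printf '%s\n' "$2" |
        awk 'NF == 2 && $1 ~ /^[0-9]+$/ { if ($2 != ".") sub(/\.$/, "", $2); print $1, $2 }' |
        sort -n)
    if [ -z "$records" ]; then
        echo "FAIL $domain: no MX records"
        return 1
    fi
    while read -r prio host; do
        if [ "$host" = "." ]; then
            # Null MX (RFC 7505): the domain declares it accepts no mail.
            echo "FAIL $domain: null MX, domain accepts no email"; status=1
        elif ! resolve_host "$host"; then
            echo "FAIL $domain: $host (priority $prio) does not resolve"; status=1
        elif ! port_open "$host"; then
            echo "FAIL $domain: $host (priority $prio) unreachable on port 25"; status=1
        else
            echo "PASS $domain: $host (priority $prio) resolves, port 25 open"
        fi
    done <<EOF
$records
EOF
    return "$status"
}

# Run against a live domain only when one is given: sh check_mx.sh example.com
if [ "$#" -gt 0 ]; then
    audit_mx "$1" "$(dig MX "$1" +short)"
fi
```

The printed lines, one per MX host in priority order, can be saved as the per-domain reachability evidence.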