EMAIL-001 critical DNS Authentication
MX records configured
MX records exist, resolve, and are reachable on port 25 for all domains in email inventory
Question to ask
"Are you sure mail to your domain actually lands somewhere?"
Verification guide
Severity: Critical
MX records determine where email for your domain is delivered. Without proper MX records, you cannot receive email, and your sending reputation suffers.
Check automatically:
- Query MX records for each domain in inventory:
# Root domain
dig MX example.com +short
# Subdomains (if they receive email)
dig MX mail.example.com +short
- Verify MX hosts resolve:
# For each MX host returned
dig A mx1.example-provider.com +short
- Verify MX hosts are reachable on SMTP port:
# Test SMTP port connectivity (timeout 5 seconds)
nc -zv -w 5 mx1.example-provider.com 25
- With Cloudflare API (preferred):
# List all MX records in zone
curl -X GET "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records?type=MX" \
-H "Authorization: Bearer $CF_API_TOKEN" | jq '.result[] | {name, content, priority}'
Ask user:
- "What domains should have email infrastructure?" (build inventory)
- "What mail provider do you use?" (Google Workspace, Microsoft 365, etc.)
Pass criteria:
- At least one MX record exists for each domain that receives email
- MX hosts resolve to IP addresses
- MX hosts are reachable on port 25
- Priority ordering makes sense (lower number = higher priority)
Fail criteria:
- No MX records for a domain that should receive email
- MX hosts don't resolve (NXDOMAIN)
- MX hosts unreachable on port 25
Evidence to capture:
- Domain inventory (root + subdomains)
- MX records per domain
- Mail provider identified
- Reachability status for each MX host
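The dig and nc checks above, combined into one script that applies the pass and fail criteria per domain. This is an added example, not part of the original check. The function names and verdict strings are hypothetical, and it also flags an RFC 7505 null MX (`0 .`), which goes beyond the cases listed above.

```shell
#!/bin/sh
# Added example: EMAIL-001 for one or more domains. Function names are hypothetical.

# Read `dig MX <domain> +short` output ("<priority> <host>" per line) on stdin and
# print one verdict. Hosts in a PASS verdict are listed in priority order.
evaluate_mx() {
    sort -n | awk '
        NF == 0 { next }
        NF != 2 || $1 !~ /^[0-9]+$/ { bad = 1; next }   # e.g. a dig error line
        $2 == "." { nullmx = 1; next }                  # RFC 7505 null MX
        { sub(/\.$/, "", $2); hosts = hosts " " $2; n++ }
        END {
            if (bad)              print "FAIL malformed-record"
            else if (nullmx && n) print "FAIL null-mx-mixed"
            else if (nullmx)      print "INFO null-mx"
            else if (!n)          print "FAIL no-mx"
            else                  print "PASS" hosts
        }'
}

# Resolve one MX host and test TCP port 25 with a 5-second timeout.
check_host() {
    if [ -z "$(dig A "$1" +short)" ]; then echo "  FAIL $1 does-not-resolve"; return 1; fi
    if ! nc -z -w 5 "$1" 25 >/dev/null 2>&1; then echo "  FAIL $1 port-25-unreachable"; return 1; fi
    echo "  PASS $1"
}

# Full check for one domain: MX verdict first, then every MX host.
check_domain() {
    verdict=$(dig MX "$1" +short | evaluate_mx)
    echo "$1: $verdict"
    case $verdict in PASS*) ;; *) return 1 ;; esac
    rc=0
    for host in ${verdict#PASS }; do check_host "$host" || rc=1; done
    return $rc
}

# Constructed sample of `dig MX example.com +short` output, evaluated when no domain is given.
SAMPLE_MX='10 mx2.example-provider.com.
5 mx1.example-provider.com.'

if [ "$#" -eq 0 ]; then
    printf '%s\n' "$SAMPLE_MX" | evaluate_mx
else
    status=0
    for d in "$@"; do check_domain "$d" || status=1; done
    exit $status
fi
```

A null MX means the domain declares that it accepts no mail, so for a domain in the email inventory the script reports it and returns non-zero. Many cloud and residential networks block outbound port 25, so run the reachability step from a host where that egress is allowed.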