InboxShieldMini

Sample paid report

See the implementation brief before you buy

The free scan diagnoses the sender records. The paid report is built for the moment you need to make the DNS change safely: what to fix first, what record to add, where to add it, and how to verify it.

Run a free scanAsk a pre-purchase question

Example domain

example-saas.com

53/100

Repair recommended

Executive summary

Two sender-trust fixes should happen before the next campaign.

DKIM is the first implementation risk because the sending platform must generate the selector. SPF can be tightened after the active sender list is confirmed.

Authentication checks

SPF

WARN

Soft fail policy

The domain authorizes Google Workspace and SendGrid, but the record still ends in ~all.

DKIM

FAIL

Missing SendGrid selector

The common s1 and s2 selectors were not found, so marketing email may not be signed.

DMARC

WARN

Monitoring only

DMARC exists, but p=none means receivers are not told to quarantine or reject failed mail.

BIMI

WARN

Not ready yet

BIMI should wait until DMARC reaches quarantine or reject.

MTA-STS

WARN

Optional security gap

No MTA-STS policy was found for encrypted inbound transport.

DNS repair queue

Copy-paste records where safe

HIGH

DKIM

s1._domainkey

Generated inside SendGrid > Sender Authentication > Domain Authentication

This record must come from SendGrid because DKIM keys are provider-generated.

MEDIUM

SPF

@

v=spf1 include:_spf.google.com include:sendgrid.net -all

Use this only after confirming no other tools send from the domain.

MEDIUM

DMARC

_dmarc

v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; fo=1

Move from monitoring to enforcement after legitimate mail passes SPF or DKIM.

Provider steps

Google Workspace

Admin Console > Apps > Gmail > Authenticate Email > generate or verify DKIM.

SendGrid

Settings > Sender Authentication > Domain Authentication > copy the CNAME/TXT records.

Cloudflare DNS

Website > DNS > Records > add each TXT or CNAME record, then wait for propagation.

What this does not do

InboxShield does not ask for registrar passwords, does not change DNS for you, and does not promise inbox placement. It gives you the sender-authentication repair plan and the verification steps.

Verification checklist

How you know the fix worked

01

Wait at least 15 minutes after DNS changes, then rerun the InboxShield scan.

02

Send a test message to Gmail and inspect Show original for SPF, DKIM, and DMARC pass states.

03

Keep DMARC reports on for one to two weeks before moving to stricter enforcement.

04

Document the final sender list so future marketing or billing tools do not break authentication.