Max and the Great Email Extinction Event: How One Person Saved Christmas (in July)
Featuring the world’s angriest CEO, a mail server that thought it was 1995, and an SPF record that achieved sentience through sheer complexity.
TL;DR: Audit email configurations before they audit you. Find the broken MX records, untangle the SPF spaghetti, and make DMARC actually do something.
cat domains.txt \
| mxfckup -c 30 \
| tee mx-findings.txt
Use it: https://github.com/cybercdh/mxfckup
Max Mailroom was having a day. Not a good day, not a bad day, but the kind of day where you seriously consider whether becoming a forest ranger was still an option at 34. The trigger? A Slack message that simply said: “WHY IS NO ONE GETTING MY EMAILS?!?! - CEO”
Three exclamation marks and question marks. In caps. From the CEO. Max’s coffee mug (Gerald IV, ceramic, concerned) seemed to lean away from the screen.
The investigation started simply enough. “It’s probably just a spam filter,” Max thought, with the optimism of someone who hadn’t yet discovered the horrors lurking in their DNS records. Five minutes later, Max was staring at an SPF record that looked like someone had tried to write a novel in DNS syntax:
v=spf1 include:spf.vendor1.com include:mail.vendor2.net include:esp.vendor3.com include:_spf.vendor4.io include:servers.vendor5.com include:mail.vendor6.org include:spf.vendor7.net ~all
“Gerald,” Max whispered, “I think our SPF record has achieved consciousness.”
But that was just the appetizer. The MX record pointed to mail.company.com. Which didn’t exist. Hadn’t existed for three years, according to the git blame. The backup MX? mx2.oldprovider.net, which helpfully returned “550 No such domain” like a bouncer at a club that burned down in 2019.
It was time for mxfckup—the tool Max built after the third “email apocalypse” that quarter. Think of it as a health checkup for your email, except instead of telling you to eat more vegetables, it tells you why half the internet thinks you’re a spammer.
Copy me:
# Minimal sweep: MX posture + BIMI peek
cat domains.txt \
| mxfckup -c 30 \
| tee mx-findings.txt
cat domains.txt | bimiprobe -c 40 | tee bimi.txt
If you’re doing it by hand because you love pain (relatable) and want to understand the failure modes:
# MX targets should be hostnames that resolve to A/AAAA (no CNAMEs)
dom=example.com
dig +nocmd MX "$dom" +noall +answer
# For each MX, resolve to IPs and check PTRs
for mx in $(dig +short MX "$dom" | awk '{print $2}' | sed 's/\.$//'); do
  echo "== $mx =="
  ips=$(dig +short A "$mx"; dig +short AAAA "$mx")
  if [ -z "$ips" ]; then echo "no A/AAAA for $mx"; fi
  for ip in $ips; do
    ptr=$(dig +short -x "$ip" | sed 's/\.$//')
    echo "$ip -> PTR: ${ptr:-none}"
  done
done
# SPF and DMARC
dig +short TXT "$dom" | tr -d '"' | rg -i '^v=spf1' || echo 'no SPF'
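# Filter on the version tag: tr always exits 0, so without rg the fallback never fires
dig +short TXT _dmarc."$dom" | tr -d '"' | rg -i '^v=DMARC1' || echo 'no DMARC'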
SPF include chains are where good intentions go to nap and never wake up. Here’s a tiny helper to count depth:
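# spf_depth.py
# Counts the include: mechanisms in the one SPF record read from stdin.
# It does not follow the includes, so nested chains are not counted.
import re
import sys
def depth(record):
    inc = re.findall(r'include:([^\s]+)', record)
    return len(inc)
print(depth(sys.stdin.read()))
# From the shell, feed it the domain's SPF record:
spf=$(dig +short TXT example.com | tr -d '"' | rg -i '^v=spf1' -m1)
echo "$spf" | python3 spf_depth.py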
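The helper above counts the include: terms of a single record. This added example (not from the original post and not mxfckup's code) follows include: and redirect= recursively and tallies the worst-case DNS lookup count against the RFC 7208 limit of 10, the two numbers mxfckup reports as include depth and lookup count. The zone data and every name in it are constructed so it runs offline; the `txt` parameter is a hypothetical hook for a real TXT lookup.

```python
import re

# Constructed TXT data standing in for live DNS (all names are hypothetical).
ZONE = {
    "corp.example": "v=spf1 mx include:esp.example include:crm.example ~all",
    "esp.example": "v=spf1 a mx include:pool.esp.example ip4:192.0.2.0/24 -all",
    "pool.esp.example": "v=spf1 exists:%{i}.rbl.example a:out.esp.example/28 ptr -all",
    "crm.example": "v=spf1 include:esp.example redirect=_spf.crm.example",
    "_spf.crm.example": "v=spf1 ip4:198.51.100.0/24 include:corp.example -all",
}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

# Terms that cost a DNS query: include, a, mx, ptr, exists and redirect=.
TERM = re.compile(
    r"^(?:[+\-~?]?(include|a|mx|ptr|exists)(?::([^/]+))?(?:/.*)?|(redirect)=(.+))$",
    re.I,
)

def audit_spf(domain, txt=ZONE.get, path=()):
    """Return (worst_case_lookups, include_depth, problems) for a domain."""
    if domain in path:
        return 0, 0, [f"include loop at {domain}"]
    record = txt(domain) or ""
    if not record.lower().startswith("v=spf1"):
        return 0, 0, [f"no SPF record at {domain}"]
    lookups, depth, problems = 0, 0, []
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            continue  # ip4, ip6, all and other modifiers need no query
        lookups += 1
        kind = (m.group(1) or m.group(3)).lower()
        target = m.group(2) or m.group(4)
        if kind in ("include", "redirect") and target:
            n, d, p = audit_spf(target.lower().rstrip("."), txt, path + (domain,))
            lookups += n
            depth = max(depth, d + 1)
            problems += p
    if not path and lookups > LOOKUP_LIMIT:
        problems.append(f"{lookups} lookups, limit is {LOOKUP_LIMIT}")
    return lookups, depth, problems

if __name__ == "__main__":
    print(audit_spf("corp.example"))
```

The count is a worst case: a receiver stops at the first mechanism that matches, but a record that can exceed the limit on any path will return permerror for some senders.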
STARTTLS sanity (don’t be loud; one probe is enough; you are a guest):
mx=$(dig +short MX example.com | sort -n | awk '{print $2; exit}' | sed 's/\.$//')
echo | openssl s_client -quiet -starttls smtp -connect "$mx:25" -servername "$mx" 2>/dev/null | head -n 1
What mxfckup flags, translated into normal person:
- MX target doesn’t resolve to A/AAAA, or uses a CNAME (don’t).
- MX IP PTR missing or mismatched (hurts deliverability).
- SPF missing or with absurd include depth and softfails everywhere.
- DMARC missing or p=none forever (policy without teeth).
- BIMI missing or SVG broken (nice-to-have, great for brand).
Report snippet (paste into ticket or program):
Title: Email posture issues (MX resolution, SPF depth, DMARC policy)
Domain: example.com
Findings:
- MX: mx1.mailhost.tld has no A/AAAA (NXDOMAIN)
- PTR: 203.0.113.10 -> none (reverse missing)
- SPF: include depth 7; uses ?all with many softfail paths
- DMARC: p=none; adkim=r; aspf=r (monitor-only)
- BIMI: no BIMI record present
Impact: Delivery failures, spoofing risk, and brand trust degradation.
Recommended:
- Ensure MX targets resolve to A/AAAA; avoid CNAME; add PTR for all MX IPs
- Reduce SPF includes (<5) and move to ~all or -all with alignment
- Set DMARC to p=quarantine/reject after trial; tighten adkim/aspf as appropriate
- Add BIMI (optional) once DMARC at enforcement and DKIM/SPF stable
Notes: Metadata-only checks; no content or auth paths touched.
The mxfckup report was a masterpiece of controlled chaos:
CRITICAL: mx1.company.com - NXDOMAIN (your mail server is imaginary)
WARNING: SPF include depth: 7 (RFC suggests you calm down)
WARNING: SPF lookup count: 14/10 (you have exceeded the speed of light)
FAILURE: DMARC policy: p=none; pct=0 (this does literally nothing)
WARNING: No BIMI record (your brand has no face)
INFO: PTR for 203.0.113.45: none (mail servers think you're sketchy)
CRITICAL: mx2.oldprovider.net - connection refused (the backup is also dead)
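Why a record like `p=none; pct=0` is flagged: this added example (not mxfckup's code) parses a `_dmarc` TXT value, applies the DMARC defaults (pct is 100 when absent, sp inherits p) and reports whether any enforcement is in effect. The function names and the sample records are constructed for illustration.

```python
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Split a DMARC TXT value into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def dmarc_findings(txt):
    """Return (enforcing, findings) for one _dmarc TXT value (None if absent)."""
    if not txt:
        return False, ["no DMARC record"]
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return False, ["TXT value is not a DMARC1 record"]
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return False, [f"missing or invalid p= tag: {policy or 'absent'}"]
    # A non-numeric pct is treated here as the default of 100.
    pct_raw = tags.get("pct", "100")
    pct = min(int(pct_raw), 100) if pct_raw.isdigit() else 100
    findings = []
    if policy == "none":
        findings.append("p=none: monitor-only, failing mail is delivered")
    elif pct < 100:
        findings.append(f"p={policy} applies to only {pct}% of failing mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are not enforced")
    if "rua" not in tags:
        findings.append("no rua= tag: no aggregate reports are requested")
    return policy != "none" and pct > 0, findings

# Constructed sample records; the first mirrors the report line above.
SAMPLES = [
    "v=DMARC1; p=none; pct=0",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@corp.example",
    "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@corp.example",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record, "->", dmarc_findings(record))
```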
Max spent the next four hours in DNS purgatory, but emerged victorious:
- The MX Resurrection: Pointed to actual, living mail servers that existed in this dimension
- The SPF Diet: Consolidated seven includes into three, like Marie Kondo for DNS records
- The DMARC Awakening: p=quarantine with actual enforcement, because actions have consequences
- The PTR Redemption: Reverse DNS that actually reversed, revolutionary concept
- The BIMI Debut: A logo that looked like a logo, not a ransom note
By 6 PM, emails were flowing. The CEO’s “THANK YOU!!!” (still too many exclamation marks, but positive ones now) arrived instantly. Max looked at Gerald IV with the satisfaction of someone who’d just defused a bomb made entirely of DNS records.
“Gerald,” Max said, “we’ve prevented the email apocalypse. Again.”
Gerald IV maintained ceramic silence, but it was a proud silence.
The lesson? Email is like a Rube Goldberg machine designed by committee—it shouldn’t work, but when it does, it’s beautiful. And when it doesn’t, you need mxfckup and a mug named Gerald.
Your email configuration is probably broken right now. You just don’t know it yet. Run mxfckup. Save yourself the CEO panic. Trust Gerald.