Why Your Email Domain Security Score Matters for Rural Healthcare
Your email domain score reflects how well your organization's email authentication is configured - specifically your SPF, DKIM, and DMARC records. These three DNS-level controls determine whether your domain can be trusted by the receiving mail servers that your staff, vendors, and patients use.
A score of 10 out of 10 means your domain is configured to reject unauthorized mail at the protocol level, before it reaches any inbox. A lower score means attackers have room to impersonate your domain, and receiving systems have less ability to tell the difference between your legitimate mail and a phishing attempt wearing your organization's name.
For rural healthcare organizations in particular, the stakes of that difference are higher than in most industries.
What SPF, DKIM, and DMARC Actually Do
SPF (Sender Policy Framework) is a DNS record that lists which mail servers are authorized to send email on behalf of your domain. When a receiving mail server sees a message claiming to come from your organization, it can check your SPF record to see if the sending server is on your approved list.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outbound messages. Receiving servers verify the signature against a public key published in your DNS. A valid signature proves the message actually came from your mail system and was not modified in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the enforcement layer that ties SPF and DKIM together. Your DMARC policy tells receiving mail servers what to do when a message claiming to be from your domain fails SPF or DKIM checks. At the strongest setting (p=reject), receiving servers are instructed to reject those messages outright.
Individually, each of these is a piece of the puzzle. Together, and configured correctly, they form the protocol-level foundation of email authentication. A 10 out of 10 score on this tool indicates all three are present, valid, and configured to enforce rather than merely observe.
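As an added illustration (not the scanner's own scoring logic, and not code from visuaFUSION), the following Python script checks the three records for a domain and scores them on a hypothetical 10-point rubric that rewards enforcement over observation. The DNS answers are constructed and inlined as `SAMPLE_ZONE` so the example runs offline; a real checker would issue TXT queries, and the DKIM key value is a placeholder.

```python
# Constructed sample DNS TXT answers for two hypothetical domains (not real lookups).
# A real checker would query DNS; here the answers are inlined so the example runs offline.
SAMPLE_ZONE = {
    # Fully configured domain: hardfail SPF, DKIM key published, DMARC at reject.
    "clinic.example": ["v=spf1 include:_spf.mailprovider.example ip4:203.0.113.10 -all"],
    "_dmarc.clinic.example": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@clinic.example"],
    "s1._domainkey.clinic.example": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64PUBLICKEY"],
    # Permissive domain: softfail SPF, no DKIM key, DMARC in monitoring mode only.
    "hospital.example": ["v=spf1 include:_spf.mailprovider.example ~all"],
    "_dmarc.hospital.example": ["v=DMARC1; p=none; rua=mailto:dmarc@hospital.example"],
}


def lookup_txt(zone, name):
    """Stand-in for a DNS TXT query: returns the TXT strings published at a name."""
    return zone.get(name.lower(), [])


def parse_tags(record):
    """Parse the 'k=v; k=v' tag-value syntax used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(zone, domain):
    """Points 0-3. Exactly one v=spf1 record must exist; -all scores highest."""
    records = [r for r in lookup_txt(zone, domain) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return 0, "missing or duplicate SPF record (receivers treat this as permerror)"
    terms = records[0].split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return 1, "SPF present but no 'all' mechanism (unlisted senders are neutral)"
    if all_term.startswith("-"):
        return 3, "SPF hardfail (-all)"
    if all_term.startswith("~"):
        return 2, "SPF softfail (~all)"
    return 1, "SPF permissive (?all or +all)"


def check_dkim(zone, domain, selector):
    """Points 0-2. A key record with a non-empty p= tag must exist at the selector."""
    for record in lookup_txt(zone, f"{selector}._domainkey.{domain}"):
        if parse_tags(record).get("p"):
            return 2, f"DKIM public key published at selector '{selector}'"
    return 0, f"no DKIM key found at selector '{selector}'"


def check_dmarc(zone, domain):
    """Points 0-5 based on presence and policy strength (reject > quarantine > none)."""
    records = [r for r in lookup_txt(zone, f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if len(records) != 1:
        return 0, "missing or duplicate DMARC record"
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    points = {"reject": 5, "quarantine": 3, "none": 1}.get(policy)
    if points is None:
        return 0, "DMARC present but p= tag missing or invalid"
    pct = int(tags.get("pct", "100"))
    if pct < 100 and points > 1:
        points -= 1  # policy is applied to only a fraction of failing mail
    return points, f"DMARC p={policy} pct={pct}"


def score_domain(zone, domain, dkim_selector):
    """Combine the three checks into a 0-10 score plus per-control findings."""
    findings = {
        "spf": check_spf(zone, domain),
        "dkim": check_dkim(zone, domain, dkim_selector),
        "dmarc": check_dmarc(zone, domain),
    }
    total = sum(points for points, _reason in findings.values())
    return total, findings


if __name__ == "__main__":
    for name in ("clinic.example", "hospital.example"):
        total, findings = score_domain(SAMPLE_ZONE, name, "s1")
        print(f"{name}: {total}/10")
        for control, (points, reason) in findings.items():
            print(f"  {control:5} {points} {reason}")
```

The rubric weights DMARC most heavily because it is the control that turns SPF and DKIM results into an enforced decision; the constructed `hospital.example` zone shows how a domain with records that are merely present, but not enforcing, lands well below 10.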
Why Rural Healthcare Organizations Are Targeted
Rural hospitals, clinics, and critical access facilities face a threat landscape that is often underestimated. Attackers specifically target rural healthcare for several reasons:
- Limited IT staff and budget often mean security configurations drift over time or remain at permissive defaults
- High-value data including protected health information (PHI), financial information, and Medicare/Medicaid billing details
- Operational pressure means staff are busy and less likely to scrutinize inbound mail that looks routine
- Trust relationships with patients mean a single successful spoof of the organization's domain can reach patients who trust messages appearing to come from their healthcare provider
Phishing and business email compromise (BEC) remain among the most common entry points for ransomware incidents in healthcare. Ransomware that starts with a phishing email and ends with a rural hospital diverting ambulances is not a hypothetical scenario. These incidents happen, and they disproportionately affect organizations with weaker authentication controls.
HIPAA and Email Authentication
It is worth being precise about what HIPAA requires. HIPAA's Security Rule requires covered entities to implement "reasonable and appropriate" safeguards to protect electronic PHI, but it does not specifically mandate SPF, DKIM, or DMARC by name. Anyone who tells you otherwise is overstating the regulation.
However, strong email authentication is widely recognized as a reasonable and appropriate safeguard for healthcare organizations that use email to communicate about patients, coordinate care, or exchange operational information. The HHS Office for Civil Rights, the HICP (Health Industry Cybersecurity Practices) guidance, and industry frameworks like the HITRUST CSF all point toward email authentication as a baseline control.
In practical terms: if your organization experiences a phishing incident that leads to a breach, and your email authentication was at permissive default settings, regulators and auditors will ask why. A properly configured domain scoring 10 out of 10 on this scanner demonstrates that email authentication is not the weak link.
What a 10 out of 10 Score Protects Against
Honest framing: a 10 out of 10 score does not prevent all phishing. It does prevent a specific category of phishing that is otherwise very difficult to defend against at the organization level.
A fully enforced DMARC policy (p=reject) combined with a hardfail SPF record (-all) and valid DKIM signatures means that exact-domain spoofs - phishing messages where the attacker sets the From address to literally match your organization's domain - are rejected by the receiving server before they ever reach an inbox.
This is meaningful because exact-domain spoofing is both common and particularly dangerous. A message that appears to come from your CEO to your CFO, or from your billing department to your patients, carries implicit trust that external domains do not. Closing that vector at the protocol level is one of the highest-impact security improvements a healthcare organization can make.
What a 10 out of 10 score does not prevent:
- Cousin-domain spoofs (where the attacker uses a similar but different domain)
- Display-name spoofs (where the attacker uses your name but an unrelated email address)
- Phishing from compromised legitimate third-party accounts
- Content-based phishing that does not rely on spoofing your domain
Those remain real threats that require additional layers of defense. But they are smaller threats than the exact-domain vector that DMARC enforcement closes.
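To make the boundary concrete, here is an added Python model of the receiving server's DMARC decision (not code from the scanner or from visuaFUSION). It applies the identifier-alignment rule from DMARC to four constructed messages: a legitimate one, an exact-domain spoof, a cousin-domain spoof, and a display-name spoof. The policies in `DMARC_POLICIES` stand in for DNS lookups, and `org_domain` approximates the organizational domain with the last two labels rather than the Public Suffix List real receivers use.

```python
import email.utils

# Constructed DMARC policies standing in for DNS lookups of _dmarc.<domain>.
# The lookalike domain in the cousin-domain scenario publishes no record at all.
DMARC_POLICIES = {
    "clinic.example": "reject",   # the healthcare organization, fully enforced
    "freemail.example": "none",   # a hypothetical free webmail provider
}


def org_domain(domain):
    """Simplified organizational domain (last two labels). Real receivers consult
    the Public Suffix List; this approximation is enough for the example."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(result, auth_domain, from_domain, strict=False):
    """An identifier is aligned when it passed AND its domain matches the From
    domain: exactly in strict mode, or by organizational domain in relaxed mode
    (the DMARC default)."""
    if result != "pass" or not auth_domain:
        return False
    if strict:
        return auth_domain.lower() == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_header, spf, dkim, policies=DMARC_POLICIES):
    """Receiver-side decision for one message.
    spf  = (result, envelope-from domain checked by SPF)
    dkim = (result, d= domain of the verified signature, or None)"""
    _display_name, address = email.utils.parseaddr(from_header)
    from_domain = address.rsplit("@", 1)[-1].lower()
    if aligned(spf[0], spf[1], from_domain) or aligned(dkim[0], dkim[1], from_domain):
        return "deliver"   # DMARC pass: at least one aligned identifier
    policy = policies.get(from_domain)
    if policy is None:
        return "deliver"   # no DMARC record published: nothing for the receiver to enforce
    return {"reject": "reject", "quarantine": "quarantine", "none": "deliver"}[policy]


def scenarios():
    """Constructed messages as they would arrive at a receiving server."""
    return {
        # Sent by the organization's own mail platform: SPF and DKIM both aligned.
        "legitimate": dmarc_disposition(
            "Billing <billing@clinic.example>",
            ("pass", "clinic.example"), ("pass", "clinic.example")),
        # From header forged to the exact domain, sent from an unauthorized server.
        "exact_domain_spoof": dmarc_disposition(
            "CEO <ceo@clinic.example>",
            ("fail", "clinic.example"), ("none", None)),
        # Lookalike domain the sender controls; DMARC evaluates THAT domain's policy.
        "cousin_domain_spoof": dmarc_disposition(
            "CEO <ceo@clinic-example.com>",
            ("pass", "clinic-example.com"), ("none", None)),
        # Familiar display name on an unrelated webmail address; webmail DMARC passes.
        "display_name_spoof": dmarc_disposition(
            "Dr Smith Clinic Billing <drsmith@freemail.example>",
            ("pass", "freemail.example"), ("pass", "freemail.example")),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:20} -> {outcome}")
```

Only the exact-domain spoof is rejected: it is the one case where the forged From domain is the organization's own, so the organization's p=reject policy is the one the receiver consults. The other three messages authenticate correctly for the domain they actually use, which is why they need mailbox-side filtering, lookalike-domain monitoring, and user awareness rather than DNS changes.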
How Rural Healthcare Organizations Reach 10 out of 10
Getting to a 10 out of 10 score is methodical work, not a single configuration change. The process typically involves:
- Auditing all legitimate sources of mail for your domain (your primary email platform, third-party services, vendors sending on your behalf)
- Configuring SPF to accurately list all legitimate senders with a hardfail policy
- Publishing DKIM keys for all legitimate sending systems
- Deploying DMARC in monitoring mode (p=none) to observe actual mail flow
- Analyzing 30 or more days of DMARC reports to identify legitimate senders and spoofing attempts
- Progressing DMARC policy through quarantine (p=quarantine) to enforcement (p=reject) in stages
- Maintaining and monitoring the configuration over time as sending systems change
For most rural healthcare organizations, this progression takes 60 to 90 days from start to finish. The work is straightforward when you have the right expertise, but it is the kind of project that can stall without focused attention.
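The monitoring step in that progression depends on reading the aggregate (rua) reports that receivers send back in the XML format defined by RFC 7489. As an added example (not visuaFUSION's tooling), this Python script parses one constructed report for a domain still at p=none, totals mail by DMARC outcome, and lists the sending IPs that would start being quarantined or rejected once the policy is tightened. The report content, IPs, and vendor names are all made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate report in the RFC 7489 XML format, as a receiving
# organization would mail it to the rua= address during a p=none monitoring phase.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>clinic.example</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <!-- primary mail platform: SPF and DKIM both aligned -->
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>clinic.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>clinic.example</domain><result>pass</result></dkim>
      <spf><domain>clinic.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <!-- vendor relay using its own bounce domain: SPF unaligned, DKIM aligned -->
    <row><source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>clinic.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>clinic.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <!-- unknown source: neither identifier aligned (forgotten sender or spoofing) -->
    <row><source_ip>192.0.2.77</source_ip><count>75</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>clinic.example</header_from></identifiers>
    <auth_results>
      <spf><domain>clinic.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return (policy domain, one summary dict per <record>).
    policy_evaluated/dkim and /spf carry the DMARC-aligned results, which is
    what decides pass or fail; auth_results shows the raw per-domain checks."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        spf_ok = evaluated.findtext("spf") == "pass"
        dkim_ok = evaluated.findtext("dkim") == "pass"
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok,
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return domain, rows


def totals(rows):
    """Message counts that passed and failed DMARC across the report."""
    passed = sum(r["count"] for r in rows if r["dmarc_pass"])
    failed = sum(r["count"] for r in rows if not r["dmarc_pass"])
    return passed, failed


def unauthenticated_sources(rows):
    """Sources whose mail would be affected once p= moves to quarantine or reject.
    Each one is either a legitimate sender still missing from SPF/DKIM or a spoof."""
    return [r for r in rows if not r["dmarc_pass"]]


if __name__ == "__main__":
    domain, rows = summarize_report(SAMPLE_REPORT)
    passed, failed = totals(rows)
    print(f"{domain}: {passed} passed, {failed} failed DMARC")
    for r in unauthenticated_sources(rows):
        print(f"  review {r['source_ip']} ({r['count']} msgs, SPF domain {r['spf_domain']})")
```

In the constructed report the vendor relay still passes DMARC through its aligned DKIM signature even though its SPF domain is its own, which is exactly the situation DKIM signing for third-party senders is meant to cover. The 75 messages from the unknown IP are the finding to chase down before moving past p=none: if it is a forgotten legitimate system it needs to be added to SPF or signed with DKIM, and if it is not, enforcement will stop it.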
Need Help Reaching 10 out of 10?
visuaFUSION Systems Solutions works exclusively with rural healthcare organizations to deploy, monitor, and maintain SPF, DKIM, and DMARC as part of our HIPAA-aligned email security services. If your scan came back below 10 and you want to understand what it would take to close the gaps, contact us to discuss your environment.
We will not oversell what email authentication can do for you. We will tell you honestly what gap exists, what it would take to close, and whether that effort makes sense for your organization's risk profile and budget.