How to test email configuration on Mail-Tester and reach score 10 of 10
How to test email configuration on Mail-Tester, verify SPF DKIM DMARC score and fix failures before sending production campaigns.
Before putting any email flow into production — transactional signup, password recovery, billing notifications or newsletters — you need to validate that the server sends properly authenticated messages. Without SPF, DKIM and DMARC well configured, your messages go to spam even with legitimate content, and no serious provider (Gmail, Outlook, iCloud) delivers to inbox.
Mail-Tester is the industry-standard tool for this validation. It is free for three daily tests, generates a detailed report in seconds and assigns a score from 0 to 10 covering authentication, formatting, IP reputation, SpamAssassin signals and blacklists. Reaching 10/10 does not guarantee inbox placement at every provider, but a score below 8 guarantees problems.
This tutorial is for sysadmins and developers who already have Postfix (or another MTA) running on a Linux VPS and need to validate the configuration before going to production. Estimated time: 20-30 minutes for the first test, plus the time to fix each failure found.
Prerequisites
You need a Linux VPS with Postfix installed and running, sudo access on the server, control of the domain DNS (Cloudflare, Registro.br, etc) and a client capable of sending authenticated email — it can be sendmail itself, swaks, or a PHP/Python script.
Postfix 3.6+ Ubuntu 22.04 / 24.04 LTS 25 (outbound) and 587 (submission) swaks or mail Confirm that Postfix is running before continuing:
sudo systemctl status postfixIf the output shows active (running), you are ready. Otherwise, install and enable it with sudo apt install postfix && sudo systemctl enable --now postfix.
Generate the unique address on Mail-Tester
Each Mail-Tester run uses a unique, disposable address that expires in 45 minutes. You send an email to that address, open the report page and the service analyzes the message.
Open mail-tester.com in a browser tab. The homepage shows an address in the format [email protected].
Copy that entire address — you will use it as the recipient in the next step. Do not reload the page before sending the email, otherwise the address changes and the report stays empty.
On the server, install swaks (Swiss Army Knife for SMTP), which makes it easy to test authenticated sending with custom headers:
sudo apt install -y swaksswaks runs on Perl, takes less than 200 KB and accepts fine-grained control of HELO, From, To, headers and body — useful for reproducing exactly what your application sends in production.
Send the test email replacing yourdomain.com with your real domain and the Mail-Tester address generated in step 01:
swaks --to [email protected] \
--from "[email protected]" \
--server localhost \
--h-Subject "Mail-Tester test $(date +%F)" \
--body "Test content to validate SPF DKIM DMARC authentication."If everything went well, swaks shows 250 2.0.0 Ok: queued as ... on the last line. That code is the server confirming it accepted the message for delivery.
Go back to the Mail-Tester tab and click “Then check your score”. Within 30 seconds the report appears with the score on the left side and the detailed analysis on the right.
If the report shows “We did not receive your email yet”, wait another 60 seconds and click again. Postfix can take time to process the queue if there are stuck messages; check with mailq on the server.
Interpret the report and deductions
The Mail-Tester score starts at 10 and deducts points for each failure. The main categories are authentication (SPF/DKIM/DMARC), content (HTML formatting, links, message weight), reputation (IP on public blacklists) and identification (rDNS, valid HELO).
SPF failure
If the report shows “SPF: softfail” or “no SPF record”, the domain did not publish authorization for your server IP to send. Solution: add a TXT record to the DNS zone:
yourdomain.com. IN TXT "v=spf1 ip4:203.0.113.45 -all"Replace 203.0.113.45 with your VPS public IPv4. The -all at the end is hardfail — any IP outside the list is rejected. Use ~all (softfail) only during migration; in production, hardfail is standard.
DKIM failure
DKIM requires a signed key that proves the email left your domain without alteration in transit. Postfix alone does not sign DKIM — you need OpenDKIM running as a milter.
Install and configure OpenDKIM:
sudo apt install -y opendkim opendkim-tools
sudo mkdir -p /etc/opendkim/keys/yourdomain.com
cd /etc/opendkim/keys/yourdomain.com
sudo opendkim-genkey -s mail -d yourdomain.com
sudo chown opendkim:opendkim mail.privateThis generates two files: mail.private (private key the server uses to sign) and mail.txt (DNS record to publish).
Publish the contents of mail.txt as a TXT record in DNS. The file has the format:
mail._domainkey.yourdomain.com. IN TXT "v=DKIM1; h=sha256; k=rsa; p=MIGfMA0GCSq..."Paste exactly the value between the quotes in the DNS panel. Wait 5-10 minutes for propagation and validate with dig TXT mail._domainkey.yourdomain.com +short.
DMARC failure
DMARC instructs the receiving provider on what to do if SPF or DKIM fail. Without DMARC published, Mail-Tester deducts 1.0 point. Add:
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100; aspf=s; adkim=s"The policy p=quarantine sends failing emails to the spam folder — the safer policy to start with. After a week of clean reports via rua, evolve to p=reject.
Missing reverse DNS
If the report shows “Your message could not be tested” or “PTR record missing”, the VPS IP has no rDNS configured. Without PTR, Gmail and Outlook reject outright.
PTR is registered in the reverse zone of the IP, controlled by the provider that allocates the block. On Hostini VPS, configure rDNS through the panel under VPS > IPs > rDNS. Other providers may require opening a ticket.
Verification
After applying SPF, DKIM, DMARC and rDNS, generate a new address on Mail-Tester (do not reuse the previous one) and repeat steps 01 to 04. The report should show:
SPF: pass
DKIM: pass (signed by yourdomain.com)
DMARC: pass
PTR: ptr.yourdomain.com
SpamAssassin: 0.0 / negative is good
Score: 10/10If you have not reached 10 yet, the report points out exactly each deduction. The most common errors that remain at this stage are SpamAssassin reacting to content (shortened URLs, trigger words) or the IP being on some minor blacklist — click each item to see the detail.
Troubleshooting
Low score from SpamAssassin
If the report shows SpamAssassin: 2.3 or similar, open the section and read each rule that fired. Common rules: HTML_MESSAGE (also send a plain text version), MIME_HTML_ONLY (same problem), HTML_IMAGE_RATIO_02 (HTML is almost all image, little text). Fixing the content zeroes out this category without touching server configuration.
IP on a blacklist
Mail-Tester checks against ~10 public blacklists (Spamhaus, SORBS, Barracuda). If “Listed on X” appears, visit the blacklist site and follow the delisting process — usually it is a simple form explaining the legitimate use of the IP. Spamhaus typically delists commercial IPs within 24h.
DKIM fails even with the key published
Confirm that mail.private on the server matches EXACTLY the p= published in DNS. If you generated the key twice during setup, the old version may be on disk and the new one in DNS — and the signature never matches. Clean /etc/opendkim/keys/ and regenerate from scratch.
Confirm with:
opendkim-testkey -d yourdomain.com -s mail -vvvExpected output: key OK. Anything else indicates a mismatch between the local file and the published DNS.
Next steps
A 10/10 score on Mail-Tester is the floor, not the ceiling. To go further:
- Configure aggregate DMARC reports (
rua) and parse them with Postmark DMARC Monitor or dmarcian — that way you see spoofing attempts in real time. - Implement BIMI (Brand Indicators for Message Identification) to display your logo in the Gmail and Yahoo Mail inbox — requires DMARC at
p=rejectand a VMC certificate. - Test inbox placement at real providers with GlockApps or Mailtrap — these services send to seed accounts at Gmail, Outlook, Yahoo and report where the message landed (inbox, promotions, spam).
- Monitor reputation continuously via Google Postmaster Tools and Microsoft SNDS — both free, showing volume, spam rate and IP reputation.
If you are putting this flow into production at scale, a Hostini VPS already comes with rDNS configurable through the panel and IPs with clean reputation, with no need for long warm-up before sending significant volume.
Frequently asked questions
Why did my score start at 10/10 and drop to 8 hours later?
Mail-Tester generates a new address for each test — it expires in 45 minutes. If you reuse an old address, the service blocks it or reports inconsistent data. Always generate a fresh address before each test round.
Can I reach 10/10 without a DMARC record?
No. Mail-Tester deducts between 0.5 and 1.0 point if SPF, DKIM or DMARC are missing. For maximum score, all three must be published and aligned with the From header domain.
My SPF passes on Mail-Tester but Gmail sends to spam — why?
Mail-Tester evaluates technical configuration. Gmail also factors in IP reputation, historical volume and engagement. New IPs or those from residential ranges can be greylisted even with perfect SPF, DKIM and DMARC. Gradual IP warm-up solves this.
Mail-Tester reports a positive SpamAssassin score — is that bad?
Yes. SpamAssassin assigns positive points for suspicious traits (shortened URLs, excess exclamation marks, URL/anchor text mismatch). Each point above zero costs you score. Review the email content following the list of rules the report shows.
How many free tests does Mail-Tester allow?
Three tests per day per IP on the free plan. Above that the site shows a paywall. For heavy development, alternatives like GlockApps or Mailtrap run separate quotas and offer inbox placement at real providers (Gmail, Outlook, Yahoo).
Do I need a dedicated IP to reach 10/10?
Not for the score itself — a clean shared IP passes SPF/DKIM/DMARC normally. But for high-volume sending (>1,000 emails/day) a dedicated IP avoids being dragged down by other tenants' reputation on the shared IP.