ITAM / Domains

Domain Health

One score and a clear checklist for DNS, email authentication, SSL, and reputation, so Carlos can fix issues before customers notice.

Real-world scenario

Carlos Reyes · IT Admin at Bluewave Labs

Google Postmaster flagged weak DMARC on a WorkVerge sending domain. Carlos runs a health check on mail.workverge.ai, sees DMARC missing from the score breakdown, and opens a ticket with the exact fix.

Before you begin

  • Domain added in WorkVerge
  • Permission to view domain detail

Overview

Domain Health combines DNS, email authentication (SPF, DKIM, DMARC), SSL validity, spam blacklist (RBL) status, and Google Safe Browsing into a single 0–100 score. You run checks from the domain detail drawer; results also feed the health score column on the domains list.

For example

WorkVerge targets a score of 85+ on production domains. Staging hostnames tagged staging may score lower until DMARC is relaxed, that is expected.

Health score

WorkVerge adds points from each category below. The total is capped at 100.

  • A record: At least one A record resolves8 pts
  • MX record: Mail exchange records present7 pts
  • SPF valid: TXT record with valid v=spf1 structure15 pts
  • DKIM valid: DKIM selector found15 pts
  • DMARC valid: TXT record with v=DMARC115 pts
  • SSL valid: 20 if >30 days left, 14 if >7, 8 if >08–20 pts
  • Not blacklisted: IP not on major RBL lists10 pts
  • Safe Browsing: 10 if safe, 5 if unknown5–10 pts

SSL points depend on expiry

A certificate with fewer than 7 days left earns fewer SSL points even if still technically valid. Renew early or use auto-renew via Let's Encrypt / Cloudflare to keep the score high.

What gets checked

  • DNS. A, AAAA, MX, NS, and TXT records
  • SPF. Sender Policy Framework (v=spf1 with valid terminator)
  • DKIM. Common selectors on the domain
  • DMARC. Policy record (v=DMARC1)
  • SSL. Certificate validity and time until expiry
  • RBL. Spamhaus, Barracuda, SpamCop, SORBS
  • Safe Browsing. Google Safe Browsing status for the hostname

Scheduled jobs can also refresh health data periodically, so scores may update without a manual re-check.

Run a health check

  1. 1

    Open the domain detail drawer

    From ITAM → Digital Assets → Domains, click the domain you want to assess (e.g. workverge.ai).

  2. 2

    Select the Health Check tab

    If no check has run yet, you will see a prompt to run the first scan.

  3. 3

    Click Run Health Check or Re-check Now

    WorkVerge queries DNS, email authentication, SSL, blacklists, and Safe Browsing, then stores results.

  4. 4

    Review score and findings

    Use the breakdown to fix gaps, missing DMARC, expiring SSL, or blacklist hits, before they affect deliverability or trust.

Related articles