# Domains Analyser The domain analyser is a series of best practice checks that run on all your e-mail enabled domains across your delegated Microsoft 365 tenants. It analyses the DNS records that are available and assesses the following areas: * Sender Policy Framework (SPF) * Domain-based Message Authentication, Reporting & Conformance (DMARC) * DomainKeys Identified Mail (DKIM) * Domain Name System Security Extensions (DNSSEC) {% hint style="info" %} If this is your first ever run you may see an error initially because there is no data, please wait for the analyser to run or use the refresh button. {% endhint %} ## Page Actions

Check Individual Domain

This will open [individual-domains](https://docs.cipp.app/user-documentation/tools/tenant-tools/individual-domains "mention")

Run Analysis Now

This will add a task to the queue to update the analysis for the selected tenants. If you have offloading enable, this will begin at the next quarter hour. It can take several minutes for CIPP to check all the required tests.

## Table Details The table will display the results of CIPP's tests for all domains in the included tenant(s) from the [tenant-select](https://docs.cipp.app/user-documentation/shared-features/menu-bar/tenant-select "mention") dropdown.

Column	Description	Score Implications
Domain	The domain name being analysed.
Score Percentage	`(Score / 160) * 100`
Mail Provider	Name of the detected mail provider (e.g. Microsoft, Google, Unknown), derived from MX record lookup.
SPF Pass All	`true` if the SPF record passes all validation checks (zero validation failures).	SPF record present (exactly 1 record) → +10 pts SPF passes all validation → +20 pts Multiple SPF records or missing record → 0, adds explanation
MX Pass Test	`true` if MX record passes all validation checks (zero validation failures).	MX passes validation → +10 pts
DMARC Present	`true` if a DMARC record exists for the domain.	DMARC record found → +10 pts
DMARC Action Policy	The enforced DMARC policy. Values: `Reject`, `Quarantine`, `None`.	Policy = `reject` AND subdomain policy = `reject` → +30 pts Policy = `quarantine` → +20 pts Policy = `none` → 0 pts, adds "DMARC is not being enforced" to explanation
DMARC Reporting Active	`true` if at least one `rua` reporting email is configured.	Reporting active → +20 pts
DMARC Percentage Pass	`true` if DMARC percentage (`pct`) is set to 100.	pct = 100 → +20 pts pct < 100 → 0 pts, adds "DMARC Not Checking All Messages"
DNSSEC Present	`true` if DNSSEC passes with zero validation failures/warnings.	DNSSEC passes → +20 pts
DKIM Enabled	`true` if at least one DKIM record is found and passes validation (zero failures).	DKIM active and valid → +20 pts Uses configured selectors, falls back to Microsoft selectors if none set
Enterprise Enrollment	CNAME check for `enterpriseenrollment.<domain>`. Values: `Correct` — points to `enterpriseenrollment-s.manage.microsoft.com` `Legacy` — points to old `enterpriseenrollment.manage.microsoft.com` endpoint `Unexpected: <value>` — unknown CNAME target `No CNAME` — record missing	Adds to `ScoreExplanation` if not Correct, but contributes 0 pts.
Enterprise Registration	CNAME check for `enterpriseregistration.<domain>`. Values: `Correct` — points to `enterpriseregistration.windows.net` `Unexpected: <value>` — unknown target `No CNAME` — record missing	Adds to `ScoreExplanation` if not Correct, but contributes 0 pts.

{% hint style="info" %} Additional columns exist for informational purposes. Information from those columns is also used to build the Extended Info panel viewable from each row. {% endhint %} ## Table Actions

Action	Description	Bulk Action Available
Add/Modify DKIM Selectors	This will allow you to update the DKIM Selectors for the selected domain(s)	true
Delete from analyser	Deletes the selected domain(s) from the analyser	true
More Info	This opens an enhanced Extended Info flyout. Here you can view further detail on each test performed. Success/failure is easy to identify through the use of standard red/green colored icons next to each test. Additional features can help you review the results and dig deeper:	false

### Reviewing the Extended Information Panel #### Settings You can click the settings icon to toggle the visibility of additional options for the domain check. Here you can set specific SPF records, a DKIM Selector, or set HTTPS subdomains to check. Click `Check` to run the tests again after configuring your desired options. #### Results List The test results will display below with the following features: * Easy to identify pass/fail indicators using green check marks for pass and red exclamation marks for fail. * Detailed information on the information returned for each test including the same pass/fail for multi-part tests * A three dots icon that will open a further Extended Info window allowing you to view the full results of that specific test. * A question mark icon that will launch external documentation on how to influence the test results. ## Common Problems * This feature requires that your Secure Application Model (SAM) app has the delegated permission `Domain.Read.All`. * You must give adequate time for the Best Practice Analyser to run. In an environment with 100 tenants this takes on average 2 minutes. * Check that your permissions are correct by navigating to **CIPP > Application Settings > Permissions** and review the results of Permissions Check. * Make sure both CIPP-API and CIPP are fully up to date. There is extensive logging in the log files in the CIPP-API Function App. *** ## Feature Requests / Ideas We value your feedback and ideas. Please raise any [feature requests](https://github.com/KelvinTegelaar/CIPP/issues/new?assignees=\&labels=enhancement%2Cno-priority\&projects=\&template=feature.yml\&title=%5BFeature+Request%5D%3A+) on GitHub.