Sample paid deliverable
A fully branded, plain-English diagnostic report combining DNS checks, message-header evidence and practical recommendations.
Sample based on the sandbox Email Desk workflow. Not a final client report.
Your domain has working Microsoft 365 mail routing and SPF is present, but the setup needs attention before it can be considered properly healthy.
The main concerns are a missing public DMARC record, public DKIM selector records not being visible where expected, and some mixed authentication evidence from the received test message. These are exactly the sorts of issues that can contribute to messages being treated cautiously by Gmail, Outlook/Hotmail and other receiving platforms.
What we found: Mail for the domain routes to Microsoft 365.
What this means: The primary mailbox routing appears correct. This is not where the main risk appears to be.
Recommendation: No urgent MX change. Keep Microsoft 365 as the source of truth unless mail is intentionally routed elsewhere.
What we found: SPF exists and includes Microsoft 365, but contains the same IP address twice.
What this means: SPF is not missing, but it should be tidied. Duplicate entries are not usually catastrophic, but they make records harder to audit and suggest legacy sending sources may not be fully controlled.
Suggested fix: Confirm whether 185.41.10.120 still sends legitimate mail for the domain. If yes, keep a single entry. If not, remove it. Keep include:spf.protection.outlook.com for Microsoft 365.
What we found: Public lookup for _dmarc.willcoxmedia.net returned no DMARC record.
What this means: DMARC gives receiving mail servers policy guidance and reporting. Without it, the domain has less control over spoofing protection and less visibility into authentication failures.
Suggested starter fix:
Start at p=none to collect/report without disrupting mail, then move gradually towards quarantine or reject once all senders are confirmed.
What we found: Public selector checks for the custom domain did not return expected Microsoft 365 selector CNAME/TXT records.
Microsoft 365 usually expects selector CNAME records at the custom domain pointing to Microsoft-hosted selector records. One Microsoft-hosted selector record was visible, but the custom-domain selector route did not resolve in the basic public lookup.
Suggested fix: In Microsoft 365 admin / Defender, confirm DKIM is enabled for willcoxmedia.net. Add or correct the selector CNAME records Microsoft provides, then send a fresh test email and confirm DKIM passes using header.d=willcoxmedia.net.
What we saw: The test email arrived and included Microsoft authentication evidence. Some upstream Microsoft ARC results showed SPF, DKIM and DMARC pass signals, while the final receiving-side header also showed dkim=none and dmarc=none.
What this means: This needs careful handling. It may indicate forwarding/header interpretation, missing visible custom DKIM records, or differences between Microsoft 365 user mail and third-party invoice sending.
Suggested fix: Run separate test emails from: 1) normal Microsoft 365 mailbox, 2) QuickBooks invoice sender, 3) website/contact form if used. Compare SPF/DKIM/DMARC alignment for each path.
Begin with monitoring mode so reports can be collected safely. Do not jump straight to reject until all sending services are known.
Confirm DKIM is enabled for the custom domain and that selector CNAME records resolve publicly.
Remove duplicate IP entries and verify whether the hosting server still sends legitimate mail for the domain.
Because the reported issue is invoice-related, send a real QuickBooks invoice/test message and inspect its headers. It may authenticate differently from normal Microsoft 365 mail.
Send new test messages to Gmail, Outlook/Hotmail and Email Desk. Confirm the visible Authentication-Results improve.
These are examples only. Final values should be checked against Microsoft 365, QuickBooks and any website/hosting senders before changing DNS.
If the hosting IP no longer sends legitimate mail, remove it:
Create the reporting mailbox or use a DMARC reporting service before publishing a rua address.
Use the exact CNAME values provided by Microsoft 365 admin for the domain. Do not guess production DKIM selector records.
The £99 Email Health Check gives you the diagnosis and recommended fixes. If you would rather not edit DNS, Microsoft 365, QuickBooks or website settings yourself, the next step is a Delivery Fix.
This report cannot guarantee inbox placement. Gmail, Microsoft, Yahoo and other providers apply private filtering rules that change over time. The report identifies technical setup issues, authentication evidence and sensible next steps to reduce avoidable delivery problems.
Prepared by Email Desk — Email delivery, sorted properly.