Trust
We run our own audit.
And we publish the score.
Our DEFEND program audits trade-shop email security against five DNS
controls (SPF, DKIM, DMARC, mail-provider posture, reporting). We run
the same check on bluecollarlabs.org
every time this site builds — and we ship the result here, good or bad.
DNS posture audit
13/16 CRITICAL
Domain: bluecollarlabs.org · Last checked: May 6, 2026
Lower is better. 0–4 = Acceptable, 5–9 = Concerning, 10+ = Critical. Same scoring rubric we apply to clients in a paid DEFEND audit.
| Control | Score | Finding |
|---|---|---|
| B1 Mail provider | 1/4 | MX → *.google.com (Google Workspace) |
| B2 SPF policy | 2/4 | SPF soft fail (~all) — receivers may still accept spoofed mail |
| B3 DKIM signing | 2/4 | DKIM published on 1 selector (google) — verify all senders are signed |
| B4 DMARC policy | 4/4 | DMARC not published |
| B5 DMARC reporting | 4/4 | No DMARC reporting addresses (rua= missing) |
Why publish a bad score
If we hide our own gaps we have no business charging shops to find theirs. If the badge above says CRITICAL, it means we have work to do — and we'd rather you see that than pretend otherwise. Check back; the score updates on every deploy.
Want this for your shop?
A DEFEND audit covers the same five DNS controls plus inbox-rule forensics, signage, and a staff phishing drill. Plain-language report, no jargon, owner-readable.
See DEFEND →
Audit tool source: tools/bcl-dns-check in our public workspace.
No data leaves your network when we run this — DNS lookups only.