Every signal we check, every weight, every verdict band — documented. The verdict your estate gets is reproducible: same DNS, same result. No black box, no proprietary cooperative average. You can verify any finding yourself with dig and a Spamhaus lookup.
Methodology v2.4 · external-only · last updated 2026-05-27
Folderly Lens queries only public, observable signals — the same records a mailbox provider's reputation engine reads when it decides whether to trust your mail. Zero access to your sending platform. No API keys, no inbox connection, no test sends.
The live in-page scanner runs these per domain or IP, in parallel, in real time:
| Signal | What it tells us | Standard |
|---|---|---|
| SPF record | Is sending authorised, and is the policy enforced (-all) or soft (~all)? Detects multiple SPF records, null SPF values, duplicate includes, void include/redirect targets, and recursive lookup count vs the RFC cap of 10. | RFC 7208 |
| DKIM signature | Is a signing key published? What bit-length (512-bit is broken, 1024-bit deprecated, 2048-bit current)? | RFC 6376 · RFC 8301 |
| DMARC policy | Published and enforced (p=reject/quarantine), or published-but-unenforced (p=none) — the latter reads as a deliberate opt-out. | RFC 7489 |
| MX records | Mail routing present and consistent. Shared-pool detection (e.g. Microsoft 365 outbound resold as "isolated"). | RFC 5321 |
| Domain blacklist scan | Reverse-IP and domain-oriented lookups across the live collector's public DNSBL set: Spamhaus ZEN, Spamhaus DBL, Barracuda, SpamCop, SORBS, PSBL, UCEPROTECT-1. | DNSBL standard |
| IP reputation scan | Direct sending IP checks for PTR/rDNS, forward-confirmed rDNS, RDAP ownership context, and public IP RBL probes across Spamhaus ZEN, SpamCop, Barracuda, SORBS, UCEPROTECT-1, PSBL, Hostkarma, Mailspike, SpamRATS, SpamRATS Dyna, Truncate, NordSpam, DroneBL, and Manitu. | DNSBL + PTR/rDNS + RDAP |
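The SPF and DMARC rows above describe record-level findings that can be checked with nothing but the TXT data dig returns. The following is an added example, not Folderly Lens code, showing how those findings (multiple records, null value, duplicate includes, the -all/~all qualifier, and the recursive lookup count against the RFC 7208 cap of 10) are derived once the records are in hand. Live DNS is replaced by a constructed in-memory zone (`FAKE_TXT`, all names under `.test`) so it runs offline; the function names are this example's own.

```python
import re

# Constructed TXT data standing in for live DNS answers (domain -> list of TXT records).
FAKE_TXT = {
    "example.test": [
        "v=spf1 include:_spf.esp.test include:_spf.esp.test ip4:198.51.100.0/24 ~all",
    ],
    "_spf.esp.test": ["v=spf1 include:_netblocks.esp.test mx -all"],
    "_netblocks.esp.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "twospf.test": ["v=spf1 -all", "v=spf1 mx -all"],          # two SPF records: permerror
    "nullspf.test": ["v=spf1"],                                 # null SPF value
    "toomany.test": ["v=spf1 " + " ".join(f"include:n{i}.test" for i in range(11)) + " -all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}

# RFC 7208 section 4.6.4: each of these mechanisms/modifiers costs one DNS lookup.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10
ALL_QUALIFIERS = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass"}


def spf_records(domain, zone=FAKE_TXT):
    """All TXT records at the domain that begin with 'v=spf1'."""
    return [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]


def spf_terms(record):
    """Split an SPF record into (qualifier, mechanism-or-modifier, argument) tuples."""
    terms = []
    for tok in record.split()[1:]:  # skip the version tag
        m = re.match(r"^([+\-~?]?)([A-Za-z0-9]+)(?:[:=/](.*))?$", tok)
        if m:
            terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms


def spf_lookup_count(domain, zone=FAKE_TXT, path=()):
    """Recursive lookup count as a verifier accrues it, following include: and redirect=."""
    if domain in path:
        return 0  # include/redirect loop: stop rather than recurse forever
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return 0  # missing or multiple records: permerror, reported separately
    count = 0
    for _q, name, arg in spf_terms(recs[0]):
        if name in LOOKUP_TERMS:
            count += 1
        if name in ("include", "redirect") and arg:
            count += spf_lookup_count(arg, zone, path + (domain,))
    return count


def analyze_spf(domain, zone=FAKE_TXT):
    """Findings matching the SPF row of the signal table."""
    recs = spf_records(domain, zone)
    out = {"present": bool(recs), "multiple_records": len(recs) > 1, "null_value": False,
           "duplicate_includes": [], "all_qualifier": None, "lookups": 0,
           "lookup_cap_exceeded": False}
    if len(recs) != 1:
        return out
    terms = spf_terms(recs[0])
    out["null_value"] = not terms  # bare "v=spf1" with nothing after it
    includes = [arg for _q, name, arg in terms if name == "include"]
    out["duplicate_includes"] = sorted({i for i in includes if includes.count(i) > 1})
    for q, name, _arg in terms:
        if name == "all":
            out["all_qualifier"] = ALL_QUALIFIERS[q]
    out["lookups"] = spf_lookup_count(domain, zone)
    out["lookup_cap_exceeded"] = out["lookups"] > MAX_LOOKUPS
    return out


def analyze_dmarc(domain, zone=FAKE_TXT):
    """Classify the DMARC policy: enforced (quarantine/reject), unenforced (p=none), or missing."""
    recs = [r for r in zone.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if not recs:
        return {"present": False, "policy": None, "enforced": False}
    tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    policy = tags.get("p", "").strip().lower()
    return {"present": True, "policy": policy, "enforced": policy in ("quarantine", "reject")}


if __name__ == "__main__":
    for d in ("example.test", "twospf.test", "nullspf.test", "toomany.test"):
        print(d, analyze_spf(d))
    print("example.test DMARC", analyze_dmarc("example.test"))
```

For `example.test` the duplicated include is counted twice, exactly as a verifier would evaluate it, which is why a duplicate include eats lookup budget as well as being a finding in its own right.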
Each domain accrues a risk score — the sum of the weights of every negative signal that fired. The displayed Lens score is 100 − risk, so higher is healthier. Selected weights:
| Signal fired | Risk weight |
|---|---|
| Listed on Spamhaus ZEN / SURBL | +40 |
| Sending IP listed on multiple public RBLs | +35 each |
| No DMARC record | +25 |
| DMARC published but p=none (unenforced) | +25 |
| Sending IP has no PTR/rDNS | +20 |
| No SPF record | +20 |
| SPF multiple records / null value / lookup count > 10 | REHAB gate |
| SPF duplicate include / lookup budget near limit | REHAB gate |
| Shared M365 pool sold as "isolated" | +10 |
| No live website on the apex | +10 |
| SPF ~all softfail | +8 |
| 1024-bit DKIM key (deprecated) | +5 |
| Low-trust TLD in cold-email context | +4 |
The estate score is a weighted average across all your domains and submitted sending IPs, where KILL assets pull harder than KEEP assets — one burning domain or IP should drag the estate, because to a mailbox provider it does.
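The scoring rule (risk as the sum of fired weights, Lens score as 100 − risk, REHAB gates outside the sum) and the estate average can be checked by hand. Below is an added example, not Folderly Lens code, that applies the weights listed in the table above to a constructed set of fired signals. The treatment of the REHAB gate rows as a flag rather than a weight, and the per-verdict estate weights (KILL 3, REHAB-URGENT 2.5, REHAB 2, KEEP 1) are assumptions; the page only states that KILL assets pull harder than KEEP assets.

```python
# Weights as listed on the page; signal names are this example's own.
RISK_WEIGHTS = {
    "spamhaus_zen_or_surbl": 40,
    "ip_rbl_listing": 35,            # applied per listing ("+35 each")
    "no_dmarc": 25,
    "dmarc_p_none": 25,
    "no_ptr": 20,
    "no_spf": 20,
    "shared_m365_as_isolated": 10,
    "no_live_website": 10,
    "spf_softfail": 8,
    "dkim_1024": 5,
    "low_trust_tld": 4,
}
# Rows marked "REHAB gate" add nothing to the sum; they force the asset into REHAB (assumption).
REHAB_GATES = {"spf_multiple_or_null_or_over_10", "spf_duplicate_include_or_near_limit"}


def risk_score(signals):
    """signals: dict of signal name -> count (1 for a fired signal, N for N RBL listings).
    Returns (risk, lens_score, rehab_gated)."""
    risk = 0
    gated = False
    for name, count in signals.items():
        if name in REHAB_GATES:
            gated = gated or count > 0
        elif name in RISK_WEIGHTS:
            risk += RISK_WEIGHTS[name] * count
        else:
            raise ValueError(f"unknown signal {name!r}")
    return risk, max(0, 100 - risk), gated


# Assumed verdict weights: a KILL asset pulls three times as hard as a KEEP asset.
VERDICT_WEIGHTS = {"KILL": 3.0, "REHAB-URGENT": 2.5, "REHAB": 2.0, "KEEP": 1.0}


def estate_score(assets):
    """assets: list of (lens_score, verdict). Verdict-weighted mean across the estate."""
    if not assets:
        return None
    total_w = sum(VERDICT_WEIGHTS[v] for _s, v in assets)
    return round(sum(s * VERDICT_WEIGHTS[v] for s, v in assets) / total_w, 1)


if __name__ == "__main__":
    # Constructed: an IP on two public RBLs with no PTR.
    print(risk_score({"ip_rbl_listing": 2, "no_ptr": 1}))        # (90, 10, False)
    # Constructed: unenforced DMARC plus softfail, and an SPF duplicate include gating REHAB.
    print(risk_score({"dmarc_p_none": 1, "spf_softfail": 1,
                      "spf_duplicate_include_or_near_limit": 1}))  # (33, 67, True)
    # One burning domain next to one clean one: a plain mean would say 50.
    print(estate_score([(10, "KILL"), (90, "KEEP")]))             # 30.0
```

The estate example makes the stated intent visible: with a KILL domain at 10 and a KEEP domain at 90, the unweighted mean would read 50, while the verdict-weighted mean drags the estate to 30.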
The public score answers "how risky does this asset look?" Confidence answers "how complete is the public evidence?" A dirty IP can be high-confidence when RDAP, PTR, FCrDNS, and RBL probes all completed. A clean-looking domain can be medium-confidence if Lens cannot confirm the actual sending IPs or all DKIM selectors.
| Confidence band | When Lens uses it | How to improve it |
|---|---|---|
| High | The submitted asset returned complete public DNS/authentication/RDAP/RBL evidence for the check type. | Keep the result as a baseline and re-run after any infrastructure change. |
| Medium | Major signals completed, but one or more context signals are missing, such as RDAP, full DKIM selector inventory, or confirmed sending IP mapping. | Paste sending IPs, provide headers or ESP export, and run the full audit for selector and resolver rechecks. |
| Low | Lookups failed, RBL coverage is partial, or the asset cannot be safely tied to real outbound use from public data alone. | Retry, submit the full estate, and do not treat unresolved or inferred assets as clean. |
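The IP-side evidence named in the confidence paragraph (PTR, forward-confirmed rDNS, RBL probes) and the band rule in the table can be expressed in a few functions. This is an added example, not Folderly Lens code: it builds the reversed-octet DNSBL query name a probe actually asks DNS for, checks FCrDNS against a constructed in-memory resolver (`FAKE_PTR`, `FAKE_A`, documentation-range addresses and `.test` names), and maps which probes completed onto High/Medium/Low. Which probes count as "major" versus "context" signals here is an assumption read from the table's wording.

```python
import ipaddress

# Constructed resolver answers: PTR for IPs, A for hostnames.
FAKE_PTR = {"198.51.100.7": "mta1.esp.test", "203.0.113.9": "dyn-9.isp.test"}
FAKE_A = {"mta1.esp.test": ["198.51.100.7"], "dyn-9.isp.test": ["203.0.113.10"]}


def dnsbl_query_name(ip, zone):
    """Reverse the address and append the list zone (the name a DNSBL probe looks up).
    IPv4 reverses dotted octets; IPv6 reverses every nibble of the expanded address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(ip.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def fcrdns(ip, ptr=FAKE_PTR, a=FAKE_A):
    """Forward-confirmed rDNS: PTR -> hostname -> A records must include the original IP."""
    host = ptr.get(ip)
    if host is None:
        return {"ptr": None, "fcrdns": False}
    return {"ptr": host, "fcrdns": ip in a.get(host, [])}


MAJOR_PROBES = {"ptr", "rbl"}        # assumption: without these there is no safe verdict
CONTEXT_PROBES = {"rdap", "fcrdns"}  # assumption: missing these drops a result to Medium


def confidence_band(completed, rbl_answered, rbl_total):
    """completed: probe names that returned an answer; rbl_* count the zones that responded."""
    completed = set(completed)
    if not MAJOR_PROBES <= completed or rbl_answered < rbl_total:
        return "Low"       # lookups failed or RBL coverage is partial
    if not CONTEXT_PROBES <= completed:
        return "Medium"    # major signals present, context signals missing
    return "High"


if __name__ == "__main__":
    print(dnsbl_query_name("198.51.100.7", "zen.spamhaus.org"))
    print(fcrdns("198.51.100.7"), fcrdns("203.0.113.9"), fcrdns("192.0.2.1"))
    print(confidence_band({"rdap", "ptr", "fcrdns", "rbl"}, 14, 14))
    print(confidence_band({"ptr", "rbl"}, 14, 14))
    print(confidence_band({"rdap", "ptr", "fcrdns", "rbl"}, 9, 14))
```

The `203.0.113.9` case is the one to watch: a PTR exists, but the hostname's A record points elsewhere, so rDNS is present yet not forward-confirmed. Treating "has a PTR" as equivalent to FCrDNS would score that IP cleaner than it is.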
The in-page artifact is an external public-signal register. It exports the scanned evidence as CSV, a copyable client brief, a copyable fix plan, and a saved report link. The saved report stores only the public scan artifact in Folderly Lens report storage; it does not create an account, connect a mailbox, or claim private receiver data.
| Row status | Meaning | How to treat it |
|---|---|---|
| scanned | The asset completed the free public scan and has a verdict, score, confidence band, drivers, and fix summary. | Use it as an executable public-signal register. |
| unresolved | The lookup did not return enough signal for a safe verdict. | Retry or include it in the full manual audit; never call it clean. |
| pending_full_audit | The asset was submitted but sits beyond the 10-asset free public scan cap. | It is not clean and not risky yet — it is unscanned inventory for the full register. |
-all, enforce DMARC, stand up a real site, clear any listing, or fix PTR/forward-confirmed rDNS — then resume sending. REHAB-URGENT is the same family with one blocking domain gap: no published DMARC policy, so DMARC must be fixed before any volume increase.
Every signal is something a reseller, a vendor, or a mailbox provider cannot hide from you. A reseller can claim "isolated infrastructure" — the MX record shows whether it's true. A vendor can claim "fully authenticated" — the DMARC record shows whether it's enforced. Public records don't negotiate.
Because we read only public state, the verdict is fully reproducible. Run the scan from a coffee shop's wifi with zero credentials and you get the same answer. Re-run after remediation and the diff objectively measures whether your fixes worked.
Honesty about the limits is the point. Folderly Lens is a risk score, not a placement score — it measures the structural conditions under which deliverability failure becomes inevitable, not where your mail actually lands today.