From 3ead49361db5c36bf39cc51dd93df01d246668b7 Mon Sep 17 00:00:00 2001
From: M66B <M66B@users.noreply.github.com>
Date: Thu, 28 May 2026 22:12:47 +0200
Subject: [PATCH] Updated FAQ

---
 FAQ.md     | 3 +++
 index.html | 1 +
 2 files changed, 4 insertions(+)

diff --git a/FAQ.md b/FAQ.md
index b2b814bb52..c8699ab0a5 100644
--- a/FAQ.md
+++ b/FAQ.md
@@ -3713,6 +3713,9 @@ you can enable native DKIM in the debug panel, which appears when you enable deb
 In this case, the shield will be green only when DKIM passes and the signer domain matches that of the sender (=alignment).
 Please be aware that this option will increase both data and battery usage.
 
+Note that a service like [mail tester](https://mail-tester.com/) basically performs the same checks as an email server can but not must do to populate the *Authentication-Results* header.
+This means that such a service can say 'all okay' while the app reports 'inconclusive' because the email server didn't perform the checks.
+
 FairEmail can show a warning flag too if the domain name of the (reply) email address of the sender does not define an MX record pointing to an email server.
 This can be enabled in the receive settings. Be aware that this will slow down synchronization of messages significantly.
 
diff --git a/index.html b/index.html
index beefe75076..1de879d42d 100644
--- a/index.html
+++ b/index.html
@@ -1991,6 +1991,7 @@ Y1 OK CAPABILITY completed</code></pre>
 <p>If you receive a lot of spam messages in your inbox, the best you can do is to contact the email provider to ask if spam filtering can be improved.</p>
 <p>Also, FairEmail can show a small red warning flag when DKIM, SPF or <a href="https://en.wikipedia.org/wiki/DMARC">DMARC</a> authentication failed on the receiving server. You can enable/disable <a href="https://en.wikipedia.org/wiki/Email_authentication">authentication verification</a> in the display settings. The feature depends on the header <a href="https://datatracker.ietf.org/doc/html/rfc7601">Authentication-Results</a>, which the receiving email server should add. The shield will be green only if DMARC passes (=alignment) and either <a href="https://en.wikipedia.org/wiki/Sender_Policy_Framework">SPF</a> or <a href="https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail">DKIM</a> passes.</p>
 <p>If the email server doesn’t add an <em>Authentication-Results</em> header, which is optional, you can enable native DKIM in the debug panel, which appears when you enable debug mode in the miscellaneous settings tab page (last option). In this case, the shield will be green only when DKIM passes and the signer domain matches that of the sender (=alignment). Please be aware that this option will increase both data and battery usage.</p>
+<p>Note that a service like <a href="https://mail-tester.com/">mail tester</a> basically performs the same checks as an email server can but not must do to populate the <em>Authentication-Results</em> header. This means that such a service can say ‘all okay’ while the app reports ‘inconclusive’ because the email server didn’t perform the checks.</p>
 <p>FairEmail can show a warning flag too if the domain name of the (reply) email address of the sender does not define an MX record pointing to an email server. This can be enabled in the receive settings. Be aware that this will slow down synchronization of messages significantly.</p>
 <p>If the domain name of the sender and the domain name of the reply address differ, the warning flag will be shown too because this is most often the case with phishing messages. If desired, this can be disabled in the receive settings (since version 1.1506).</p>
 <p>If legitimate messages are failing authentication, you should notify the sender because this will result in a high risk of messages ending up in the spam folder. Moreover, without proper authentication there is a risk the sender will be impersonated. The sender might use <a href="https://www.mail-tester.com/">this tool</a> to check authentication and other things.</p>