Audit SPF, DKIM, DMARC, MTA-STS, and BIMI for any domain in seconds. Find spoofing risks, weak policies, and deliverability issues — graded A+ to F.
Email authentication is the single most overlooked vector in brand protection. SMTP, the protocol behind every email ever sent, has no built-in identity check — by default, any server on the internet can put From: ceo@your-company.com in a message header and most mailboxes will deliver it. SPF, DKIM, and DMARC are the three DNS records that close that hole. Without them deployed correctly, you are one well-crafted phishing campaign away from a wire-fraud incident, a stolen-credentials breach, or a regulatory complaint from a customer who got tricked by someone pretending to be your support team.
On top of the security upside, modern mailbox providers now require authenticated mail to land in the inbox. Since February 2024, Gmail and Yahoo reject unauthenticated bulk senders outright. This tool audits all three records plus MTA-STS and BIMI in under 200ms.
SPF is a single TXT record on your apex domain that lists every IP range and hostname authorised to send mail for you, for example v=spf1 include:_spf.google.com include:mailgun.org -all. Receivers check the connecting SMTP server's IP against this list. The all mechanism at the end sets the enforcement level: -all is hard fail (reject), ~all soft fail (mark as spam), ?all neutral, and +all the dangerous "allow anyone" setting we occasionally find in production.
SPF's biggest pitfall is the 10 DNS lookup limit. Each include: costs a lookup, as does each a, mx, or redirect. Chains of nested includes routinely exceed 10 and cause a permerror, which makes every receiver treat the message as if you had published no SPF record at all.
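To make the lookup limit concrete, here is an added example (not this tool's code) that walks an SPF record through its include: and redirect= chain against a constructed in-memory DNS table, counts the lookups the way a receiver would, and reads the trailing all qualifier. All domain names and records below are made up.

```python
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4; exceeding it is a permerror
ALL_MEANING = {"-": "hard fail (reject)", "~": "soft fail (mark as spam)",
               "?": "neutral", "+": "allow anyone (dangerous)"}

# Constructed TXT records standing in for DNS answers; .example names are not real.
FAKE_DNS = {
    "good.example": "v=spf1 include:_spf.mailer.example mx -all",
    "_spf.mailer.example": "v=spf1 include:_net1.mailer.example include:_net2.mailer.example ~all",
    "_net1.mailer.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_net2.mailer.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example": "v=spf1 include:_spf.mailer.example include:_net1.mailer.example ~all",
    "_spf.helpdesk.example": "v=spf1 include:_spf.crm.example exists:%{i}.s.helpdesk.example ~all",
    "bloated.example": "v=spf1 include:_spf.mailer.example include:_spf.crm.example "
                       "include:_spf.helpdesk.example a mx ptr +all",
}

def parse_terms(record):
    """Yield (qualifier, mechanism, argument) for each term after v=spf1."""
    for tok in record.split()[1:]:
        qual = tok[0] if tok[0] in "+-~?" else "+"
        name, _, arg = tok.lstrip("+-~?").replace("=", ":", 1).partition(":")
        yield qual, name.split("/")[0].lower(), arg

def count_lookups(domain, dns, depth=0):
    """DNS lookups a receiver needs to evaluate domain, following include/redirect."""
    record = dns.get(domain)
    if record is None or depth > MAX_LOOKUPS:
        return MAX_LOOKUPS + 1  # include of a domain with no SPF (or a loop) is a permerror
    total = 0
    for _, name, arg in parse_terms(record):
        if name in LOOKUP_MECHS:
            total += 1  # the mechanism itself costs one lookup ...
            if name in ("include", "redirect"):
                total += count_lookups(arg, dns, depth + 1)  # ... plus its target's
    return total

def audit_spf(domain, dns=FAKE_DNS):
    """Lookup count, permerror flag and the meaning of the trailing all qualifier."""
    lookups = count_lookups(domain, dns)
    qual = next((q for q, n, _ in parse_terms(dns[domain]) if n == "all"), None)
    return {"lookups": lookups, "permerror": lookups > MAX_LOOKUPS,
            "all": qual, "policy": ALL_MEANING.get(qual, "no all term (neutral)")}

if __name__ == "__main__":
    for d in ("good.example", "bloated.example"):
        print(d, audit_spf(d))
```

Note that the bloated record only has three include: terms at the top level, yet resolves to 18 lookups once the nested chains are followed, which is exactly how real-world records drift past the limit.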
DKIM is cryptographic signing of each outbound message. Your mail server signs every email with a private key; the public key lives at selector._domainkey.yourdomain.com as a TXT record. Receivers fetch the public key, verify the signature over the signed headers and body, and confirm the message was not altered in transit and originated from a server holding your private key.
DKIM's only quirk is the selector. You can have many selectors active simultaneously, which is useful when rotating keys or running multiple ESPs. Common selectors: google, k1, selector1, mandrill, mailgun, sendgrid. This tool probes 19 of the most common; if yours uses a custom name like corp-2024, the check will say "not found" even when DKIM is correctly configured.
DMARC is the policy layer that ties SPF and DKIM together. A TXT record at _dmarc.yourdomain.com tells receivers what to do when a message fails both SPF and DKIM checks: p=none means "just send me a report", p=quarantine means "put it in spam", p=reject means "drop it entirely". The rua=mailto:reports@ tag points to where aggregate XML reports get sent; read these to see who is sending mail as you, both legitimately and otherwise.
Most domains follow the same ramp: start at p=none; pct=100 to gather data, fix any legitimate senders flagged in your reports, graduate to p=quarantine; pct=10, ramp pct to 100 over a month, then move to p=reject. The whole journey takes 6-12 weeks for a typical organisation.
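The following added example (not this tool's code) parses a _dmarc TXT record, applies the RFC 7489 defaults that trip people up (sp falls back to p, pct defaults to 100), lists the holes a spoofer could still use, and names the next step on the none / quarantine / reject ramp described above. The letter grades are an assumed scale for illustration, not this tool's grading, and the records are constructed.

```python
def parse_dmarc(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record):
    """Grade (assumed A-F scale), remaining weaknesses and the next ramp step."""
    tags = parse_dmarc(record or "")
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"grade": "F", "issues": ["no valid DMARC record: receivers accept spoofed mail"],
                "next": "publish v=DMARC1; p=none; pct=100; rua=mailto:<reports address>"}
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()                                    # sp defaults to p
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100  # pct defaults to 100
    issues = []
    if p == "none":
        issues.append("p=none is monitor-only: spoofed mail is still delivered")
    if pct < 100:
        issues.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    if sp == "none" and p != "none":
        issues.append("sp=none leaves every subdomain spoofable")
    if "rua" not in tags:
        issues.append("no rua=: aggregate reports go nowhere, so you cannot see who sends as you")
    grade = {"reject": "A", "quarantine": "B", "none": "D"}.get(p, "F")
    if grade in ("A", "B") and (pct < 100 or sp == "none"):
        grade = "C"  # enforcement with holes: partial pct or unprotected subdomains
    if p == "none":
        nxt = "graduate to p=quarantine; pct=10"
    elif pct < 100:
        nxt = f"raise pct from {pct} to 100"
    elif p == "quarantine":
        nxt = "move to p=reject"
    else:
        nxt = "enforced; keep reading rua reports"
    return {"grade": grade, "policy": p, "sp": sp, "pct": pct, "issues": issues, "next": nxt}

if __name__ == "__main__":
    # Constructed records at each stage of the ramp.
    for rec in ("v=DMARC1; p=none; pct=100; rua=mailto:reports@acme.example",
                "v=DMARC1; p=quarantine; pct=10; rua=mailto:reports@acme.example",
                "v=DMARC1; p=reject; sp=none"):
        print(audit_dmarc(rec))
```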
MTA-STS requires servers delivering mail to you to use TLS. Without it, an attacker on the path can downgrade SMTP from TLS to plaintext and read every email destined for your domain. Deployment is two records: a TXT at _mta-sts.yourdomain.com with the policy version, and a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt listing the allowed mail servers. Almost no one deploys it; doing so is a free security upgrade.
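As an added example (not this tool's code), this validates the two MTA-STS artefacts against the RFC 8461 format: the _mta-sts TXT record and the policy file, including the mode value that decides whether receivers actually refuse plaintext. The record and file below are constructed samples for a made-up domain.

```python
# Constructed samples: a TXT record at _mta-sts.<domain> and the policy file
# served at https://mta-sts.<domain>/.well-known/mta-sts.txt
STS_TXT = "v=STSv1; id=20240601T120000"
POLICY_FILE = """version: STSv1
mode: enforce
mx: mx1.acme.example
mx: *.mail.acme.example
max_age: 604800
"""

def check_sts_txt(txt):
    """The TXT record needs v=STSv1 and an id that changes whenever the policy file does."""
    tags = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    issues = []
    if tags.get("v") != "STSv1":
        issues.append("TXT record must start with v=STSv1")
    if not tags.get("id"):
        issues.append("TXT record needs an id= to signal policy changes")
    return issues

def check_policy(text):
    """Policy file is key: value lines; mx may repeat; mode decides enforcement."""
    mx, fields, issues = [], {}, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value)  # hostname or wildcard pattern the presented cert must match
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        issues.append("version must be STSv1")
    if fields.get("mode") not in ("testing", "enforce", "none"):
        issues.append("mode must be testing, enforce or none")
    elif fields["mode"] != "enforce":
        issues.append(f"mode={fields['mode']}: receivers will not refuse plaintext delivery")
    if not fields.get("max_age", "").isdigit():
        issues.append("max_age must be a positive integer of seconds")
    if not mx and fields.get("mode") != "none":
        issues.append("at least one mx line is required")
    return issues

if __name__ == "__main__":
    print(check_sts_txt(STS_TXT), check_policy(POLICY_FILE))
```

Start with mode: testing while you confirm TLS reports look clean, then switch to enforce and bump the id in the TXT record so senders refetch the policy.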
BIMI shows your verified logo next to authenticated mail in Gmail, Yahoo Mail, and Apple Mail. It requires p=quarantine or p=reject DMARC plus a Verified Mark Certificate from Entrust or DigiCert (around $1,500/year). Worth it for consumer brands where the logo measurably lifts open rates; overkill for internal-only or B2B-only domains.
They are the three pillars of email authentication. SPF says which servers may send mail for your domain. DKIM cryptographically signs each message. DMARC tells receivers what to do (none / quarantine / reject) when SPF or DKIM fails. Without all three, anyone can spoof your domain.
A short label (like google, k1, selector1) that picks one of many possible DKIM keys for a domain. The full DNS lookup is selector._domainkey.domain.com. Selectors are domain-specific — this tool checks ~20 of the most common ones; if yours uses a custom selector it may show as missing even though DKIM works.
p=reject is the strongest — receivers drop unauthenticated mail. p=quarantine sends it to spam. p=none is monitor-only and is essentially "warn me but accept everything", which spoofers still pass right through. Most domains start at none, then graduate to quarantine, then reject as confidence grows.
MTA-STS requires servers delivering mail to you to use TLS, which protects against man-in-the-middle attacks during SMTP delivery. BIMI shows your verified logo in Gmail/Yahoo Mail when SPF, DKIM, and DMARC all pass and you hold a Verified Mark Certificate. Both are bonus signals, not required.
Try it on popular domains: github.com, google.com, cloudflare.com, openai.com.