SPF / DKIM / DMARC

Check email authentication records of a domain for secure email sending.

Enter a domain to start the check.

What are SPF, DKIM, and DMARC?

SPF, DKIM, and DMARC are three email authentication protocols that protect your domain from spoofing, phishing, and spam. Together they form the foundation of email security for any domain.

SPF (Sender Policy Framework)

SPF is a DNS TXT record that declares which mail servers are allowed to send email on behalf of your domain. If a server is not listed in the SPF record, emails it sends may be rejected or sent to spam.

Example SPF record:

v=spf1 include:_spf.google.com include:mailgun.org -all

The last parameter defines the policy: -all (strict, rejects unauthorized senders), ~all (softfail, marks as suspicious), +all (dangerous, allows everything).

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to every email. The recipient verifies the signature using the public key published in DNS (a TXT record under the selector). If the signature cannot be verified, the email is considered tampered.

DMARC (Domain-based Message Authentication)

DMARC ties SPF and DKIM together and defines what the recipient does when either check fails: p=none (monitor only), p=quarantine (spam folder), or p=reject (full rejection). It also enables reporting (RUA/RUF) for visibility.

How do I use this tool?

  1. Enter the domain (e.g. gmail.com) and click "Check".
  2. See whether SPF, DKIM, and DMARC exist and what policy they enforce.
  3. Red badges indicate missing or weak configuration — a significant email deliverability problem.

Frequently Asked Questions

My emails are going to spam — what should I check first?
Start with SPF and DMARC. If they are missing or use ~all / p=none, recipients cannot verify that you are the legitimate sender. Add or tighten those records.
Do I need DKIM if I already have SPF?
Yes. SPF validates the sending server, but DKIM authenticates the message itself. For DMARC to work correctly, you need alignment on at least one of the two. Ideally both.
What is a "DKIM selector"?
Each DKIM key is published under a specific selector (e.g. google, mail). The tool automatically tests the most common selectors to locate your DKIM records.
How long does it take for DNS records to propagate?
DNS records have a TTL (time to live) that determines how quickly they propagate. Usually 5–30 minutes, but it can take up to 48 hours with older configurations.
📖 Read the full guide: How to Set Up SPF, DKIM and DMARC →
Mail Headers Analyzer
Email headers & hop delays
Blacklist Checker
Check against 20+ blacklists
Webmail
Quick Webmail access
Domain Audit
DNS, WHOIS, SSL, SPF/DMARC, blacklist & screenshot