Email Auth Checker (SPF · DKIM · DMARC)
Check a domain's SPF, DKIM, and DMARC records and get a plain-English verdict on spoofing protection. Live DNS lookups on the edge — nothing stored.
- [FREE]
- [NO_SIGNUP]
- [USES_SERVER]
⚠ Unlike most of the site, this tool runs one request on a server because your browser cannot make it directly. It keeps none of your input — see the tool and the privacy page.
The SPF / DKIM / DMARC checker looks up a domain’s email-authentication records and tells you, in plain English, whether the domain is protected against spoofing.
Why this tool has a server
Email authentication lives in DNS TXT records, and a browser can’t issue DNS queries. So this tool reads them through Cloudflare’s edge DNS-over-HTTPS relay — the same one the DNS Lookup tool uses. The domain is queried and then discarded; it is not stored anywhere.
What it checks
| Record | Looked up at | Catches |
|---|---|---|
| SPF | TXT on the domain | missing record, multiple records (invalid), +all (wide open), no all or ?all |
| DMARC | TXT on _dmarc.<domain> | missing policy, p=none (monitor only), pct<100, no rua reports |
| DKIM | TXT on <selector>._domainkey.<domain> | no key for the tried selectors, revoked (empty) key |
It then gives an overall verdict — Protected / Partial / At risk.
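The checks in the table and the verdict rules from the FAQ below can be expressed over TXT strings that have already been fetched; this is an added Python example, not the tool's own code. The function names and the "ok"/"weak"/"missing" states are hypothetical, and three choices are assumptions: ~all is accepted, a revoked DKIM key counts as missing, and any weak finding yields "Partial".

```python
def tags(record):
    """Parse a 'k=v; k=v' tag list (DMARC/DKIM) into a dict with lowercase keys."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(txts):
    spf = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing", ["no SPF record"]
    if len(spf) > 1:
        return "weak", ["multiple SPF records (invalid)"]
    alls = [t for t in spf[0].lower().split()[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return "weak", ["no all mechanism"]
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"  # bare "all" means +all
    if qualifier in "+?":
        return "weak", [f"{qualifier}all does not fail unauthorized senders"]
    return "ok", []  # assumption: ~all and -all both count as acceptable

def check_dmarc(txts):
    recs = [tags(t) for t in txts if t.lower().replace(" ", "").startswith("v=dmarc1")]
    if not recs:
        return "missing", ["no DMARC policy"]
    rec, notes = recs[0], []
    if rec.get("p", "").lower() not in ("quarantine", "reject"):
        notes.append("policy is not enforcing (p=none or unset)")
    pct = rec.get("pct", "100")  # pct defaults to 100 when the tag is absent
    if not pct.isdigit() or int(pct) < 100:
        notes.append("pct<100")
    if "rua" not in rec:
        notes.append("no rua reports")
    return ("weak" if notes else "ok"), notes

def check_dkim(by_selector):
    keys = [tags(t) for txts in by_selector.values() for t in txts if "p=" in t]
    if not keys:
        return "missing", ["no key for the tried selectors"]
    # assumption: a record whose p= is empty (revoked) counts as missing
    return ("ok", []) if any(k.get("p") for k in keys) else ("missing", ["revoked (empty) key"])

def verdict(spf_txts, dmarc_txts, dkim_by_selector):
    checks = (check_spf(spf_txts), check_dmarc(dmarc_txts), check_dkim(dkim_by_selector))
    states = [state for state, _ in checks]
    overall = "At risk" if "missing" in states else "Partial" if "weak" in states else "Protected"
    return overall, [note for _, notes in checks for note in notes]

# Constructed sample records (not real lookups); try verdict(*SAMPLE)
SAMPLE = (["v=spf1 include:_spf.example.com ~all"], ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
          {"selector1": ["v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"]})
```

Each function takes the list of TXT strings returned for one name, so the DNS-over-HTTPS lookup can be swapped in or mocked independently of the policy logic.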
On DKIM selectors
DKIM records sit under a selector (e.g. google, selector1). There’s no way to discover it from DNS, so the tool probes the common ones. If yours isn’t found, grab it from a signed email’s DKIM-Signature: s=… header and type it into the selector box.
Related tools
- DNS Lookup — query any record type for any domain.
- HTTP Header Checker — response headers + security grade.
- What’s My IP — your IP, network, and connection details.
Frequently asked questions
What do SPF, DKIM, and DMARC actually do?
They stop other people from sending email that looks like it came from your domain. SPF lists which servers may send for you. DKIM cryptographically signs your mail so receivers can verify it wasn't tampered with. DMARC ties the two together and tells receivers what to do when a message fails (nothing, quarantine, or reject) — and where to send reports. You want all three, with DMARC at p=quarantine or p=reject.
Why does this need a server?
It reads DNS TXT records (SPF at the domain, DMARC at _dmarc.<domain>, DKIM at <selector>._domainkey.<domain>), and a browser can't issue DNS queries. It reuses the same Cloudflare edge DNS-over-HTTPS relay as the DNS Lookup tool. The domain is queried and discarded — nothing is stored.
Why does DKIM say "not found" when I have it set up?
DKIM records live under a selector you choose (or your provider chose), e.g. google._domainkey.example.com. There's no way to discover the selector from DNS alone, so the tool probes common ones (google, selector1/2, k1, s1/2, default, dkim, mail). If yours isn't in that list, enter it in the DKIM selector box — find it in a signed email's headers under DKIM-Signature: s=.
What does the verdict mean?
"Protected" = SPF + DKIM + DMARC all present and DMARC enforces (quarantine/reject). "Partial" = something is weak, e.g. DMARC is p=none (monitor only) or SPF lacks a strict all. "At risk" = one of the three is missing, leaving the domain easier to spoof.
Is p=none bad?
It's a safe starting point — it monitors and sends reports without affecting delivery — but it provides no actual protection. Once your reports show legitimate mail is passing, move to p=quarantine and then p=reject.
Does this check whether a specific email passed authentication?
No — it checks the domain's published policy/records, not an individual message. To see why one email passed or failed, read its Authentication-Results header in the receiving mailbox.