SPF / DKIM / DMARC Checker
Check email authentication DNS records for a domain. Validate SPF policy, DKIM selector records, DMARC enforcement, reporting tags, and common misconfigurations.
About SPF, DKIM, and DMARC
SPF, DKIM, and DMARC work together to help receiving mail servers decide whether a message claiming to come from your domain is legitimate. Strong authentication reduces spoofing, phishing, and delivery problems caused by missing or conflicting DNS records.
This checker reads public TXT records and explains the parts that matter most: the SPF sender policy, the DKIM public key for a selector, and the DMARC policy receivers should apply when authentication fails.
DKIM selectors
DKIM keys are stored under selector-specific names such as default._domainkey.example.com. If you do not know the selector, check your email provider documentation or inspect a recent message header for the s= value in the DKIM-Signature header.
What The Checker Reviews
SPF
- Confirms that exactly one SPF TXT record exists.
- Flags permissive policies such as +all and neutral ?all.
- Estimates DNS lookup mechanisms against the SPF limit of 10.
DKIM
- Looks up selector._domainkey records.
- Parses key tags including v, k, p, h, s, and t.
- Flags missing, empty, revoked, or likely weak RSA keys.
DMARC
- Checks _dmarc policy records and parsed tags.
- Highlights p=none, quarantine, and reject enforcement.
- Reviews reporting, alignment, and percentage rollout settings.
Common Fixes
Publish only one SPF record
Multiple SPF TXT records cause permanent SPF errors. Merge all approved senders into one v=spf1 record and keep the DNS lookup count under 10.
Move DMARC beyond monitoring when ready
p=none is useful for collecting reports, but it does not instruct receivers to quarantine or reject failing mail. Move gradually with pct= and reports when your SPF and DKIM alignment is clean.
Rotate DKIM keys carefully
Add the new selector, update your mail service to sign with it, wait for DNS and mail flow to settle, then remove or revoke old keys after they are no longer used.