SPF, DKIM & DMARC Checker

Check SPF, DKIM, and DMARC records for any domain. Verify email authentication, find misconfigurations, and improve email deliverability. Free online tool, no signup required.

Check Email Authentication

Enter a domain to look up its SPF, DKIM, and DMARC records. All lookups run in your browser via Google DNS-over-HTTPS.


Understanding Email Authentication: SPF, DKIM, and DMARC

What is SPF (Sender Policy Framework)?

SPF is a DNS-based email authentication protocol that lets domain owners specify which mail servers are allowed to send email on their behalf. It works by publishing a TXT record in DNS that lists authorized IP addresses, hostnames, and third-party senders. When a receiving mail server gets a message, it checks the sending server's IP against the domain's SPF record. If the IP is not listed, the message may be flagged as spam or rejected entirely.

An SPF record looks like this: v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all. The v=spf1 prefix identifies it as an SPF record. The include: mechanism delegates authorization to another domain's SPF record. The ip4: mechanism authorizes a specific IP range. The -all at the end means "reject everything not explicitly listed" (hard fail), while ~all means "soft fail" (accept but mark suspicious).

What is DKIM (DomainKeys Identified Mail)?

DKIM adds a cryptographic signature to outgoing emails. The sending server signs each message with a private key, and the corresponding public key is published as a DNS TXT record under a selector subdomain (e.g., google._domainkey.example.com). The receiving server retrieves the public key from DNS and uses it to verify the signature. If the signature is valid, it confirms two things: the message was actually sent by the claimed domain, and the message body was not altered in transit.

DKIM selectors allow a domain to use multiple signing keys for different email services. For example, a company might use google as the selector for Google Workspace emails and k1 for Mailchimp campaigns. Each service generates its own key pair and publishes the public key under its chosen selector.

What is DMARC (Domain-based Message Authentication, Reporting, and Conformance)?

DMARC builds on SPF and DKIM by adding a policy layer and a reporting mechanism. A DMARC record tells receiving mail servers what to do when an email fails both SPF and DKIM checks. The three policy options are: none (monitor only, deliver normally), quarantine (send to spam), and reject (block entirely). DMARC also supports the pct= tag to apply the policy to only a percentage of failing messages, which is useful for gradual rollout.

One of DMARC's most valuable features is aggregate reporting. By including a rua= tag with an email address, domain owners receive daily XML reports from receiving mail servers showing which messages passed or failed authentication. This visibility is essential for identifying unauthorized senders and diagnosing configuration issues before moving to a strict policy.

Why Email Authentication Matters

Without SPF, DKIM, and DMARC, anyone can send email that appears to come from your domain. This makes phishing attacks trivial and damages your brand reputation. Email providers like Gmail, Outlook, and Yahoo now require proper authentication for bulk senders. Messages from domains without SPF and DKIM are far more likely to land in spam folders or be rejected outright. Google's 2024 sender requirements mandate SPF or DKIM for all senders and DMARC for those sending over 5,000 messages per day.

Beyond deliverability, email authentication protects your customers, employees, and partners from receiving spoofed messages that impersonate your organization. A strict DMARC policy (p=reject) is the strongest defense against domain spoofing.

How to Set Up SPF, DKIM, and DMARC

Start with SPF: create a TXT record at your domain's root that lists every service authorized to send on your behalf. Include your email provider (e.g., include:_spf.google.com for Google Workspace) and any marketing or transactional email services. End with -all or ~all.

Next, configure DKIM in each email service you use. Most providers generate the DKIM key pair for you and give you a DNS record to publish. Add the provided TXT record at the selector subdomain they specify.

Finally, add a DMARC record at _dmarc.yourdomain.com. Start with v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com to begin collecting reports without affecting delivery. After reviewing reports for a few weeks and confirming legitimate senders pass authentication, gradually increase the policy to quarantine and then reject.
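Before tightening a policy, it helps to review the published records automatically. The following is an added example, not this tool's own code: it audits SPF and DMARC TXT strings that have already been fetched from DNS, and its function names and finding texts are assumptions made for illustration.

```javascript
// Added example: audits SPF and DMARC TXT strings already fetched from DNS.
// Function names and finding texts are this example's own, not the tool's.
function auditSpf(txt) {
  const terms = txt.trim().split(/\s+/);
  if (terms.shift().toLowerCase() !== 'v=spf1') return ['not an SPF record (no v=spf1 prefix)'];
  const findings = [];
  const allIdx = terms.findIndex(t => /^[+\-~?]?all$/i.test(t));
  const hasRedirect = terms.some(t => /^redirect=/i.test(t));
  if (allIdx === -1) {
    if (!hasRedirect) findings.push('no "all" mechanism: unlisted senders get a neutral result');
  } else {
    const term = terms[allIdx].toLowerCase();
    if (term === 'all' || term === '+all') findings.push('+all authorizes every sender');
    if (term === '?all') findings.push('?all is neutral and gives receivers nothing to act on');
    if (allIdx !== terms.length - 1) findings.push('terms after "all" are never evaluated');
  }
  // RFC 7208 allows at most 10 DNS-querying terms per check; this counts the
  // top-level record only, not records pulled in through include: or redirect=.
  const lookups = terms.filter(t =>
    /^[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)([:\/]|$))/i.test(t)).length;
  if (lookups > 10) findings.push(`${lookups} DNS-querying terms exceed the limit of 10`);
  return findings;
}

function parseDmarc(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return tags;
}

function auditDmarc(txt) {
  const tags = parseDmarc(txt);
  if (tags.v !== 'DMARC1') return ['not a DMARC record (no v=DMARC1 tag)'];
  const findings = [];
  const p = (tags.p || '').toLowerCase();
  if (!['none', 'quarantine', 'reject'].includes(p)) findings.push('missing or invalid p= policy');
  if (p === 'none') findings.push('p=none only monitors: failing mail is still delivered');
  const pct = tags.pct === undefined ? 100 : Number(tags.pct);
  if (p !== 'none' && pct < 100) findings.push(`pct=${pct}: policy covers only part of failing mail`);
  if (!tags.rua) findings.push('no rua= address: no aggregate reports will arrive');
  return findings;
}

// The page's own sample records: the SPF one is clean, the DMARC one is monitor-only.
console.log(auditSpf('v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all'));
console.log(auditDmarc('v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com'));
```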
