Check email authentication records for any domain. Powered by Google Public DNS.
Enter a domain above to check spf record
Enter a domain above to check dmarc record
Enter a domain above to check dkim record
Enter a domain above to check mx records
DNS resolution via Google Public DNS
Email authentication is a set of protocols that verify the identity of email senders. When you send an email from your domain, receiving mail servers check your DNS records to confirm you are who you claim to be. The three main protocols are SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance). Together, they form a layered defense against email spoofing, phishing, and impersonation attacks.
Without proper email authentication, anyone can send messages that appear to come from your domain. This damages your brand reputation, hurts deliverability, and puts your customers at risk. Major email providers like Google and Microsoft now require proper authentication for bulk senders.
SPF (Sender Policy Framework) is a DNS TXT record that lists all the servers and services authorized to send email on behalf of your domain. When a receiving server gets an email from your domain, it checks the SPF record to verify the sending server is permitted.
An SPF record starts with v=spf1 and contains mechanisms like include (for third-party services), ip4/ip6 (for specific servers), a (for your domain's A record), and mx (for your mail servers). The record ends with a policy qualifier: -all (hardfail, reject unauthorized), ~all (softfail, mark but deliver), or ?all (neutral, no policy). Hardfail (-all) provides the strongest protection because it tells receivers to reject emails from unauthorized sources.
DMARC builds on SPF and DKIM by adding a policy layer and reporting mechanism. Published as a DNS TXT record at _dmarc.yourdomain.com, it tells receiving servers what to do when an email fails authentication checks.
The key DMARC tags include p (policy: none, quarantine, or reject), rua (aggregate report destination), ruf (forensic report destination), pct (percentage of messages to apply policy to), and sp (subdomain policy). A policy of none is monitoring-only and does not protect against spoofing. Quarantine sends suspicious emails to spam, while reject blocks them entirely. Starting with p=none and reviewing reports before escalating to reject is a common best practice.
DKIM adds a cryptographic signature to outgoing emails. The sending server signs each message with a private key, and the corresponding public key is published as a DNS TXT record under a selector (e.g., selector._domainkey.yourdomain.com). Receiving servers use this public key to verify the signature, confirming the message was not altered in transit.
DKIM selectors vary by email provider. Google Workspace uses google._domainkey, Microsoft 365 uses selector1._domainkey and selector2._domainkey, and other services use their own naming conventions. This tool checks the default selector, but your actual DKIM record may use a provider-specific selector.
Email deliverability directly impacts your marketing ROI. If your domain lacks proper authentication, your campaigns are more likely to land in spam folders or be blocked entirely. Google and Yahoo now require SPF, DKIM, and DMARC for senders who send more than 5,000 messages per day.
Beyond deliverability, email authentication protects your brand. Phishing attacks that spoof your domain erode customer trust and can expose your organization to liability. A strong authentication setup with DMARC set to reject tells receiving servers to block all unauthorized emails, keeping your brand reputation intact and your customers safe from impersonation attacks.
This tool queries Google Public DNS to look up four types of records: SPF (TXT record on your domain), DMARC (TXT record at _dmarc.yourdomain.com), DKIM (TXT record at default._domainkey.yourdomain.com), and MX records. It parses each record, runs pass/fail checks, and calculates an overall email authentication score from 0 to 100.
This tool checks only the default DKIM selector (default._domainkey). Most email providers use custom selectors. Google Workspace uses google._domainkey, Microsoft 365 uses selector1._domainkey, and other services have their own naming. Your DKIM may be properly configured under a different selector name.
A score of 80 or above indicates strong email authentication. This typically means you have SPF with hardfail, DMARC with a quarantine or reject policy, reporting configured, and MX records in place. A score below 50 suggests significant gaps that could affect deliverability and leave your domain vulnerable to spoofing.
No. Start with p=none to monitor authentication results without affecting email delivery. Review the aggregate reports (rua) to identify all legitimate email sources and ensure they pass SPF and DKIM. Once you are confident all legitimate sources are authenticated, move to p=quarantine, and then to p=reject. Jumping straight to reject can cause legitimate emails to be blocked.
Yes, this tool is completely free. It uses Google's public DNS-over-HTTPS API, which requires no API key or authentication. All queries run directly from your browser to Google's DNS service. There are no usage limits imposed by this tool.
