Email Auth Checker (SPF/DKIM/DMARC)

Looks up a domain's SPF, DMARC and DKIM records to check its anti-spoofing setup.

What this email authentication checker does

Spoofing a "From" address is trivial unless a domain publishes the three DNS records that prove which servers may send its mail. This tool looks up SPF, DMARC and DKIM for a domain and shows whether each is configured.

SPF (v=spf1 … TXT at the domain) lists the IPs and includes allowed to send.
DMARC (v=DMARC1; p=… TXT at _dmarc.<domain>) tells receivers what to do with mail that fails — none, quarantine or reject — and where to send reports.
DKIM (a public key TXT at <selector>._domainkey.<domain>) lets receivers verify a cryptographic signature on each message.

About DKIM selectors

DKIM is published under a selector that only the sender knows, so there is no way to enumerate it from DNS. Leave the selector blank to try common ones (default, google, selector1…), or type the exact selector your mail provider uses. Related: SPF, DKIM and DMARC explained.

Frequently asked questions

I have SPF but the checker says DKIM is missing — is that a problem?

DMARC needs at least one of SPF or DKIM to pass with alignment. DKIM is more robust because it survives forwarding. If your provider uses an uncommon selector, enter it explicitly so the tool can find the record.

What DMARC policy should I use?

Start with p=none to collect reports without affecting delivery, confirm your legitimate sources pass, then move to p=quarantine and finally p=reject for full protection against spoofing.

Why can't the tool find DKIM automatically?

DKIM records live under a selector name chosen by the sender (e.g. s1, k1, google). DNS does not allow listing all subrecords, so the tool can only guess common selectors unless you supply the right one.