Email Security Checker
Analyze SPF, DKIM and DMARC for any domain — with clear fixes for what's wrong.
Free • no sign-up • results run live in your browser via public DNS resolvers.
SPF, DKIM and DMARC explained
These three DNS records work together to stop attackers from sending email that looks like it's from your domain:
- SPF lists which servers are allowed to send mail for your domain.
- DKIM adds a cryptographic signature so receivers can verify a message wasn't altered.
- DMARC ties SPF and DKIM together and tells receivers what to do with mail that fails (and where to send reports).
This tool reads all three from DNS, flags common problems — missing records, multiple SPF records, too many SPF DNS lookups, weak +all, or a permissive p=none DMARC policy — and tells you exactly how to fix each one.
Note on DKIM detection
DKIM keys are published under a selector (e.g. google._domainkey). We probe the most common selectors; if your provider uses a custom selector we may not detect it even though DKIM is configured.
Frequently asked questions
Start with SPF, then DKIM (via your email provider), then publish DMARC as p=none to collect reports. Once reports look clean, tighten DMARC to p=quarantine and then p=reject.
SPF allows a maximum of 10 DNS lookups when evaluating a record. Each include, a, mx, and similar mechanism counts. Exceeding 10 causes a PermError and SPF effectively fails — flatten or reduce your includes.
p=none only monitors — it doesn't block spoofed mail. It's the right starting point, but you should move to p=quarantine or p=reject once you've confirmed legitimate mail passes.