Check Domain Email Authentication
Popular domains:
Querying DNS records...
Problem: Emails Going to Spam?
When your emails land in spam folders or get rejected, it's usually because your domain's email authentication is not set up correctly. SPF, DKIM, and DMARC are DNS records that tell receiving mail servers whether your email is legitimate. AI chatbots cannot check real DNS records — they can only describe what authentication looks like in theory, not what your domain actually has configured.
How This Tool Solves It
- Real-time DNS queries — We query Cloudflare's DNS-over-HTTPS to read your actual SPF, DKIM, DMARC, and MX records live.
- Combined report — Instead of checking each record separately, you get one comprehensive email health report.
- Actionable warnings — We flag missing records, dangerous configurations (+all), excessive lookups, and policy issues.
- DKIM selector auto-detection — We check multiple common selectors to find your DKIM key.
- 100% private — No data is stored, logged, or tracked. We never record which domains you check.
What Each Record Does
What is SPF?
SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. It starts with v=spf1 and includes mechanisms like include, ip4, mx, and a. The -all or ~all at the end tells receivers what to do with unauthorized mail. Without SPF, anyone can forge emails from your domain (spoofing).
What is DKIM?
DKIM (DomainKeys Identified Mail) adds a digital signature to your outgoing emails. The signature is verified using a public key published as a DNS TXT record at <selector>._domainkey.yourdomain.com. If the signature matches, the email hasn't been tampered with. Each email service (Google, Microsoft, SendGrid, etc.) uses its own selector — that's why we check multiple common selectors.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do when SPF or DKIM fail. Published at _dmarc.yourdomain.com, it specifies a policy: p=none (monitor only), p=quarantine (send to spam), or p=reject (block outright). Google and Microsoft now require DMARC for bulk senders sending 5,000+ messages/day.
What do MX records tell me?
MX (Mail Exchange) records specify the mail servers that accept incoming email for your domain. They reveal who handles your email (Google Workspace, Microsoft 365, etc.) and the priority order of mail servers. Missing MX records mean your domain cannot receive email at all.
What does a "pass" result mean?
For SPF: the record exists, has valid syntax, doesn't exceed the 10-lookup limit, and doesn't use the dangerous +all mechanism. For DKIM: a valid public key was found. For DMARC: a record exists with a policy of p=quarantine or p=reject (not p=none). Passing all three means your domain has strong email authentication — you're protected from spoofing and your emails are more likely to reach the inbox.
Why are my emails still going to spam if authentication passes?
Email deliverability depends on more than authentication. Common factors include: high bounce rates, spam complaint rates above 0.1%, poor sender reputation, low engagement (recipients never open your mail), shared IP reputation, and content that triggers spam filters. Authentication is necessary but not sufficient — you also need good sending practices.
Is this tool free and private?
Yes, 100% free with no signup required. DNS queries are processed server-side via Cloudflare's DNS-over-HTTPS and results are returned as JSON. We do not store, log, or track any domains you check.
Why AI Cannot Replace This Tool
AI chatbots (ChatGPT, Claude, Gemini) cannot:
- Query live DNS records to read your actual SPF, DKIM, or DMARC configuration
- Detect whether a specific domain has email authentication set up right now
- Verify the syntax of your SPF record or count DNS lookups
- Find your DKIM key by trying multiple selectors
- Check if your DMARC policy is
p=none(no protection) orp=reject(full protection)
This tool does all of this by making real DNS-over-HTTPS queries to Cloudflare and parsing every record in detail.
Comments & Ratings