Email Security Check
Check any domain's SPF, DKIM and DMARC records and get a clear grade for how well it's protected against spoofing — straight from public DNS.
Check a domain's email security
Enter a domain (e.g. example.com) to
audit its SPF, DKIM and DMARC setup.
Why email authentication matters
Email was never built with identity checks, so anyone can forge the “from” address on a message. SPF, DKIM and DMARC are the three DNS records that close that gap. Without them, attackers can impersonate your domain to send phishing and your legitimate mail is more likely to land in spam. With them configured correctly, receiving servers can verify that a message really came from you.
This tool reads those records over public DNS and grades the setup the way a receiving mail server would see it — so you can spot a missing record or a weak policy before it costs you deliverability or your reputation.
How to read your grade
The grade reflects how complete and strict your protection is. Here's how each record contributes.
| Record | Strong | Weak / missing |
|---|---|---|
| SPF | Present, ends with -all | Absent, or ~all/?all |
| DKIM | A signing key found on a selector | No common selector resolves |
| DMARC | p=reject or quarantine | Absent, or p=none |
How to use this tool
- 1. Type the domain you send mail from (not a full email address).
- 2. Press Check domain to query its public DNS records.
- 3. Read the grade, then expand each record to see the exact value.
- 4. Fix the weakest record first — usually a missing DMARC policy.
Frequently asked questions
What do SPF, DKIM and DMARC actually do? +
They are three DNS records that protect a domain from email spoofing. SPF lists which servers may send mail for you. DKIM signs each message so the recipient can verify it wasn't tampered with. DMARC ties the two together and tells receiving servers what to do with mail that fails — and where to send reports.
Why can't the test always find a DKIM record? +
DKIM keys live under a 'selector' name that only the domain owner chooses, and there's no way to list selectors over DNS. We probe the most common ones (google, selector1, default, and so on). A 'not found' here means none of the usual selectors matched — not necessarily that DKIM is missing.
What is a good DMARC policy? +
p=reject is the strongest: it tells receivers to drop mail that fails checks. p=quarantine sends it to spam. p=none only monitors and offers no protection — it's a starting point, not a finish line. Aim to move toward quarantine or reject once you've confirmed legitimate mail passes.
Does '-all' or '~all' matter in SPF? +
Yes. '-all' (hard fail) tells receivers to reject mail from servers not on your list. '~all' (soft fail) only marks it as suspicious. Hard fail is stronger, but only set it once you're sure every legitimate sender is included.
Where does this data come from? +
We query public DNS over HTTPS via Google's resolver, straight from your browser. We only read TXT records that are already public — nothing is stored.
Keeping mail — and the rest of your domain — secure
Tight SPF, DKIM and DMARC stop spoofing, but inbound threats still arrive by email every day. Endpoint antivirus with anti-phishing, plus a VPN for anyone checking mail on public Wi-Fi, rounds out the picture for a small team or a privacy-minded individual. Pair this audit with a look at how exposed your own browsing is.
Some links on this site are affiliate links — we may earn a commission, at no extra cost to you. It never changes our verdicts or what the test reports.