Email Authentication Checker

Verify SPF, DMARC, and DKIM records to ensure email deliverability and prevent domain spoofing.

spf-check.sh

SPF Record

Domain

dmarc-check.sh

DMARC Record

Domain

dkim-check.sh

DKIM Record

DKIM Selector

Domain

Common selectors:

Check all three at once

Enter your domain and run SPF, DMARC, and DKIM checks simultaneously

Understanding Email Authentication

SPF, DKIM, and DMARC are three complementary DNS-based email authentication standards that work together to prevent email spoofing and improve deliverability.

SPF (Sender Policy Framework)

SPF specifies which mail servers are authorized to send email for your domain. It is a TXT record at your root domain. Example: v=spf1 include:_spf.google.com ~all. If an unauthorized server sends email claiming to be from your domain, receiving servers can reject it.

DMARC (Domain-based Message Authentication)

DMARC builds on SPF and DKIM. It tells receiving mail servers what to do when an email fails authentication: nothing (p=none), quarantine to spam (p=quarantine), or reject entirely (p=reject). It also provides reporting. The DMARC record is a TXT record at _dmarc.yourdomain.com.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outgoing emails. Receiving servers verify the signature against your public key published in DNS. The DKIM TXT record is at selector._domainkey.yourdomain.com. The selector is chosen by your email provider (e.g., "google" for Google Workspace).

Frequently Asked Questions

Missing or misconfigured SPF, DKIM, and DMARC records are a common reason emails land in spam. Check all three using the tools above. Also verify that your sending IP has a valid reverse DNS (PTR) record. Other factors include sending reputation, content, and engagement rates.

Start with p=none (monitor only) to receive reports without affecting email flow. Once you're confident your SPF and DKIM are correct, move to p=quarantine (suspicious emails go to spam), then p=reject (unauthorized emails are rejected entirely). p=reject provides the strongest protection against domain spoofing.

The DKIM selector is set by your email provider. Common selectors: Google Workspace uses "google"; Microsoft 365 uses "selector1" and "selector2"; Mailchimp uses "k1"; SendGrid uses "s1" or "s2". Check your email provider's documentation for the correct selector.