Back to Tools

SPF, DKIM & DMARC Checker

Check SPF, DKIM, and DMARC records for authentication, alignment, spoofing protection, and deliverability.

Enter a domain name to check its email authentication configuration

Email authentication for SPF, DKIM, and DMARC

Use this checker to review the DNS records that protect a domain from email spoofing and support reliable deliverability. It is useful when mail lands in spam, SPF returns permerror, DKIM is missing, or DMARC alignment is unclear.

When to use this tool

  • Check SPF, DKIM, and DMARC before sending from a new domain.
  • Troubleshoot mail landing in spam or failing authentication.
  • Verify spoofing protection after DNS or mail-provider changes.
  • Confirm whether DMARC alignment is possible for your setup.

How to read the results

  • SPF should exist once and include all authorized senders.
  • DKIM should publish a valid selector key for your mail platform.
  • DMARC should define policy, reporting, and alignment behavior.
  • Warnings usually point to DNS syntax, missing records, or weak policy.

Common email authentication problems

SPF permerror: often caused by multiple SPF records, too many DNS lookups, or invalid SPF syntax.
Missing DKIM: outbound messages are not signed, or the DKIM selector record is not published in DNS.
Invalid DMARC policy: policy is missing, malformed, or too weak for spoofing protection.
Mail in spam: check SPF/DKIM/DMARC plus IP reputation with the blacklist checker.

Related tools

SMTP TesterBlacklist CheckerDNS LookupDNS Propagation

SPF is a DNS TXT record that lists which mail servers are allowed to send email for a domain. A broken SPF record can cause delivery failures or SPF permerror results.

DKIM adds a cryptographic signature to outgoing mail. The receiving server checks the public DKIM key in DNS to confirm that the message was not modified.

DMARC tells receivers what to do when SPF or DKIM checks fail and whether the message aligns with the visible From domain.

Common causes include missing DKIM, invalid SPF, weak or missing DMARC policy, poor IP reputation, blacklist listings, or messages that fail domain alignment.

Yes. A domain should publish one SPF TXT record. Multiple SPF records can trigger SPF permerror and make receivers treat mail as unauthenticated.

DMARC alignment checks whether the domain authenticated by SPF or DKIM matches, or aligns with, the domain shown in the From header.