Email Auth Checker
Check whether a domain's email is protected against spoofing. This tool fetches its SPF and DMARC records, probes common DKIM selectors, and flags problems with plain-English fixes. Records are fetched live over DNS-over-HTTPS — only the domain name is sent.
New to this? Read the email auth checker guide →
Custom DKIM selector (optional)
DKIM records live at selector._domainkey.domain, and the selector is not published in DNS — the tool probes common ones, but add yours if you know it.
Records are fetched over DNS-over-HTTPS (Cloudflare, Google fallback). Only the domain name is sent to the resolver — SPF, DKIM and DMARC records are public DNS data. Nothing is stored by this site.
How to use the email auth checker
- Enter the domain that sends your email (the part after the @) and press Check.
- The tool fetches the domain's SPF and DMARC records and probes common DKIM selectors, then flags problems and suggests fixes.
- Fix anything marked in red first — those are the settings that most affect whether your mail is trusted or spoofable.
SPF, DKIM and DMARC in one minute
SPF lists which servers may send mail for your domain. DKIM cryptographically signs each message so the recipient can verify it was not altered and really came from you. DMARC ties the two together: it tells receivers what to do when a message fails both checks (nothing, quarantine, or reject) and where to send reports. You want all three, with DMARC set to at least quarantine once you have confirmed legitimate mail passes.
Why it matters
Without these records, anyone can forge email from your domain, and mailbox providers are increasingly likely to spam-folder or reject your legitimate mail. Gmail and Yahoo now require SPF, DKIM and DMARC for bulk senders. Getting them right improves deliverability and stops your brand being used in phishing.
Frequently asked questions
What do SPF, DKIM and DMARC do?
SPF lists which servers may send mail for your domain, DKIM cryptographically signs each message so it cannot be altered or forged, and DMARC tells receivers what to do when a message fails both (nothing, quarantine or reject) and where to send reports. Together they stop others spoofing your domain and improve deliverability.
Why does DKIM show as not found when I have it set up?
DKIM records live at a provider-specific selector (selector._domainkey.domain) that is not discoverable from DNS. The tool probes common selectors and lets you enter your own — find yours in the s= tag of the DKIM-Signature header on a message you have sent. A "not found" result only means none of the probed selectors matched.
My DMARC is p=none — is that a problem?
p=none only monitors; it does not stop spoofing. Use it to collect reports for a few weeks, confirm your legitimate mail passes SPF or DKIM, then move to p=quarantine and finally p=reject. Staying at none indefinitely leaves your domain spoofable.
Is anything uploaded?
No. SPF, DKIM and DMARC records are public DNS data. Only the domain name is sent to the DNS-over-HTTPS resolver, and this site stores nothing.