Skip to main content
dnsverifier.com

SPF, DKIM, DMARC Checker

The dnsverifier.com SPF, DKIM, DMARC checkeraudits every layer of email authentication for a domain in one streaming pass: MX, SPF (with full include-tree expansion and the RFC 7208 ten-lookup limit), DKIM (per-selector key inspection — algorithm, bit length, syntax), DMARC, MTA-STS, TLS-RPT, BIMI, and optionally a live SMTP probe and DNSBL scan. Every issue includes a copy-paste DNS record fix.

Frequently asked questions

What is SPF and how do I check it?
SPF (Sender Policy Framework, RFC 7208) is a TXT record at your apex domain that lists which servers may send mail using your domain. Run the checker — it expands every include:, redirect=, and a/mx mechanism into a tree and verifies the total stays within the 10-lookup limit (exceeding it is a hard SPF failure).
What is DKIM and how is the key validated?
DKIM (DomainKeys Identified Mail) signs outgoing email with a private key; receivers fetch the public key from <selector>._domainkey.<domain> as a TXT record. The checker probes the 23 most common selectors plus any you list, parses the SubjectPublicKeyInfo, and reports algorithm (RSA or Ed25519) and bit length (1024 is weak, ≥2048 recommended).
What is DMARC and what does p=reject mean?
DMARC (RFC 7489) sits on top of SPF and DKIM and tells receivers what to do when a message fails alignment. p=none means 'monitor only', p=quarantine means 'spam folder', and p=reject means 'bounce the message'. Aim for p=reject after you've verified DMARC reports for two weeks.
How is dnsverifier.com different from MXToolbox?
Both audit MX, SPF, DKIM, DMARC. dnsverifier.com adds full SPF include-tree visualization, DKIM key-strength inspection, MTA-STS / TLS-RPT / BIMI checks, an optional live SMTP probe (banner, STARTTLS, cert), a DNSBL scan, and DNS-record fix snippets you can paste straight into Cloudflare / Route 53 / your registrar.
What is MTA-STS?
MTA-STS (RFC 8461) tells sending MTAs to require TLS when connecting to your MX hosts, preventing STARTTLS-stripping attacks. It is published as a TXT record at _mta-sts.<domain> pointing to a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt.