Free DMARC, SPF and DKIM checker
Most domains 'have DMARC' but with p=none — meaning they monitor but don't actually block phishing. We check the full email-auth stack: SPF syntax and lookup limits, DKIM key strength, DMARC policy strength, and DMARC alignment with SPF/DKIM. Find out why your domain is being spoofed.
Free tool · No signup · No credit card · Results in 60 seconds
Why email auth is the #1 phishing defense
Without DMARC, anyone can send email FROM your domain to anyone. Mail servers will accept it. Users see your name in the From header. Your support inbox gets the angry reply. With DMARC at p=reject, that same forged email is dropped at the recipient's mail server — silently, before anyone sees it. The vast majority of brand-impersonation phishing is enabled by missing or weak DMARC. Yet most domains still ship p=none ('monitor only') years after deployment, because moving to p=quarantine or p=reject feels scary. Our checker tells you exactly what's stopping you.
of domains have a DMARC record but only ~15% are at p=quarantine or p=reject — the rest are 'monitor only'.
10 max DNS lookups in an SPF record before it's marked PermError. Common cause of silent SPF failure.
to validate SPF, all DKIM selectors we can find, and DMARC policy with full alignment check.
What our DMARC checker tests
9 deep checks across the SPF/DKIM/DMARC trio — not just 'is the record present'.
SPF record presence and syntax
Looks up the v=spf1 TXT record on your apex domain and validates its syntax (proper mechanisms, terminator). A missing or syntactically broken SPF means receiving servers can't verify your sending IPs.
Severity: high
SPF DNS lookup limit (≤10)
Each include:, a:, mx:, exists:, redirect= counts as a lookup. Over 10 = PermError = your SPF silently fails for all receivers. We resolve the full chain and count.
Severity: high
SPF terminator (-all vs ~all vs ?all)
+all is dangerous (allows any sender), ?all is neutral (no policy), ~all is soft-fail, -all is hard-fail. We grade based on how strongly your policy actually rejects forgeries.
Severity: medium
DKIM selector discovery and key strength
We probe ~30 common selectors (default, google, mailchimp, sendgrid, mandrill, etc.) and validate each found key. RSA <1024 bits = critical fail. We also flag deprecated 'k=rsa' without explicit hash algorithm.
Severity: high
DKIM key publication & DNS health
Validates the TXT record format, parses the p= public key, checks for accidental whitespace/newline corruption (very common cause of silent DKIM failure).
Severity: high
DMARC record presence at _dmarc subdomain
Looks up _dmarc.yourdomain.com TXT. Missing = receivers fall back to 'no policy' = anyone can spoof you.
Severity: critical
DMARC policy strength (p=)
p=none monitors only, p=quarantine sends suspicious mail to spam, p=reject blocks it. We grade A (reject), B (quarantine), C (none with rua), F (none without rua).
Severity: high
DMARC alignment mode (aspf= and adkim=)
Strict (s) requires exact domain match, relaxed (r) allows subdomain. Default is relaxed. We flag mismatches between your aspf/adkim and how you actually send mail.
Severity: medium
DMARC reporting addresses (rua= and ruf=)
Without rua/ruf, you have no visibility into which servers are sending mail with your domain. We verify the addresses are valid and (where possible) accept reports from external domains.
Severity: medium
How the email-auth checker works
We do live DNS resolution against three records: yourdomain.com (for SPF), _dmarc.yourdomain.com (for DMARC), and a list of common DKIM selectors at selector._domainkey.yourdomain.com. We use authoritative DNS where possible to avoid stale resolver cache issues.
For SPF, we follow every include:, a:, mx:, exists:, redirect= and ptr: directive recursively, building the full lookup graph. If we hit 10 lookups before processing all directives, we report PermError — that's exactly how receiving mail servers will treat it. Common cause: chaining 'include:_spf.google.com include:mailgun.org include:sendgrid.net include:mailchimp.com' without realizing each adds 2-4 sub-lookups.
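The lookup counting described above, as an added example that is not the checker's own code. It walks a constructed in-memory zone instead of live DNS; every domain name in ZONE and the function name spf_lookups are made up for illustration.

```python
import re

LOOKUP_LIMIT = 10  # the ceiling the page cites; going past it is a PermError
# Terms that cost a DNS lookup. ip4:, ip6: and all cost nothing.
TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=$|[:/])(?::(\S+))?", re.I)

# Constructed zone (domain -> SPF TXT value); stands in for live DNS answers.
ZONE = {
    "corp.test": "v=spf1 include:esp1.test include:esp2.test include:esp3.test include:esp4.test mx -all",
    "lean.test": "v=spf1 include:esp4.test ip4:192.0.2.10 -all",
    "esp1.test": "v=spf1 include:a.esp.test include:b.esp.test exists:%{i}.rbl.test ~all",
    "esp2.test": "v=spf1 include:a.esp.test a mx ~all",
    "esp3.test": "v=spf1 include:b.esp.test a:mail.esp3.test ~all",
    "esp4.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "a.esp.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.esp.test": "v=spf1 ip4:198.51.100.0/24 ~all",
}

def spf_lookups(domain, zone=ZONE):
    """Walk the include/redirect graph; return (status, lookups_counted)."""
    used = 0

    def walk(name, path):
        nonlocal used
        record = zone.get(name, "")
        # Simplification: a loop or a missing record is reported as PermError.
        if name in path or not record.lower().startswith("v=spf1"):
            return False
        for term in record.split()[1:]:
            if term.lower().startswith("redirect="):
                kind, target = "redirect", term.split("=", 1)[1]
            else:
                m = TERM.match(term)
                if not m:
                    continue  # no DNS lookup for this term
                kind, target = m.group(1).lower(), m.group(2)
            used += 1
            if used > LOOKUP_LIMIT:
                return False  # receivers stop evaluating here
            # Only include: and redirect= pull in another SPF record.
            if kind in ("include", "redirect") and not walk(target, path | {name}):
                return False
        return True

    ok = walk(domain, frozenset())
    return ("ok" if ok else "permerror", used)
```

Four includes on corp.test look harmless, but the nested terms push the count to 11 before the top-level mx is even reached.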
For DKIM, since selectors aren't predictable, we probe a curated list of the 30 most common selector names from major ESPs (Google, Mailgun, Sendgrid, Mandrill, Mailchimp, Amazon SES, Postmark, etc.). If you use a custom selector we don't try, you can pass it via the URL; the full audit accepts a list of known selectors.
For DMARC, we parse the policy tag-by-tag and apply Google's recommended grading rubric — same one used by Google Postmaster Tools and Microsoft SNDS. We don't just say 'has DMARC' — we say what stage of deployment maturity you're at and what specifically blocks the next step.
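A tag-by-tag DMARC parse with the A/B/C/F grades listed under "DMARC policy strength", as an added example that is not the checker's own code. The function names, the findings wording and the corp.test records are assumptions made for illustration; the sp= fallback to p= and the relaxed alignment defaults follow the DMARC specification.

```python
ORDER = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Return {tag: value} for a DMARC TXT value, or None if it is not DMARC1."""
    parts = [p.strip() for p in txt.split(";")]
    if parts[0].replace(" ", "") != "v=DMARC1":  # v= must be the first tag
        return None
    pairs = (p.split("=", 1) for p in parts if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def grade_dmarc(txt):
    """Grade with the page's rubric and list what blocks the next stage."""
    tags = parse_dmarc(txt or "")
    p = (tags or {}).get("p", "").lower()
    if p not in ORDER:
        return {"grade": None,
                "findings": ["no valid DMARC record; receivers apply no policy"]}
    has_rua = bool(tags.get("rua"))
    # A = reject, B = quarantine, C = none with rua, F = none without rua
    grade = {"reject": "A", "quarantine": "B"}.get(p, "C" if has_rua else "F")
    sp = tags.get("sp", p).lower()
    sp = sp if sp in ORDER else p  # subdomain policy falls back to p=
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    findings = []
    if p == "none":
        findings.append("p=none only monitors; forged mail is still delivered")
    if not has_rua:
        findings.append("no rua=; no aggregate reports to find unauthenticated senders")
    if ORDER[sp] < ORDER[p]:
        findings.append(f"sp={sp} is weaker than p={p}; subdomains stay spoofable")
    if p != "none" and pct < 100:
        findings.append(f"pct={pct}; policy applies to only part of failing mail")
    return {"grade": grade, "p": p, "sp": sp, "pct": pct,
            "aspf": tags.get("aspf", "r").lower(),
            "adkim": tags.get("adkim", "r").lower(), "findings": findings}

# Constructed sample records; corp.test is a placeholder domain.
SAMPLES = [
    "v=DMARC1; p=none",
    "v=DMARC1; p=none; rua=mailto:dmarc@corp.test",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@corp.test",
    "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@corp.test; adkim=s",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record, "->", grade_dmarc(record))
```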
Frequently asked questions
I have DMARC but I'm still getting impersonated. Why?
Most likely your policy is p=none — that means 'monitor and report' but doesn't actually block. Check your policy tag. If it's already p=quarantine or p=reject, double-check alignment: phishers may be spoofing a subdomain you haven't covered with the sp= subdomain policy.
Is going from p=none to p=reject really that risky?
It's only risky if you have legitimate mail flows that aren't authenticated yet — a forgotten marketing tool, a CRM that sends from your domain without DKIM signing, a 3rd-party invoicing service. Move in stages: stay at p=none with rua= reporting for 2-4 weeks, fix every legitimate sender shown in reports, then move to p=quarantine pct=25, then 50, 100, then p=reject. Tools like dmarcian, Postmark and Cloudflare Email Routing automate this.
Do I need DKIM if I have SPF and DMARC?
Strongly recommended. SPF only authenticates the IP sending the mail, not the message itself. DKIM signs the message body and headers — required if you forward mail through mailing lists or use 'send as' from another domain. DMARC requires either SPF OR DKIM to pass for the alignment check, but DKIM is more resilient.
What's the SPF +all vs -all difference?
+all says 'any IP is authorized' (defeats the purpose), -all says 'only the IPs in this record are authorized — reject all others'. ~all is soft-fail (mark as suspicious, don't reject). Use -all once you're confident in your record. Use ~all during initial deployment.
How often should I check DMARC?
Set up DMARC RUA reports — they'll mail you weekly aggregate XML reports of every server sending mail with your domain. You'll catch new legitimate senders (a marketing tool, a new department's CRM) before they hit your reject policy. Run our checker after any major change to your mail routing.
Can I check Microsoft 365 / Google Workspace tenants?
Yes — we check the public DNS records, which work the same regardless of provider. Both M365 and Workspace have built-in DKIM key rotation. Verify your custom domain DKIM is enabled (it's off by default for Workspace until you turn it on in Admin > Apps > Google Workspace > Gmail > Authenticate email).
What does BIMI have to do with DMARC?
BIMI (Brand Indicators for Message Identification) lets you display your logo next to authenticated mail in supporting clients (Gmail, Yahoo, Apple Mail). Requirement: DMARC at p=quarantine or p=reject and a VMC (Verified Mark Certificate). The full audit checks BIMI eligibility too.