Skip to content
D1
EN

Email authentication

Email Auth Checker

Audit SPF, DMARC, and DKIM for a domain in one report with optional DKIM selectors and a pass score.

Leave blank to try common selectors, or list up to five comma-separated selectors from your mail provider.

Open dedicated tools: SPF, DMARC, DKIM

Recent checks

Your recent successful checks will appear here.

How to use this tool

  1. SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. Start at the organizational domain, list every authorized sender, prefer include for SaaS providers, end with -all or ~all, stay under ten DNS lookups, then validate DMARC alignment before enforcement. For "include mechanisms and third-party senders", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.
  2. SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. Start at the organizational domain, list every authorized sender, prefer include for SaaS providers, end with -all or ~all, stay under ten DNS lookups, then validate DMARC alignment before enforcement. For "terminal all qualifiers and fail modes", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.
  3. SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. Start at the organizational domain, list every authorized sender, prefer include for SaaS providers, end with -all or ~all, stay under ten DNS lookups, then validate DMARC alignment before enforcement. For "multiple SPF TXT records", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.
  4. SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. Start at the organizational domain, list every authorized sender, prefer include for SaaS providers, end with -all or ~all, stay under ten DNS lookups, then validate DMARC alignment before enforcement. For "DNS lookup limits and flattening", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.
  5. SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. Start at the organizational domain, list every authorized sender, prefer include for SaaS providers, end with -all or ~all, stay under ten DNS lookups, then validate DMARC alignment before enforcement. For "SPF alignment with DMARC", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.
  6. SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. Start at the organizational domain, list every authorized sender, prefer include for SaaS providers, end with -all or ~all, stay under ten DNS lookups, then validate DMARC alignment before enforcement. For "ip4, ip6, mx, and ptr mechanisms", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

What the result shows

The result is split into the signals that matter for this specific check.

FieldPurposeExample
DomainSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "include mechanisms and third-party senders", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Enter the apex domain that appears in the visible From header.
Query nameSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "terminal all qualifiers and fail modes", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Confirm exactly one SPF, DMARC, and DKIM TXT record is published.
FoundSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "multiple SPF TXT records", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Review parsed mechanisms, terminal all, and lookup count.
ValidSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "DNS lookup limits and flattening", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Remove deprecated ptr and permissive +all when possible.
Terminal allSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "SPF alignment with DMARC", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Pair the result with DMARC and DKIM checks on the same domain.
MechanismsSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "ip4, ip6, mx, and ptr mechanisms", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Re-run after DNS TTL once includes are verified.
DNS lookup countSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "include mechanisms and third-party senders", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Enter the apex domain that appears in the visible From header.
Raw recordSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "terminal all qualifiers and fail modes", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Confirm exactly one SPF, DMARC, and DKIM TXT record is published.

When this check helps

Use the validator during ESP onboarding, Microsoft 365 or Google Workspace migrations, DMARC rollout, deliverability incidents, and vendor questionnaires. SPF is only half of authentication — DMARC still needs aligned DKIM or SPF results at the From domain. For "include mechanisms and third-party senders", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

Use the validator during ESP onboarding, Microsoft 365 or Google Workspace migrations, DMARC rollout, deliverability incidents, and vendor questionnaires. SPF is only half of authentication — DMARC still needs aligned DKIM or SPF results at the From domain. For "terminal all qualifiers and fail modes", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

Use the validator during ESP onboarding, Microsoft 365 or Google Workspace migrations, DMARC rollout, deliverability incidents, and vendor questionnaires. SPF is only half of authentication — DMARC still needs aligned DKIM or SPF results at the From domain. For "multiple SPF TXT records", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

Use the validator during ESP onboarding, Microsoft 365 or Google Workspace migrations, DMARC rollout, deliverability incidents, and vendor questionnaires. SPF is only half of authentication — DMARC still needs aligned DKIM or SPF results at the From domain. For "DNS lookup limits and flattening", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

Use the validator during ESP onboarding, Microsoft 365 or Google Workspace migrations, DMARC rollout, deliverability incidents, and vendor questionnaires. SPF is only half of authentication — DMARC still needs aligned DKIM or SPF results at the From domain. For "SPF alignment with DMARC", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

Use the validator during ESP onboarding, Microsoft 365 or Google Workspace migrations, DMARC rollout, deliverability incidents, and vendor questionnaires. SPF is only half of authentication — DMARC still needs aligned DKIM or SPF results at the From domain. For "ip4, ip6, mx, and ptr mechanisms", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

What to review when results look wrong

If no record appears, query the apex TXT directly — not _dmarc or a selector. When multiple SPF, DMARC, and DKIM strings exist, merge authorized sources into one record because receivers may reject ambiguous publications. After edits, wait for TTL and compare the raw TXT field against dig +short TXT example.com. For "include mechanisms and third-party senders", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

If no record appears, query the apex TXT directly — not _dmarc or a selector. When multiple SPF, DMARC, and DKIM strings exist, merge authorized sources into one record because receivers may reject ambiguous publications. After edits, wait for TTL and compare the raw TXT field against dig +short TXT example.com. For "terminal all qualifiers and fail modes", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

If no record appears, query the apex TXT directly — not _dmarc or a selector. When multiple SPF, DMARC, and DKIM strings exist, merge authorized sources into one record because receivers may reject ambiguous publications. After edits, wait for TTL and compare the raw TXT field against dig +short TXT example.com. For "multiple SPF TXT records", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

If no record appears, query the apex TXT directly — not _dmarc or a selector. When multiple SPF, DMARC, and DKIM strings exist, merge authorized sources into one record because receivers may reject ambiguous publications. After edits, wait for TTL and compare the raw TXT field against dig +short TXT example.com. For "DNS lookup limits and flattening", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

If no record appears, query the apex TXT directly — not _dmarc or a selector. When multiple SPF, DMARC, and DKIM strings exist, merge authorized sources into one record because receivers may reject ambiguous publications. After edits, wait for TTL and compare the raw TXT field against dig +short TXT example.com. For "SPF alignment with DMARC", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

If no record appears, query the apex TXT directly — not _dmarc or a selector. When multiple SPF, DMARC, and DKIM strings exist, merge authorized sources into one record because receivers may reject ambiguous publications. After edits, wait for TTL and compare the raw TXT field against dig +short TXT example.com. For "ip4, ip6, mx, and ptr mechanisms", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

How to interpret the result

SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "include mechanisms and third-party senders", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "terminal all qualifiers and fail modes", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "multiple SPF TXT records", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "DNS lookup limits and flattening", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "SPF alignment with DMARC", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with SPF, DMARC, and DKIM. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "ip4, ip6, mx, and ptr mechanisms", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

Recommended workflow

  1. Enter the apex domain that appears in the visible From header.
  2. Confirm exactly one SPF, DMARC, and DKIM TXT record is published.
  3. Review parsed mechanisms, terminal all, and lookup count.
  4. Remove deprecated ptr and permissive +all when possible.
  5. Pair the result with DMARC and DKIM checks on the same domain.
  6. Re-run after DNS TTL once includes are verified.

Tool vs manual checks

dig TXT example.com shows raw strings but does not parse mechanisms, warn on +all, or estimate lookup depth. DNS Checker lists all TXT values yet lacks SPF-specific validation. DN01 uses the same Go parser as the production API and returns shareable result pages. For "include mechanisms and third-party senders", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

dig TXT example.com shows raw strings but does not parse mechanisms, warn on +all, or estimate lookup depth. DNS Checker lists all TXT values yet lacks SPF-specific validation. DN01 uses the same Go parser as the production API and returns shareable result pages. For "terminal all qualifiers and fail modes", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

dig TXT example.com shows raw strings but does not parse mechanisms, warn on +all, or estimate lookup depth. DNS Checker lists all TXT values yet lacks SPF-specific validation. DN01 uses the same Go parser as the production API and returns shareable result pages. For "multiple SPF TXT records", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

dig TXT example.com shows raw strings but does not parse mechanisms, warn on +all, or estimate lookup depth. DNS Checker lists all TXT values yet lacks SPF-specific validation. DN01 uses the same Go parser as the production API and returns shareable result pages. For "DNS lookup limits and flattening", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

dig TXT example.com shows raw strings but does not parse mechanisms, warn on +all, or estimate lookup depth. DNS Checker lists all TXT values yet lacks SPF-specific validation. DN01 uses the same Go parser as the production API and returns shareable result pages. For "SPF alignment with DMARC", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

dig TXT example.com shows raw strings but does not parse mechanisms, warn on +all, or estimate lookup depth. DNS Checker lists all TXT values yet lacks SPF-specific validation. DN01 uses the same Go parser as the production API and returns shareable result pages. For "ip4, ip6, mx, and ptr mechanisms", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

Why use DN01

  • Live apex TXT lookup
  • Mechanism parsing and lookup estimate
  • Multiple-record and syntax errors
  • Warnings for ptr and permissive all
  • Pairs with DMARC and DKIM tools
  • Combined SPF, DMARC, and DKIM audit URL

FAQ

Email Auth Checker FAQ

Combined SPF, DMARC, and DKIM audit with optional selectors and a pass summary.

What does Email Auth Checker validate?

It runs SPF at the domain apex, DMARC at _dmarc.<domain>, and DKIM for each selector you provide, then summarizes how many layers pass. SPF, DKIM, and DMARC stack guide

Which DKIM selectors does DN01 try?

If you leave selectors blank, DN01 tries google, selector1, k1, s1, and default. Add your ESP or Microsoft 365 selector for accurate signing checks.

How is the pass score calculated?

The summary counts three layers: valid SPF TXT, valid DMARC policy, and at least one valid DKIM selector. Partial passes are common during migrations.

Should I fix SPF, DKIM, or DMARC first?

Fix SPF authorization and DKIM signing before tightening DMARC from p=none to quarantine or reject.

Can I share audit results with my team?

Result URLs include the domain and optional ?selectors= query so support teams can reopen the same audit.

How does this differ from the standalone tools?

This tool orchestrates the dedicated SPF, DMARC, and DKIM validators — use those pages when you need deep detail on one record.

Tool switcher

Pick the next step in your domain or security workflow.

Full tool catalog

Guides

Practical guides for common Email Auth Checker tasks — DNS records, troubleshooting steps, and links to our free tools.

Back to Email Auth Checker