Email Authentication Record Checker

Why SPF, DKIM, and DMARC Matter

SPF, DKIM, and DMARC are the three DNS-based standards that prove an email actually came from the domain on the From line. Without them, anyone on the internet can forge messages that appear to come from your domain — and inboxes know it. Major providers (Gmail, Yahoo, Microsoft) increasingly require all three before they will reliably deliver bulk or transactional mail. If your invoices are landing in spam, your sales sequences are bouncing, or your domain has been blocklisted, these three records are the first place to look. For background on how DNS itself works, see our walkthrough on how DNS works.

What Each Record Does

• SPF (Sender Policy Framework) publishes the list of mail servers authorized to send mail for your domain. It lives in a TXT record on the domain root and starts with v=spf1. Receiving servers compare the sending IP to that list and reject or quarantine anything that does not match.
• DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to every outgoing message. The receiver fetches your public key from a TXT record at {selector}._domainkey.{domain} and verifies the signature. A valid DKIM signature proves the message has not been tampered with in transit.
• DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together. A TXT record at _dmarc.{domain} tells receivers what to do when a message fails — accept, quarantine, or reject — and where to send aggregate failure reports so you can monitor abuse.

Finding Your DKIM Selector

DKIM is the trickiest of the three to look up because the selector is chosen by your email sending platform, not by a standard. Each platform uses its own naming convention. Google Workspace uses google. Microsoft 365 uses selector1 and selector2. Mailchimp uses k1, SendGrid uses s1, Mandrill uses mandrill, and many self-hosted servers default to default or mail. If you do not know yours, look at the DNS records your provider asked you to publish — the selector is the leftmost label in the hostname before _domainkey. You can also inspect the DKIM-Signature header in any message you have sent recently; the s= tag is your selector.

How To Read The Results

This tool queries the TXT records using DNS over HTTPS and surfaces what it finds verbatim. A valid SPF record begins with v=spf1 and ends with a qualifier such as -all (hard fail) or ~all (soft fail). A valid DMARC record begins with v=DMARC1 and includes a p= policy of none, quarantine, or reject. A valid DKIM record begins with v=DKIM1 and contains a public key in the p= tag. If a record is missing, the corresponding panel will tell you so — to build the missing SPF or DMARC record from guided options, use the SPF and DMARC record generator. For a deeper look at just SPF, including a running count against the 10-DNS-lookup limit, use the dedicated SPF record lookup. Pair this checker with our general DNS record checker when you want to inspect MX records, A records, or anything beyond the email-auth trio.

Related Tools & Resources

For more diagnostics, run a DNS Record Checker, or inspect just the TXT records, MX records, or SPF record on a domain. Build records from scratch with the SPF and DMARC record generator, and after publishing, confirm they have propagated with the DNS propagation checker. Check whether your sending IP appears on a DNS blacklist, look up reverse DNS for an IP, or read about every DNS record type. Browse the full networking tools hub for everything in one place.