โ† All tools

SPF / DKIM / DMARC Checker

Enter a domain to check all three email authentication records at once. See what's configured, what's missing, and how to fix it.

What Are SPF, DKIM, and DMARC?

SPF, DKIM, and DMARC are three DNS-based email authentication protocols that prove your emails are legitimate. Without them, inbox providers like Gmail and Outlook have no way to verify that an email claiming to be from your domain was actually sent by you โ€” and they'll treat it as suspicious.

  • SPF (Sender Policy Framework) โ€” a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. If an email comes from a server not in your SPF record, it fails authentication.
  • DKIM (DomainKeys Identified Mail) โ€” adds a cryptographic signature to every outgoing email. The receiving server checks this signature against a public key in your DNS to verify the message wasn't tampered with in transit.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) โ€” tells inbox providers what to do when an email fails SPF or DKIM checks: accept it, quarantine it, or reject it outright. It also enables reporting so you can monitor authentication failures.

Why Email Authentication Matters for Cold Email

If you're sending cold emails without proper SPF, DKIM, and DMARC records, you're almost certainly landing in spam. Google and Microsoft now require all three for bulk senders, and even low-volume senders see significantly better inbox placement when all records are properly configured.

Beyond deliverability, these records protect your domain from being spoofed. Without DMARC enforcement, anyone can send emails pretending to be from your domain โ€” damaging your reputation and potentially getting your domain blacklisted.

How This Tool Works

Enter any domain and this tool performs real-time DNS lookups to check all three records:

  • Looks for a TXT record starting with v=spf1 on your root domain
  • Checks common DKIM selectors (google, default, selector1, selector2, and others) for a valid DKIM public key
  • Queries _dmarc.yourdomain.com for a DMARC policy record

You get an overall grade (A through F) based on how many records are properly configured, plus specific details about what each record contains and what might need fixing.

Common Issues This Tool Detects

  • Missing SPF record entirely โ€” emails will fail authentication at most providers
  • SPF record with too many DNS lookups (limit is 10)
  • DMARC policy set to "none" โ€” monitoring only, not enforcing
  • Missing DKIM record โ€” emails can't be cryptographically verified
  • Multiple SPF records on the same domain (invalid per RFC)

Who Should Use This Tool?

Anyone sending email from a custom domain should check their authentication records regularly. This is especially critical for cold email senders, email marketers, SaaS companies, and agencies managing multiple client domains. Run this check after any DNS change, new email provider setup, or if you notice a sudden drop in deliverability.

Related articles

Cold Email Deliverability GuideWhy Your Cold Emails Land in SpamHow to Warm Up a New Cold Email Domain

Cleanmails auto-configures SPF, DKIM, and DMARC during installation.

Cleanmails โ€” self-hosted, unlimited everything, $497 one-time.

Get Cleanmails
More free tools
๐Ÿ›ก๏ธSpam Checkerโœ…Email Verifier๐Ÿ“งEmail Extractor๐ŸงนCSV Cleaner