Email Authentication Checker

Validate SPF, DKIM and DMARC records to ensure your domain's email is properly authenticated.

Learn More About Email Authentication

What is Email Authentication?

Email authentication is a set of three complementary protocols — SPF, DKIM, and DMARC — that work together to verify that an email genuinely came from the domain it claims to be from. Think of them as a chain of trust: SPF verifies who is allowed to send, DKIM verifies the message has not been tampered with, and DMARC ties them together with a policy that tells receivers what to do when checks fail.

Without these protocols, anyone can forge the From address on an email, making it appear to come from your domain. This is called email spoofing, and it is the foundation of most phishing attacks. Email authentication prevents this by giving receiving mail servers a way to verify legitimacy.

SPF Explained

Sender Policy Framework (SPF) is a DNS TXT record that specifies which mail servers are authorised to send email on behalf of your domain. When a receiving server gets an email from your domain, it checks the SPF record to see if the sending server's IP address is on the approved list.

SPF records use several mechanisms to define allowed senders:

  • include: — References another domain's SPF record. Used for third-party services like Google Workspace or Microsoft 365.
  • ip4: / ip6: — Explicitly allows specific IP addresses or ranges.
  • a / mx — Allows the domain's own A record IPs or MX server IPs to send.
  • -all (hard fail) — Reject email from any server not listed. The strictest and most secure option.
  • ~all (soft fail) — Accept but mark as suspicious. Useful during initial setup or testing.

A common pitfall is exceeding the limit of 10 DNS lookups. Each include, a, mx, and redirect term counts as a lookup, and lookups inside nested includes count too. Exceeding 10 lookups causes SPF to fail entirely, which can break email delivery.
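The lookup limit is easy to check offline before publishing a record. The sketch below is an added example, not this tool's own code: it counts DNS-querying terms across nested includes using constructed records under .test domains in place of live DNS. It also counts ptr and exists, which RFC 7208 includes in the same limit, and the names SAMPLE_TXT, count_lookups and audit are illustrative.

```python
# Constructed sample data standing in for DNS: domain -> SPF TXT record.
SAMPLE_TXT = {
    "example.test": "v=spf1 mx a include:_spf.mailer.test include:_spf.crm.test ~all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test "
                        "include:_c.mailer.test -all",
    "_a.mailer.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "_b.mailer.test": "v=spf1 ip4:198.51.100.0/24 a -all",
    "_c.mailer.test": "v=spf1 ip6:2001:db8::/32 mx -all",
    "_spf.crm.test": "v=spf1 include:_spf.relay.test exists:%{i}.allow.crm.test -all",
    "_spf.relay.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "small.test": "v=spf1 ip4:192.0.2.10 include:_a.mailer.test -all",
}

LOOKUP_LIMIT = 10
# Terms that trigger a DNS query during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def count_lookups(domain, txt=SAMPLE_TXT, path=()):
    """Count DNS-querying terms reachable from a domain's SPF record."""
    if domain in path:      # include loop: stop instead of recursing forever
        return 0
    total = 0
    # A missing record yields no terms here; a real evaluator would report an error.
    for term in txt.get(domain, "").split()[1:]:    # skip the v=spf1 version tag
        term = term.lstrip("+-~?")                  # drop the qualifier
        sep = "=" if term.lower().startswith("redirect=") else ":"
        name, _, target = term.partition(sep)
        name = name.split("/")[0].lower()           # "a/24" -> "a"
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect") and target:
            # Nested records spend from the same budget as the top-level record.
            total += count_lookups(target, txt, path + (domain,))
    return total


def audit(domain, txt=SAMPLE_TXT):
    """Summarise the lookup count and the top-level 'all' term for a domain."""
    n = count_lookups(domain, txt)
    terms = txt.get(domain, "").split()
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    return {"lookups": n, "over_limit": n > LOOKUP_LIMIT, "all": all_term}
```

The constructed example.test record has only four lookup-causing terms at the top level, yet audit("example.test") reports 11 lookups once the nested includes are followed.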

DKIM Explained

DomainKeys Identified Mail (DKIM) adds a cryptographic signature to every outgoing email. The sending server signs the message headers and body with a private key, then the receiving server uses a public key published in DNS to verify the signature. If the email was altered in transit, the signature will not match and the message fails DKIM verification.

DKIM records are published as TXT records at [selector]._domainkey.yourdomain.com. The selector is a label chosen by your email provider (e.g. google, default, s1) that allows multiple DKIM keys to coexist for the same domain. This is useful when transitioning between providers or when multiple services send email on your behalf.

Our tool checks a comprehensive list of common selectors used by major email providers. If your selector is not found, it does not necessarily mean DKIM is not configured — your provider may use a custom selector that we did not test.

DMARC Explained

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a DNS TXT record published at _dmarc.yourdomain.com. It serves two critical functions: it tells receiving servers what to do when SPF or DKIM checks fail, and it provides a mechanism for receiving servers to send reports back to you about authentication results.

DMARC has three policy levels:

  • p=none — Monitor only. Email is delivered normally regardless of authentication results. Use this to collect reports before enforcing a stricter policy.
  • p=quarantine — Suspicious email is sent to the spam or junk folder. A good intermediate step.
  • p=reject — Unauthorised email is rejected outright. The strongest protection against spoofing.

The rua tag specifies where aggregate reports are sent (daily XML summaries of authentication results), while ruf is for forensic reports (individual failure notifications). DMARC also checks alignment — whether the domain in the From header matches the domain that passed SPF or DKIM.

Why This Matters

Since 2024, major email providers including Gmail, Yahoo, and Microsoft require bulk senders to have SPF, DKIM, and DMARC properly configured. Without them, your emails are far more likely to land in the spam folder or be rejected outright. Even for low-volume senders, these protocols are considered baseline requirements for email deliverability.

Beyond deliverability, email authentication protects your brand. Without DMARC enforcement, attackers can send phishing emails that appear to come from your domain, potentially compromising your customers, partners, and reputation. Implementing all three protocols is the single most effective step you can take to secure your domain's email.