Free DNS Email-Security Check (SPF, DMARC, DKIM)
Enter a domain to check how well it is protected against email spoofing. This reads the domain's SPF, DMARC, and MX records — and an optional DKIM selector — parses each for strictness, and gives you an overall anti-spoofing grade with specific fixes. It's free, instant, and uses only public DNS.
What this DNS security check shows
- SPF — whether the domain declares who may send its email, and how strictly (
-allvs~allvs none). - DMARC — whether spoofed mail is rejected, quarantined, or only monitored (
p=rejectvsquarantinevsnone). - MX — the mail servers that receive the domain's email.
- DKIM — if you supply a selector, whether a signing key is published for it.
Run a check
Enter a domain like example.com. The DKIM selector is optional — leave it blank if you don't know it.
Frequently asked questions
- What is SPF?
- SPF (Sender Policy Framework) is a DNS record listing which servers may send email for your domain. Ending it in
-alltells receivers to reject anyone not on the list;~allonly marks them as suspect. - What is DMARC and why does the policy matter?
- DMARC ties SPF and DKIM back to the visible From address and tells receivers what to do with mail that fails:
p=rejectblocks it,p=quarantinesends it to spam, andp=noneonly watches. Only reject and quarantine actually stop spoofing. - What is a DKIM selector?
- DKIM signs your outgoing mail with a key published in DNS under a named "selector". You can find yours in a sent message's
DKIM-Signatureheader (thes=tag). Leave the field blank if you don't know it. - Does this send any email or touch the domain's servers?
- No. It only reads public DNS records. It never sends mail and never connects to the domain's own servers.
- My domain doesn't send email — do I still need these?
- Yes. A parked or non-sending domain should publish
v=spf1 -alland a DMARCp=rejectpolicy so attackers can't spoof it either.