Free DNS Email-Security Check (SPF, DMARC, DKIM)

Enter a domain to check how well it is protected against email spoofing. This reads the domain's SPF, DMARC, and MX records — and an optional DKIM selector — parses each for strictness, and gives you an overall anti-spoofing grade with specific fixes. It's free, instant, and uses only public DNS.

What this DNS security check shows

  • SPF — whether the domain declares who may send its email, and how strictly (-all vs ~all vs none).
  • DMARC — whether spoofed mail is rejected, quarantined, or only monitored (p=reject vs quarantine vs none).
  • MX — the mail servers that receive the domain's email.
  • DKIM — if you supply a selector, whether a signing key is published for it.

Run a check

Enter a domain like example.com. The DKIM selector is optional — leave it blank if you don't know it.


Frequently asked questions

What is SPF?
SPF (Sender Policy Framework) is a DNS record listing which servers may send email for your domain. Ending it in -all tells receivers to reject anyone not on the list; ~all only marks them as suspect.
What is DMARC and why does the policy matter?
DMARC ties SPF and DKIM back to the visible From address and tells receivers what to do with mail that fails: p=reject blocks it, p=quarantine sends it to spam, and p=none only watches. Only reject and quarantine actually stop spoofing.
What is a DKIM selector?
DKIM signs your outgoing mail with a key published in DNS under a named "selector". You can find yours in a sent message's DKIM-Signature header (the s= tag). Leave the field blank if you don't know it.
Does this send any email or touch the domain's servers?
No. It only reads public DNS records. It never sends mail and never connects to the domain's own servers.
My domain doesn't send email — do I still need these?
Yes. A parked or non-sending domain should publish v=spf1 -all and a DMARC p=reject policy so attackers can't spoof it either.