
Email Security Check – SPF, DKIM, DMARC & DNSSEC

Validate your domain’s email authentication records in seconds. Check SPF, DKIM, DMARC, and DNSSEC configuration against best practices. Free, no sign-up required.

Why Email Authentication Matters

Email authentication is critical for protecting your domain from spoofing, phishing, and abuse. Without proper SPF, DKIM, and DMARC records, attackers can send emails that appear to come from your domain, damaging your reputation and putting your users at risk.

Our Email Security Check analyzes your domain’s DNS records to verify that all email authentication mechanisms are properly configured. We check for common misconfigurations and provide actionable recommendations to improve your email security posture.

SPF (Sender Policy Framework)

SPF defines which mail servers are authorized to send email on behalf of your domain. It uses a DNS TXT record to list approved IP addresses and mechanisms. Without SPF, any server can claim to send email from your domain.

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to outgoing emails, allowing receiving servers to verify the message was not altered in transit and truly originates from your domain. DKIM uses public/private key cryptography: the sending server signs with the private key, and the public key is published in DNS.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC ties SPF and DKIM together, telling receiving servers what to do when authentication fails. It provides reporting capabilities so you can monitor authentication results and protect against unauthorized use of your domain.

DNSSEC (DNS Security Extensions)

DNSSEC adds cryptographic signatures to DNS records, preventing DNS cache poisoning and man-in-the-middle attacks. It ensures that DNS responses are authentic and have not been tampered with during transit.

How Our Email Security Check Works

1. Enter your domain – Type any domain name to begin the security analysis.

2. Automatic DNS queries – Our tool queries multiple DNS record types including TXT records for SPF, DKIM selectors, and DMARC policies, as well as DNSSEC chain validation.

3. Policy validation – Each record is parsed and validated against RFC specifications and industry best practices.

4. Security scoring – You receive a clear pass/fail assessment for each protocol with specific recommendations to fix any issues found.

5. Actionable recommendations – Detailed guidance on how to fix misconfigurations or implement missing authentication records.

Common Email Security Issues

Missing SPF record – Without an SPF record, your domain has no protection against email spoofing. Add a TXT record starting with “v=spf1” that lists your authorized mail servers.

SPF too permissive (+all) – An SPF record ending with “+all” allows any server to send email as your domain. Use “-all” (hard fail) or “~all” (soft fail) instead.

No DMARC policy – Without DMARC, receiving servers don’t know what to do with emails that fail SPF/DKIM checks. Start with “v=DMARC1; p=none” and gradually move to “p=quarantine” or “p=reject”.

DMARC set to p=none – While “p=none” enables monitoring, it doesn’t protect against spoofing. Transition to “p=quarantine” or “p=reject” after analyzing your DMARC reports.

Missing DKIM – Without DKIM, receiving servers cannot verify email integrity. Configure your mail server to sign outgoing messages and publish the public key in DNS.

DNSSEC not enabled – Without DNSSEC, your DNS records are vulnerable to cache poisoning attacks. Contact your DNS provider to enable DNSSEC for your domain.
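
The SPF and DMARC checks from the list above can be expressed as a small parser over raw TXT record strings. This is an added example, not the code behind this tool; the function names and sample records are constructed, and the records are supplied inline instead of being fetched from DNS.

```python
# Added example; function names and sample records are constructed for illustration.
ALL_FORMS = {"all": "+", "+all": "+", "-all": "-", "~all": "~", "?all": "?"}

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into ordered (tag, value) pairs."""
    pairs = (part.partition("=") for part in record.split(";"))
    return [(k.strip(), v.strip()) for k, _, v in pairs if k.strip()]

def check_spf(apex_txt):
    """Findings for the TXT records published at the domain itself."""
    spf = [r.lower().split() for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["missing SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records"]  # RFC 7208: receivers return permerror
    terms = spf[0][1:]
    # Evaluation stops at the first 'all'; a bare 'all' carries the default '+' qualifier.
    qualifier = next((ALL_FORMS[t] for t in terms if t in ALL_FORMS), None)
    if qualifier is None:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy lives in the redirect target, which needs its own check
        return ["SPF has no 'all' mechanism"]
    if qualifier == "+":
        return ["SPF too permissive (+all)"]
    if qualifier == "?":
        return ["SPF ends in ?all (neutral)"]
    return []  # -all (hard fail) or ~all (soft fail)

def check_dmarc(dmarc_txt):
    """Findings for the TXT records published at _dmarc.<domain>."""
    records = [tags for tags in map(parse_tags, dmarc_txt) if tags[:1] == [("v", "DMARC1")]]
    if not records:
        return ["no DMARC policy"]
    policy = dict(records[0]).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["DMARC record has no valid p= tag"]
    return ["DMARC set to p=none"] if policy == "none" else []

def audit(apex_txt, dmarc_txt):
    return check_spf(apex_txt) + check_dmarc(dmarc_txt)

# Constructed samples: (TXT at example.com, TXT at _dmarc.example.com)
SAMPLES = {
    "weak": (["v=spf1 include:_spf.example.net +all"], ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]),
    "good": (["site-verification=abc123", "v=spf1 ip4:192.0.2.0/24 -all"], ["v=DMARC1; p=reject;"]),
}

if __name__ == "__main__":
    for name, (apex, dmarc) in SAMPLES.items():
        print(name, audit(apex, dmarc) or "no findings")
```
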

Frequently Asked Questions

What is email authentication?
Email authentication is a set of techniques (SPF, DKIM, DMARC) that verify the sender of an email is who they claim to be. These DNS-based records help prevent phishing, spoofing, and improve email deliverability.

Do I need all three protocols (SPF, DKIM, DMARC)?
Yes. SPF alone is not enough because it can be bypassed. DKIM alone doesn’t tell receivers what to do on failure. DMARC ties them together and provides a policy for handling unauthenticated messages. All three work together for comprehensive protection.

Will implementing these records affect my email deliverability?
Properly configured email authentication improves deliverability. Major providers like Google and Microsoft require SPF and DKIM, and favor domains with DMARC policies. Start with DMARC p=none to monitor before enforcing.

How long do changes take to propagate?
DNS changes typically propagate within 1-48 hours depending on the TTL (Time to Live) values of your records. Most changes are visible within a few hours.

What is DNSSEC and do I need it?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records. While not required for email authentication, it prevents DNS spoofing attacks that could redirect your email traffic. It is increasingly recommended as a security best practice.