Enter any domain to instantly check its SPF, DKIM, and DMARC records. All lookups run directly in your browser using DNS-over-HTTPS via Cloudflare's public resolver — nothing is sent to any ToolsKit server.
This tool checks all three layers of email authentication for any domain: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). Each lookup queries DNS TXT records via Cloudflare's DNS-over-HTTPS API and returns the raw record alongside a plain-English explanation of what it means for your domain's email security posture.
example.com) — no need to include https://.p=none), send to spam (p=quarantine), or reject entirely (p=reject).
DKIM records are not published at the root domain — they live at a subdomain in the format
selector._domainkey.yourdomain.com. The selector is chosen by your mail provider
(Google Workspace uses google, many ESPs use default or mail).
This tool tries the most common selectors automatically, but if your provider uses a custom one
it won't be found here. Check your mail provider's DNS setup docs to confirm the selector name.
Yes. SPF and DKIM verify individual checks, but without DMARC there's no policy telling receivers
what to do when those checks fail. An attacker can still spoof your domain in the From:
header and deliver mail to inboxes if DMARC isn't present. Start with p=none
(monitoring mode) to collect reports, then move to p=quarantine or p=reject
once you're confident all legitimate mail is passing.
An SPF pass means the sending server is listed in your SPF record. SPF alignment (used by DMARC)
additionally requires that the domain in the Return-Path header matches the domain in
the From: header. Bulk senders and ESPs sometimes send mail with a shared
Return-Path domain, which means SPF passes but doesn't align — DMARC then falls
back to checking DKIM alignment instead.
Want the full explanation? Read the guide: SPF, DKIM, and DMARC Explained — A Practical Guide for Sysadmins →