SPF / DKIM / DMARC
Check email authentication records for any domain to verify protection against spoofing and phishing.
| Record | Status | Value |
|---|
About the SPF / DKIM / DMARC checker
SPF, DKIM, and DMARC are the three DNS-based standards that work together to stop your domain being used to send spoofed or forged email, and to help legitimate messages avoid the spam folder. Getting all three configured correctly is one of the most impactful things you can do for email deliverability, yet it is also one of the most commonly misconfigured areas of DNS. This tool checks all three records for a domain in one pass and flags what is missing or incorrectly set up.
How it works
SPF (Sender Policy Framework) is a TXT record listing which mail servers are authorised to send email on behalf of your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email, allowing receiving servers to verify the message was not altered in transit and genuinely came from an authorised sender. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties the two together, telling receiving mail servers what to do if a message fails SPF or DKIM checks, and where to send reports about authentication failures.
DNSbyte checks for the presence and basic validity of each record type, and for DMARC specifically reports the configured policy, whether it is set to none, quarantine, or reject.
Frequently asked questions
I only have an SPF record, is that enough?
SPF alone provides some protection but is the weakest of the three on its own, since it can be bypassed in certain forwarding scenarios. DKIM and DMARC together provide much stronger protection and are increasingly required by major mail providers.
What is the difference between DMARC policy none, quarantine, and reject?
None means failed messages are delivered as normal but reports are still generated, useful for monitoring before enforcing anything. Quarantine sends failed messages to spam or junk. Reject blocks them entirely. Most domains start at none and move to stricter policies once they have confirmed legitimate mail is not being incorrectly flagged.
Why does my SPF check fail even though I have an SPF record?
A common issue is having more than one SPF TXT record, which is invalid and causes mail servers to treat the whole thing as a permanent error. Another frequent cause is exceeding the ten DNS lookup limit that SPF imposes, often from including too many third-party services.
What is a DKIM selector and why does it matter for this check?
The selector is a label that identifies which DKIM key was used to sign a message, since a domain can have multiple keys active at once for different services. Without knowing the correct selector, a generic check cannot retrieve the specific DKIM record, which is why some DKIM checks need the selector supplied directly by whoever set it up.
I just set up these records, why does the check still show them as missing?
TXT records follow the same propagation and TTL rules as any other DNS record. Allow some time after publishing for the change to be visible everywhere, and confirm the record was saved correctly in your DNS provider's control panel.