SPF / DKIM / DMARC Checker
Enter any domain to instantly verify its email authentication posture. Results are pulled live from DNS — no account required.
Check Your Domain
Understanding the Results
Three Standards. One Authentication Layer.
SPF, DKIM, and DMARC work in combination. A gap in any one weakens the others.
SPF
Sender Policy Framework
A DNS TXT record listing which IP addresses and mail servers are authorized to send email from your domain.
Without SPF, any server can send email appearing to come from your domain. This is the most basic layer of email spoofing protection.
DKIM
DomainKeys Identified Mail
A cryptographic signature added to outgoing email that receiving servers can verify against a public key published in DNS.
DKIM protects message integrity — verifying that content was not altered in transit and that the sending domain can be authenticated cryptographically.
DMARC
Domain-based Message Authentication
A policy record telling receiving servers what to do when SPF or DKIM checks fail: monitor, quarantine, or reject.
DMARC is the enforcement layer. Without it, SPF and DKIM results are visible but no action is taken on failures.
What To Look For
Five Indicators of Email Authentication Maturity
SPF Hard Fail (-all)
Prefer "-all" (hard fail) over "~all" (soft fail) once your authorized sending sources are fully inventoried. Hard fail gives receiving servers a clear directive to reject unauthorized messages.
SPF Include Count
SPF records have a 10 DNS lookup limit. Too many nested includes cause SPF to fail with a "permerror". Use tools like MXToolbox to verify your lookup count if you have many sending services.
DKIM Selector Visibility
If DKIM is not detected, this does not mean it's absent — it may use a non-standard selector. Check your email provider's admin portal to confirm DKIM is enabled and note the selector name.
DMARC Policy Enforcement
"p=none" provides visibility but no protection. "p=quarantine" routes failing messages to spam. "p=reject" prevents delivery entirely. The goal is "p=reject" with a monitoring address configured.
DMARC Reporting Address
The "rua=" tag sends aggregate reports to a specified address. These reports identify sources sending email from your domain — both legitimate and unauthorized. Without them you are flying blind.
Operational Impact
Email Authentication Affects More Than Deliverability
Properly configured email authentication is an operational governance requirement — not just an IT task.
Regulatory Compliance
HIPAA, NIST SP 800-171, CMMC, and SOC 2 all include requirements around email security controls. Missing DMARC enforcement is a documented finding in many compliance assessments — particularly for healthcare, legal, and government contractor organizations.
Business Email Compromise Prevention
BEC (Business Email Compromise) attacks often involve spoofing your domain to impersonate executives or finance staff. DMARC enforcement at "p=reject" directly prevents successful spoofing of your exact domain by external parties.
Microsoft 365 Deliverability
Microsoft 365's spam filtering uses SPF, DKIM, and DMARC alignment signals to score inbound and outbound messages. Misconfigured records increase the probability that legitimate outbound mail is flagged as spam by recipient organizations.
Client and Partner Trust
Recipients increasingly receive warnings when email from a domain lacks authentication. Some organizations filter or reject unauthenticated email by policy. Authentication is now a baseline expectation for professional communication.
FAQ
Common Questions
What is SPF and why does it matter?
SPF (Sender Policy Framework) is a DNS record that lists which mail servers are authorized to send email on behalf of your domain. Without it, any server can send email appearing to come from your domain. For Microsoft 365, SPF must include the Office 365 sending infrastructure and any additional approved sending services.
Why can't DKIM always be verified?
DKIM signatures are tied to specific "selectors" — custom identifiers your mail provider assigns. This tool checks 13 common selectors used by major providers. If your provider uses a non-standard selector, DKIM may be active but not detected. Verify DKIM configuration in your email provider's admin portal.
What DMARC policy should I use?
Start with "p=none" for monitoring with a "rua=" reporting address. Review aggregate reports for 30–60 days to identify all legitimate sending sources. Move to "p=quarantine" once confident, then to "p=reject" for full enforcement. Do not rush to "p=reject" — a misconfigured enforcement policy will reject legitimate mail.
How often should I review these records?
Review after any email provider change, new third-party sending service, or domain migration. For compliance-aware organizations, quarterly reviews are a reasonable baseline. Changes to email configuration should always include verification of SPF, DKIM, and DMARC records.
What happens when SPF and DMARC conflict?
DMARC evaluates both SPF and DKIM results. A message passes DMARC if it passes either SPF or DKIM in alignment with the From domain. If both fail, DMARC enforcement applies the configured policy (none, quarantine, or reject). Having both SPF and DKIM configured provides redundancy.
Does this affect Microsoft 365 deliverability?
Directly. Microsoft 365 email filtered as spam by recipient servers is often due to missing or misconfigured SPF, DKIM, or DMARC. Exchange Online Protection also uses these signals internally. Properly configured email authentication reduces false positive spam filtering and improves delivery rates.
Related Operational Resources
Broader DNS diagnostic including MX and NS records alongside email authentication.
Inspect certificate validity, expiration, and TLS configuration.
Ongoing Microsoft 365 governance including email authentication and Defender configuration.
Align email security posture with HIPAA, SOC 2, and NIST requirements.
Operational Support
Need help configuring email authentication?
IT KORR can audit your email security posture and coordinate SPF, DKIM, and DMARC implementation across your current providers — no migration required.
No commitment required — we respond within one business day.