SPF/DKIM/DMARC Record Checker

Look up SPF, DMARC, and DKIM records for any domain in real time and diagnose your anti-spoofing email authentication setup.

Tips

  • The standard order is SPF, then DKIM, then DMARC. Set up SPF and DKIM first, and use DMARC last to clarify instructions for receiving servers.
  • Start DMARC with p=none rather than p=reject immediately. Collect reports first to identify every legitimate sending source before tightening the policy step by step.
  • Domains with many SPF includes can hit the "10 DNS lookup / 255 character" limit and cause lookup failures, so periodically clean up unnecessary includes.
  • This tool only tries common DKIM selectors, so a "not found" result may simply mean a different selector is actually in use.
  • Major receivers like Gmail and Outlook have required SPF, DKIM, and DMARC for bulk senders since 2024, so domains sending newsletters should check this setup first.

Frequently Asked Questions

It is not strictly mandatory, but only when all three are configured together do you get a consistent defense: proving the legitimacy of the sender (SPF/DKIM) and instructing receivers on how to handle failures (DMARC). Setting up just one has limited effect, so setting them up in order is recommended.

Not necessarily. Since DKIM selector names can be freely chosen by each sending service, a "not found" result just means the domain does not use one of the common names (default, google, etc.) this tool tries. To check precisely, look at the sending service's admin panel or the DKIM-Signature header of an email.

This is not recommended. If you have not fully identified all legitimate sending sources (such as newsletter services or internal systems), setting reject immediately risks blocking legitimate mail as well. It is safer to start with p=none, collect reports for a few weeks to confirm there are no issues, and then tighten gradually to quarantine and reject.

-all (Fail, explicit rejection) is ultimately recommended, but during a migration period when you are less confident in your SPF setup, ~all (SoftFail, treated as suspicious) is safer — confirm no legitimate mail is being blocked before switching to -all.

No. The DNS lookup for the domain you enter is performed on the fly, and the retrieved record data is not stored on the server.
ツールくん

Side Note — How the three pillars of anti-spoofing email defense came to be

SPF, DKIM, and DMARC each emerged at different times for different reasons. SPF, which appeared first around 2003, declares which IP addresses are allowed to send mail using a given domain name, and it spread as a countermeasure against spammers forging sender addresses. However, SPF is weak against forwarding: when mail is forwarded, the sending IP changes and authentication breaks.

DKIM (standardized around 2007) addressed that weakness. Rather than judging by IP address like SPF, it attaches a digital signature to part of the message body and headers, which the receiver verifies against a public key published in DNS — so authentication still passes after forwarding as long as the signature itself remains intact.

Still, SPF and DKIM could only detect that authentication had failed; what to do about it — deliver, mark as spam, or reject — was left entirely to the receiving server. DMARC, standardized in 2012, unified these receiver-side instructions. It also added a reporting mechanism (rua=) that sends authentication results back to the sending domain's administrators, enabling continuous monitoring for abuse of one's own domain.

When Google and Yahoo effectively required SPF, DKIM, and DMARC for bulk senders (5,000+ messages per day) in 2024, these three pillars became essential knowledge not just for large enterprises but for any organization sending newsletters or system notification emails.

→ Browse all trivia