SPF/DKIM/DMARC Record Checker
Look up SPF, DMARC, and DKIM records for any domain in real time and diagnose your anti-spoofing email authentication setup.
Tips
- The standard order is SPF, then DKIM, then DMARC. Set up SPF and DKIM first, and use DMARC last to clarify instructions for receiving servers.
- Start DMARC with p=none rather than p=reject immediately. Collect reports first to identify every legitimate sending source before tightening the policy step by step.
- Domains with many SPF includes can hit the "10 DNS lookup / 255 character" limit and cause lookup failures, so periodically clean up unnecessary includes.
- This tool only tries common DKIM selectors, so a "not found" result may simply mean a different selector is actually in use.
- Major receivers like Gmail and Outlook have required SPF, DKIM, and DMARC for bulk senders since 2024, so domains sending newsletters should check this setup first.
Frequently Asked Questions
Side Note — How the three pillars of anti-spoofing email defense came to be
SPF, DKIM, and DMARC each emerged at different times for different reasons. SPF, which appeared first around 2003, declares which IP addresses are allowed to send mail using a given domain name, and it spread as a countermeasure against spammers forging sender addresses. However, SPF is weak against forwarding: when mail is forwarded, the sending IP changes and authentication breaks.
DKIM (standardized around 2007) addressed that weakness. Rather than judging by IP address like SPF, it attaches a digital signature to part of the message body and headers, which the receiver verifies against a public key published in DNS — so authentication still passes after forwarding as long as the signature itself remains intact.
Still, SPF and DKIM could only detect that authentication had failed; what to do about it — deliver, mark as spam, or reject — was left entirely to the receiving server. DMARC, standardized in 2012, unified these receiver-side instructions. It also added a reporting mechanism (rua=) that sends authentication results back to the sending domain's administrators, enabling continuous monitoring for abuse of one's own domain.
When Google and Yahoo effectively required SPF, DKIM, and DMARC for bulk senders (5,000+ messages per day) in 2024, these three pillars became essential knowledge not just for large enterprises but for any organization sending newsletters or system notification emails.