Email authentication checker.
Check any domain's SPF, DKIM and DMARC records in five seconds. No signup. No account. Just answers — straight from public DNS.
What this checks
SPF (Sender Policy Framework)
Tells receiving mail servers which IPs are allowed to send mail using
your domain in the From address. Get it wrong and your legitimate mail
gets junked, or worse — attackers can pass SPF while spoofing you.
We check whether you have a record, whether it ends in -all (strict)
or ~all (soft fail), and whether you're
close to the 10-DNS-lookup limit that breaks SPF silently.
DKIM (DomainKeys Identified Mail)
Cryptographically signs each outgoing mail so receivers can verify it
really came from you. Each provider uses a "selector" (a label) to
name their key — Google uses google, Microsoft 365 uses
selector1 / selector2,
others use their own. We probe ~20 common selectors and tell you which
ones are publishing keys.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
Tells receivers what to do when mail fails SPF or DKIM, and where to
send reports. Without DMARC, attackers can impersonate your domain
freely. We check the policy (none = monitoring,
quarantine = junk,
reject = block), enforcement percentage,
and whether you're collecting reports.
MX (Mail Exchange)
Just for context — tells you where mail to this domain actually lands. We identify common providers (Google Workspace, Microsoft 365, ProtonMail, etc.) so you know what stack you're working with.
Found issues?
Email authentication is one of the things we fix every day. SPF that's
too permissive. DMARC stuck at p=none for years
because nobody set up reporting. DKIM that Microsoft 365 quietly stopped
signing because the key rotated. +all in
production. Eight different SPF includes adding up to a permerror.
Most of these are 30-minute fixes once you know what you're looking at. If your check flagged anything you'd rather have a specialist diagnose properly — including the messy edge cases this tool can't see — talk to us.
Privacy
Lookups happen in your browser via Cloudflare's public DNS-over-HTTPS endpoint. Edos Solutions doesn't log the domains you check, doesn't run any analytics on this page, and doesn't capture your IP. The only record of your queries is in your own browser's network tab.
Frequently asked questions
- What is SPF and why does it matter?
- SPF (Sender Policy Framework) is a DNS record that tells receiving mail servers which IP addresses are authorised to send mail using your domain. Without a valid SPF record, any server on the internet can send email appearing to come from your domain — and many receivers will junk or reject your legitimate mail because they can't verify it.
- What is DKIM?
- DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each outgoing message, proving the email hasn't been tampered with and was authorised by your domain. Each mail provider publishes a public key in DNS under a 'selector' — we probe around 20 common selectors including Google, Microsoft 365, Mailchimp, SendGrid and others.
- What is DMARC?
- DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receivers what to do when a message fails both — nothing (p=none), send it to junk (p=quarantine), or reject it (p=reject). It also sends aggregate reports showing who is sending mail using your domain so you can spot abuse.
- My DMARC policy is p=none. Is that a problem?
- p=none is monitoring mode — it doesn't block any mail. It's fine as a starting point because it lets you collect reports and identify all your legitimate senders before enforcing anything. The problem is that most organisations stay on p=none indefinitely, giving attackers a free pass to impersonate them. Once you've reviewed your reports and confirmed your senders, tighten to p=quarantine then p=reject.
- Why weren't any DKIM selectors found for my domain?
- DKIM selectors are arbitrary strings chosen by your mail provider. If yours uses a non-standard selector (like your domain name, or a custom string), it won't appear in our list of common selectors. Check your mail provider's setup documentation for the selector name, then look up <selector>._domainkey.yourdomain.com using our DNS lookup tool.
- What is the SPF 10-lookup limit?
- RFC 7208 limits SPF evaluation to 10 DNS lookups. Each include:, a:, mx: and redirect= mechanism triggers at least one lookup. Exceeding 10 causes a 'permerror' — receivers may treat your mail as failing SPF entirely, even though it's legitimate. Complex records with many includes (Microsoft 365 + Google + Mailchimp + SendGrid) commonly hit this limit.