Skip to content

Email Authentication Checker

Check your SPF, DKIM, and DMARC setup. Get step-by-step instructions to fix issues.

Checks SPF, DKIM, and DMARC

No login required for preview GDPR-friendly

The Three Email Authentication Protocols

SPF

Lists servers authorized to send email for your domain

Check SPF →

DKIM

Adds cryptographic signature to verify email integrity

Check DKIM →

DMARC

Tells receivers what to do when authentication fails

Check DMARC →
1

Setting Up SPF

What is SPF?

SPF (Sender Policy Framework) is a DNS TXT record that lists IP addresses and servers authorized to send email for your domain. Receiving servers check this to verify the sender.

How to create an SPF record

1. List your email senders: Google Workspace, Microsoft 365, Mailchimp, SendGrid, etc.

2. Build the record:

v=spf1 include:_spf.google.com include:sendgrid.net -all

3. Add to DNS: Create a TXT record at your domain root (@)

SPF limits and best practices
  • Max 10 DNS lookups - Each include: counts as 1+
  • Only ONE SPF record - Multiple records cause failure
  • End with -all - Hard fail for unauthorized senders
  • Keep under 255 chars - Or split into multiple strings
Fix SPF too long →
2

Setting Up DKIM

What is DKIM?

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to emails. Your server signs with a private key; receivers verify using your public key in DNS. This proves emails weren't modified in transit.

How to set up DKIM

1. Generate keys in your email provider:

  • • Google Workspace: Admin → Apps → Gmail → Authenticate email
  • • Microsoft 365: Defender → Email authentication → DKIM

2. Add the public key to DNS:

selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGf..."

3. Enable signing in your provider's settings

DKIM best practices
  • Use 2048-bit keys - 1024-bit minimum
  • Rotate keys annually - Update selector when rotating
  • Set up for each sender - Each service needs its own DKIM
Fix DKIM after migration →
3

Setting Up DMARC

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together. It tells receivers what to do when authentication fails and sends you reports about email using your domain.

DMARC implementation path
p=none Monitor mode - collect data, don't affect delivery
p=quarantine Failed emails go to spam
p=reject Failed emails are rejected (goal)
Create your DMARC record

Start with monitoring:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Add as TXT record at _dmarc.yourdomain.com

Fix DMARC failures →

Advanced: MTA-STS & TLS-RPT

For additional security, implement these protocols to enforce encrypted email delivery:

MTA-STS

Enforce TLS encryption for incoming email

TLS-RPT

Receive TLS connection failure reports

Frequently Asked Questions

What is email authentication?

Email authentication is a set of protocols (SPF, DKIM, DMARC) that verify the sender of an email is who they claim to be. It prevents domain spoofing, improves deliverability, and is required by Google and Yahoo for bulk senders.

Do I need all three: SPF, DKIM, and DMARC?

Yes. SPF authorizes sending servers, DKIM adds cryptographic signatures, and DMARC ties them together with a policy. All three are required for full protection and to meet Google/Yahoo's 2024 bulk sender requirements.

How do I set up email authentication?

Add an SPF TXT record listing authorized senders, configure DKIM signing with your email provider and publish the public key in DNS, then add a DMARC policy starting with p=none for monitoring before progressing to enforcement.

Related Guides

New Domain Checklist Fix DMARC Failures SPF Too Long ← Back to Home

Authentication Tools

SPF Checker

Validate SPF record and DNS lookups

DKIM Lookup

Find and validate DKIM selectors

DMARC Checker

Check DMARC policy and alignment

Security Audit

Complete email security assessment

Monitor Your Email Authentication

Create a free account to track SPF, DKIM, DMARC status and get alerts on issues.

Start Free Monitoring