SPF, DKIM and DMARC Checker
Check your domain email authentication records instantly. Color-coded results with plain-English explanations. Free, no signup.
What are SPF, DKIM, and DMARC records?
SPF, DKIM, and DMARC are three DNS records that together authenticate your email and prove to receiving servers that your domain is the legitimate sender. SPF lists authorized sending IP addresses. DKIM adds a cryptographic signature to each email. DMARC tells servers what to do when SPF or DKIM checks fail.
All three records are required for reliable email delivery in 2026. Google and Yahoo mandated DMARC for bulk senders in February 2024, and many enterprise mail servers now quietly reject or filter emails from domains missing these records. Setting up all three takes about 30 minutes and significantly improves inbox placement rates for cold email, transactional email, and newsletters.
How to check if your SPF record is working
Enter your domain in the SPF tab above and click Check. The tool queries your DNS and shows your SPF record with a pass or fail result. A valid SPF record starts with "v=spf1", includes your authorized sending services, and ends with "-all" to reject unauthorized senders.
Common SPF mistakes include having two SPF records (only one is allowed per domain), exceeding the 10 DNS lookup limit, and using "+all" which allows any sender to spoof your domain. If your SPF check fails, log into your domain registrar's DNS settings and add a TXT record with your SPF policy. Changes typically take 1 to 4 hours to propagate.
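The three mistakes listed above can be checked mechanically. The following is an added example, not this tool's own code: it runs against a constructed in-memory zone (the `ZONE` dict and every domain in it are placeholders standing in for live DNS) and counts lookups through nested include: targets, which is where the limit of 10 is usually exceeded.

```python
# Constructed TXT data standing in for live DNS; every domain is a placeholder.
ZONE = {
    "good.example": ["v=spf1 include:_spf.mail.example ip4:192.0.2.0/24 -all"],
    "_spf.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 include:_spf.mail.example ~all"],
    "open.example": ["v=spf1 a mx +all"],
    "deep.example": ["v=spf1 " + " ".join(f"include:n{i}.example" for i in range(6)) + " -all"],
    **{f"n{i}.example": ["v=spf1 a mx -all"] for i in range(6)},
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS query


def spf_records(domain):
    """Return the TXT strings at `domain` that are SPF records."""
    return [t for t in ZONE.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]


def count_lookups(domain, path=()):
    """Count DNS-querying terms, following include: and redirect= targets."""
    records = spf_records(domain)
    if domain in path or len(records) != 1:  # loop, or nothing usable to follow
        return 0
    total = 0
    for term in records[0].split()[1:]:
        body = term.lstrip("+-~?")  # drop the qualifier, keep the mechanism
        name, _, arg = body.partition(":")
        if body.lower().startswith("redirect="):
            total += 1 + count_lookups(body.split("=", 1)[1], path + (domain,))
        elif name.split("/")[0].lower() in LOOKUP_MECHS:
            total += 1
            if name.lower() == "include":
                total += count_lookups(arg, path + (domain,))
    return total


def analyze(domain):
    """Return a list of findings; an empty list means none of the three mistakes."""
    records = spf_records(domain)
    if not records:
        return ["no SPF record published"]
    if len(records) > 1:
        return [f"{len(records)} SPF records published; only one is allowed"]
    findings = []
    if any(t.lower() in ("+all", "all") for t in records[0].split()):
        findings.append("+all authorizes any sender")
    lookups = count_lookups(domain)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups; the limit is 10")
    return findings
```

The record for deep.example shows only six include: terms, yet each included record adds two more queries, so the total is 18.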
What to do if your DMARC policy is set to none
A DMARC policy of "p=none" means you are monitoring email authentication but not enforcing it. Emails that fail SPF or DKIM checks are still delivered. This is a safe starting point to understand your email traffic before moving to quarantine or reject.
The recommended path is: start with p=none and add a reporting address (rua=) to collect DMARC reports for 2 to 4 weeks. Review the reports to identify all legitimate sending sources. Once you have confirmed all sources pass SPF and DKIM, move to p=quarantine, then p=reject. Skipping straight to p=reject without monitoring first can block legitimate emails.
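The review step in this path means reading the aggregate reports that arrive at the rua= address. The following is an added example, not part of this tool: it summarizes a constructed report fragment (the XML, IP addresses and function names are illustrative) by source IP, so the sources that do not yet pass both SPF and DKIM stand out before the policy is tightened.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate (rua) report fragment; IPs are documentation ranges.
# Real reports come from third parties: parse them with a hardened XML parser
# (for example defusedxml) rather than the standard library.
REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def summarize(report_xml):
    """Map each source IP to message counts by evaluated SPF/DKIM outcome."""
    sources = defaultdict(lambda: {"both_pass": 0, "one_fails": 0, "both_fail": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ev = row.find("policy_evaluated")
        passed = [ev.findtext("dkim") == "pass", ev.findtext("spf") == "pass"]
        if all(passed):
            bucket = "both_pass"
        elif any(passed):
            bucket = "one_fails"   # still delivered, but a source to fix
        else:
            bucket = "both_fail"   # what quarantine or reject would act on
        sources[row.findtext("source_ip")][bucket] += int(row.findtext("count"))
    return dict(sources)


def needs_review(report_xml):
    """Source IPs to resolve before leaving p=none, worst offenders first."""
    flagged = [(ip, c) for ip, c in summarize(report_xml).items()
               if c["one_fails"] or c["both_fail"]]
    flagged.sort(key=lambda item: -item[1]["both_fail"])
    return [ip for ip, _ in flagged]
```

Each flagged IP is either a legitimate sender that still needs an SPF entry or DKIM signing, or an unauthorized source that enforcement is meant to stop.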
Frequently asked questions about SPF, DKIM, and DMARC
What is an SPF record and why do I need one?
An SPF (Sender Policy Framework) record is a DNS TXT record that lists which mail servers are authorized to send email for your domain. Without SPF, receiving mail servers cannot verify your emails are legitimate, which increases the chance they land in spam or get rejected entirely.
What is a DKIM record?
DKIM (DomainKeys Identified Mail) adds a cryptographic digital signature to your outgoing emails. The receiving server checks the signature against a public key stored in your DNS. If they match, the email is verified as unmodified in transit. DKIM protects against email spoofing and improves deliverability.
What is DMARC and is it required?
DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving servers what to do when SPF or DKIM checks fail: nothing (none), quarantine to spam, or reject entirely. Google and Yahoo made DMARC mandatory for bulk senders in 2024. Even small senders benefit from having a DMARC policy set.
How do I check my SPF record?
Enter your domain name in the checker above and click Check Records. The tool queries your domain DNS and shows your SPF record with a color-coded pass or fail result. You can also paste your SPF record directly into the manual checker for instant analysis.
What does a valid SPF record look like?
A valid SPF record starts with "v=spf1" and ends with "-all" (hard fail) or "~all" (soft fail). Example: "v=spf1 include:_spf.google.com include:sendgrid.net -all". This authorizes Google and SendGrid to send email for your domain and rejects all others.
What does a valid DMARC record look like?
A valid DMARC record looks like: "v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com". The p= tag sets the policy (none, quarantine, or reject). The rua= tag sets where aggregate reports are sent. Start with p=none to monitor before enforcing.
Why is my email going to spam even with SPF and DKIM set up?
SPF and DKIM passing does not guarantee inbox delivery. Other factors include your sender reputation score, sending volume and warm-up, spam trigger words in subject lines or body, and whether recipients engage with or delete your emails. Use the Cold Email Subject Line Tester to also check your content.
Can I have multiple SPF records?
No. You can only have one SPF TXT record per domain. If you need to authorize multiple mail providers, combine them in a single record using include: statements. Multiple SPF records cause SPF to fail entirely, which hurts deliverability.
What is the difference between SPF softfail and hardfail?
A softfail (~all) means unauthorized senders should be accepted but marked as suspicious. A hardfail (-all) means unauthorized senders should be rejected outright. Use hardfail (-all) once you have confirmed all your sending sources are listed in your SPF record.
How long does it take for DNS record changes to take effect?
DNS changes typically propagate within 1 to 4 hours, but can take up to 48 hours in some cases. After making changes to your SPF, DKIM, or DMARC records, wait at least 1 hour before re-checking. Use this tool to verify the updated records are visible.