Email Health (SPF, DKIM, DMARC)
Check a domain's SPF, DKIM, and DMARC records plus its MX, with plain-English notes.
About Email Health (SPF, DKIM, DMARC)
Email health checks the three records that decide whether your mail is trusted: SPF, DKIM, and DMARC, plus the domain’s MX. Enter a domain (or an email address) and the tool reads each record and explains, in plain language, what is set, what is missing, and what to tighten.
The three work together. SPF lists which servers are allowed to send for your domain. DKIM adds a cryptographic signature so receivers can verify a message was not altered and really came from you. DMARC ties them together and tells receivers what to do when a message fails, and where to send reports. Without all three aligned, your legitimate mail is easier to spoof and more likely to land in spam.
Common findings this surfaces: no SPF at all, an SPF record ending in +all that lets anyone send, a DMARC policy stuck at p=none so nothing is enforced, or no DKIM at the selector you use. DKIM lives at a selector you choose, so if it is not found at the common ones, enter your selector (for example the part before _domainkey in your DKIM DNS record) to check it directly.
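The findings listed above, written as an offline check. This is an added example, not this tool's own code: it takes TXT strings that were already read from DNS, and the function names, finding texts and sample records are constructed for illustration. It goes slightly beyond the list by treating a bare all as +all and an empty DKIM p= tag as a revoked key.

```python
# Added example: inputs are TXT strings already fetched from public DNS.
def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(txts):
    spf = [r for r in txts if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    # A bare "all" carries the default "+" qualifier, so it equals "+all".
    if any(t.lower() in ("all", "+all") for t in spf[0].split()[1:]):
        return ["SPF contains +all: any server passes"]
    return []

def check_dmarc(txts):
    recs = [parse_tags(r) for r in txts if r.strip().startswith("v=DMARC1")]
    if not recs:
        return ["no DMARC record"]
    policy = recs[0].get("p", "").lower()
    if policy == "none":
        return ["DMARC p=none: monitoring only, nothing enforced"]
    return [] if policy in ("quarantine", "reject") else ["DMARC p= missing or invalid"]

def check_dkim(by_selector):
    keys = [(s, parse_tags(r)) for s, txts in by_selector.items() for r in txts]
    keys = [(s, t) for s, t in keys if "p" in t]
    if not keys:
        return ["no DKIM key at the checked selectors"]
    # An empty p= tag means the key was revoked (RFC 6376).
    return [f"DKIM key at selector {s} is revoked" for s, t in keys if t["p"] == ""]

def audit(r):
    return check_spf(r["spf"]) + check_dmarc(r["dmarc"]) + check_dkim(r["dkim"])

# Constructed sample records for example.com (not real DNS data or a real key).
WEAK = {
    "spf": ["site-verification=constructed", "v=spf1 include:_spf.example.net +all"],
    "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "dkim": {"default": [], "selector1": []},
}
FIXED = {
    "spf": ["v=spf1 include:_spf.example.net -all"],
    "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "dkim": {"selector1": ["v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="]},
}

for name, recs in (("weak", WEAK), ("fixed", FIXED)):
    print(name, audit(recs) or "no findings")
```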
These lookups run on our server, which queries public DNS, because browsers cannot make raw DNS queries. The domain you enter is sent to our server only to read its public records and is not stored.
Frequently asked questions
What do SPF, DKIM, and DMARC each do?
SPF authorizes which servers may send for your domain. DKIM signs messages so receivers can verify they are genuine and unaltered. DMARC sets the policy for what happens when a message fails SPF or DKIM, and requests reports.
Why is my DKIM not found?
DKIM records live at a selector you pick, like selector1._domainkey.yourdomain.com. We try common selectors automatically; if yours is different, type it into the DKIM selector field and check again.
My DMARC says p=none. Is that bad?
p=none only monitors; it does not stop spoofed mail. It is a fine starting point to collect reports, but move to p=quarantine and then p=reject once you confirm your legitimate mail passes, to actually block abuse.
What is wrong with +all in SPF?
An SPF record ending in +all tells receivers to accept mail from any server, which defeats the purpose. Use -all (hard fail) or ~all (soft fail) so only your listed senders are trusted.
Is my domain or email stored?
No. The domain (or the domain part of an email address) is sent to our server only to read its public DNS records and is not logged or stored.