SPF, DMARC & DKIM Checker
Check whether your domain is protected against email spoofing. Looks up your SPF, DMARC, and DKIM records live — no signup.
Why this matters
Stop domain spoofing
Without SPF + DMARC enforcement, anyone can send phishing email as your domain — to your own customers. These records shut that down.
Protect deliverability
Mailbox providers increasingly require SPF/DKIM/DMARC. Missing them sends your real emails — receipts, resets, onboarding — straight to spam.
Check in seconds
Live DNS lookup of all three records with a clear pass / weak / fail verdict and the exact fix for each.
How it works
Enter your domain (e.g. yourdomain.com).
We look up your SPF, DMARC, and DKIM DNS records live via Cloudflare DoH.
Get a verdict for each, the actual record value, and a copy-ready fix where needed.
Frequently Asked Questions
What do SPF, DMARC, and DKIM do?
They're three DNS records that prove your email is genuine. SPF lists which servers may send mail as your domain. DKIM cryptographically signs your outbound mail. DMARC tells receiving servers what to do with mail that fails SPF/DKIM — and where to send reports. Together they stop attackers from spoofing your domain.
What happens if I don't have these records?
Without SPF/DMARC, anyone can send phishing emails that appear to come from your exact domain — to your customers and staff. Your domain becomes a phishing weapon, and your legitimate email is more likely to land in spam.
What's a good DMARC policy?
Start with p=none (monitor only) to see what's sending as you, then move to p=quarantine (spoofed mail to spam), and finally p=reject (spoofed mail rejected outright) once you've confirmed your legitimate senders pass. p=reject is the strongest protection.
Why does the SPF '+all' setting fail?
An SPF record ending in +all authorizes ANY server on the internet to send as your domain — which makes SPF pointless. Always end your SPF with -all (hard fail) or ~all (soft fail) so unauthorized senders are rejected or flagged.
My DKIM shows as not found — is it really missing?
DKIM uses a 'selector' name that varies by provider. This tool checks the most common selectors (google, default, selector1/2, k1, etc.). If you use a custom selector, DKIM may exist even if it's not detected here — check your email provider's DNS instructions.
Is this checker private?
Yes. The DNS lookups run from your browser via Cloudflare's public DNS-over-HTTPS endpoint. We don't store the domains you check.
Related Free Tools
Security Headers Checker
Check CSP, HSTS, and other security headers
SSL / HTTPS Checker
Verify HTTPS and HSTS configuration
API Key Leak Scanner
Find exposed secrets in your JS bundles
CSP Generator
Build a Content-Security-Policy header
JWT Decoder
Decode and inspect JSON Web Tokens
Security Scanner
Full 38-check security audit incl. email auth
Want the complete picture?
Run a full AI visibility audit — 25+ signals, fix roadmap, and AI-generated files.