Email Authentication Checker
Check all major email authentication signals for a domain and get an A–F grade based on how well it's protected against spoofing.
Live lookup, no account required. Get alerted when your record changes.
See plans →What this tool checks
Email authentication has three layers (SPF, DKIM, and DMARC), and all three need to be configured correctly for your mail to pass at strict receivers. A misconfiguration in any one of them can cause silent delivery failures that don't produce bounce messages. This tool checks all three in one pass, parses their configuration, and flags anything that would cause DMARC to fail. Setting this up from scratch? Our guide to setting up email for a new SaaS walks through SPF, DKIM, and DMARC end to end.
How grades are assigned
An A requires p=reject at full enforcement, SPF with -all, at least one DKIM selector, and an MTA-STS policy. A B has p=reject with DKIM or SPF but is missing some signals. C covers quarantine or partial enforcement. D is monitoring only (p=none). F means no DMARC record.
Frequently asked questions
Do I need to check SPF, DKIM, and DMARC separately?
My SPF passes but DMARC still fails, why?
I get a DMARC pass on this tool but mail still goes to spam, what next?
What's the difference between p=none, p=quarantine, and p=reject?
p=none, collect reports, take no action on failures. p=quarantine — send failures to the spam folder. p=reject, block failures entirely. Most domains should move to p=reject once DMARC reports confirm all legitimate senders are aligned.Seeing signals drop over time?
DMARCdrift monitors your DMARC records continuously and alerts you the moment a policy or DNS record changes, before it affects deliverability.
Get started free →Monitor all your authentication grades continuously. Free for one domain.
See plans →