← All toolsLive DNS lookup

Email Authentication Checker

Check all major email authentication signals for a domain and get an A–F grade based on how well it's protected against spoofing.

Live lookup, no account required. Get alerted when your record changes.

See plans →

What this tool checks

Email authentication has three layers (SPF, DKIM, and DMARC), and all three need to be configured correctly for your mail to pass at strict receivers. A misconfiguration in any one of them can cause silent delivery failures that don't produce bounce messages. This tool checks all three in one pass, parses their configuration, and flags anything that would cause DMARC to fail. Setting this up from scratch? Our guide to setting up email for a new SaaS walks through SPF, DKIM, and DMARC end to end.

How grades are assigned

An A requires p=reject at full enforcement, SPF with -all, at least one DKIM selector, and an MTA-STS policy. A B has p=reject with DKIM or SPF but is missing some signals. C covers quarantine or partial enforcement. D is monitoring only (p=none). F means no DMARC record.

Frequently asked questions

Do I need to check SPF, DKIM, and DMARC separately?
No, this tool checks all three in one pass. SPF and DMARC only require your domain. DKIM also needs your selector; if you don't know it, the tool tries around 20 common selector names used by major ESPs. If your provider uses a custom selector, enter it directly.
My SPF passes but DMARC still fails, why?
SPF pass alone isn't enough for DMARC. DMARC requires alignment: the domain in your SPF envelope sender must match the domain in your From header. If you send through a third party (ESP, CRM) that uses its own envelope domain, SPF alignment fails even when SPF itself passes. DKIM alignment is the fix.
I get a DMARC pass on this tool but mail still goes to spam, what next?
Authentication is passing but something else is triggering spam filters: content, sending reputation, or a blacklisted IP. Check your email blacklist status and review your sending reputation in Google Postmaster Tools.
What's the difference between p=none, p=quarantine, and p=reject?
p=none, collect reports, take no action on failures. p=quarantine — send failures to the spam folder. p=reject, block failures entirely. Most domains should move to p=reject once DMARC reports confirm all legitimate senders are aligned.

Seeing signals drop over time?

DMARCdrift monitors your DMARC records continuously and alerts you the moment a policy or DNS record changes, before it affects deliverability.

Get started free →

Monitor all your authentication grades continuously. Free for one domain.

See plans →