Email Security Checker

Check SPF, DKIM and DMARC records for any domain.

What is Email Authentication?

Email authentication is a group of DNS-based standards that let receiving mail servers verify whether an email genuinely came from the domain it claims. Without it, anyone can forge the sender address and make their message look like it came from your domain.

Three records work together: SPF lists the servers allowed to send on your behalf. DKIM adds a signature to every outgoing message so receivers can verify the content was not altered in transit. DMARC ties the two together and tells receiving servers what to do when a message fails both checks.

SPF, DKIM and DMARC Explained

SPF (Sender Policy Framework)

A TXT record on your root domain that lists which IP addresses and services are authorised to send email for you. The end of the record matters most: -all means reject anything not on the list (recommended), ~all is a soft fail used during testing, and +all means anyone can send as you, which is a serious problem.

DKIM (DomainKeys Identified Mail)

A TXT record at selector._domainkey.yourdomain.com holding a public key. Your mail server signs each outgoing message with the matching private key. Receiving servers use the public key to verify the signature. If the signature checks out, the message hasn't been tampered with. Use keys of at least 2048 bits.

DMARC (Domain-based Message Authentication)

A TXT record at _dmarc.yourdomain.com. The p= tag sets the policy: none is monitoring only and offers no protection, quarantine sends failing mail to spam, and reject blocks it outright. Add rua= with an email address to receive daily reports showing what's passing and failing.
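
To show how the SPF ending and the DMARC p= and rua= tags described above can be graded, here is an added example (not this tool's own code). It parses TXT record strings offline; the sample records, example.com names and function names are constructed for illustration, and the ?all qualifier is included although the text above does not list it.

```python
import re

# Constructed sample TXT records (not real DNS answers); names are placeholders.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

SPF_ALL = {"-": "reject unlisted senders (recommended)",
           "~": "soft fail (testing only)",
           "?": "neutral (no protection)",
           "+": "anyone can send as you"}

def check_spf(txt):
    """Return (qualifier, findings) for an SPF TXT record string."""
    terms = txt.strip().lower().split()
    if not terms or terms[0] != "v=spf1":
        return None, ["not an SPF record"]
    for term in terms[1:]:
        # The 'all' mechanism may carry a qualifier; a bare 'all' means '+all'.
        m = re.fullmatch(r"([-~?+]?)all", term)
        if m:
            q = m.group(1) or "+"
            return q, ([] if q == "-" else [f"{q}all: {SPF_ALL[q]}"])
    if any(t.startswith("redirect=") for t in terms[1:]):
        return None, ["policy delegated via redirect=; check the target record"]
    return None, ["no 'all' mechanism: unlisted senders get a neutral result"]

def check_dmarc(txt):
    """Return (policy, findings) for a DMARC TXT record string."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None, ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    findings = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: monitoring only, no protection")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports")
    return policy or None, findings

if __name__ == "__main__":
    print(check_spf(SAMPLE_SPF))
    print(check_dmarc(SAMPLE_DMARC))
```

An empty findings list means the record matches the recommendations above: -all for SPF, and quarantine or reject with a rua= address for DMARC.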

Frequently Asked Questions

Why is DKIM showing as not found?

DKIM records include a selector chosen by your email provider, for example google._domainkey for Google Workspace or selector1._domainkey for Microsoft 365. This tool tests around 18 common selectors automatically. If your provider uses a custom one, check their docs and look it up manually in a DNS lookup tool.

My emails are landing in spam. Can this help?

Often yes. Missing or broken SPF, DKIM or DMARC records are among the top reasons legitimate mail gets flagged. Fix what this tool reports and give DNS propagation an hour or two before testing again.

What is BIMI?

BIMI lets your brand logo appear next to emails in Gmail, Apple Mail and a few other clients. It requires a DMARC policy of reject or quarantine and, for the major providers, a verified mark certificate (VMC). It's a nice extra once your core authentication is solid.