📧 Bulk Email Deliverability Checker

Check SPF, DKIM, DMARC, and MX records for multiple domains at once

ℹī¸ Login required: Login or Register to use this tool and save your history!
🔐

Want to Process Multiple Items?

Free users can process one item at a time. Register or Login to unlock bulk processing and save your results to history!

💡 Enter one domain per line without http:// or www.

Email Deliverability & Authentication Checker

Ensure your emails reach the inbox with our comprehensive email deliverability analysis tool. Verify SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) records for any domain. Proper email authentication is essential for preventing spam filtering, protecting against phishing, and maintaining high deliverability rates.

Why Email Authentication Matters

Email authentication protocols protect both senders and recipients from various email-based threats including spam, phishing, spoofing, and business email compromise (BEC). Major email providers like Gmail, Outlook, and Yahoo require proper authentication for reliable inbox delivery. Without correct SPF, DKIM, and DMARC configuration, your legitimate emails may be marked as spam, rejected entirely, or exploited by attackers impersonating your domain.

SPF (Sender Policy Framework)

What is SPF?

SPF is an email validation system designed to detect and prevent email spoofing. SPF allows domain owners to publish a list of authorized IP addresses and servers permitted to send email on behalf of their domain. When a receiving mail server gets email claiming to be from your domain, it checks the SPF record to verify the sending server is authorized.

How SPF Works

SPF records are published as TXT records in your domain's DNS. They contain mechanisms (like "ip4:", "a:", "mx:", "include:") that specify authorized senders and qualifiers (+, -, ~, ?) that determine what receiving servers should do with email from unauthorized sources. A typical SPF record might look like: "v=spf1 ip4:192.0.2.0/24 include:_spf.google.com ~all"

SPF Best Practices

  • Include all legitimate sending sources - mail servers, marketing platforms, SaaS applications
  • Use "include:" mechanisms for third-party services to inherit their SPF records
  • Keep SPF records under 10 DNS lookups to avoid validation failures
  • Use "-all" (hard fail) or "~all" (soft fail) to protect against unauthorized senders
  • Maintain and update SPF records when changing email infrastructure
  • Test SPF records thoroughly before deployment

Common SPF Mistakes

Exceeding the 10 DNS lookup limit causes SPF validation to fail. Including too many "include:" mechanisms quickly hits this limit. Not including all sending sources leaves legitimate email unprotected. Using "+all" (permit all) defeats SPF's security purpose. Multiple SPF records for a domain cause unpredictable behavior - only one SPF record per domain is allowed.

DKIM (DomainKeys Identified Mail)

What is DKIM?

DKIM adds a digital signature to email headers using public key cryptography. This signature proves the email hasn't been tampered with during transmission and verifies it came from an authorized sender for the domain. Unlike SPF which validates sending IP addresses, DKIM validates message content integrity and sender authorization.

How DKIM Works

The sending mail server signs outgoing email with a private key. The corresponding public key is published in DNS as a TXT record. Receiving servers retrieve the public key from DNS and use it to verify the signature. If verification succeeds, the email is authenticated. If it fails, the message has been altered or wasn't sent by an authorized server.

DKIM Components

DKIM signatures include several components: the signing domain (d=), the selector identifying which key to use (s=), the signature algorithm (a=), the canonicalization method (c=), and the actual signature (b=). The selector allows multiple DKIM keys for a domain, useful for different departments or service providers.

DKIM Best Practices

  • Use 2048-bit keys for better security (1024-bit minimum)
  • Implement key rotation regularly for security
  • Sign all outbound email for consistency
  • Use subdomain selectors for different email streams
  • Monitor DKIM signature verification rates
  • Keep private keys secure and never share them
  • Test DKIM signatures before full deployment

Common DKIM Issues

Missing or incorrect public key DNS records prevent verification. Email content modifications by mail servers or mailing lists can break signatures. Incorrect canonicalization settings cause validation failures. Key length under 1024 bits may be rejected. Expired or rotated keys without DNS updates break authentication.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

What is DMARC?

DMARC builds on SPF and DKIM to provide a comprehensive email authentication framework. It allows domain owners to specify how receiving mail servers should handle email that fails SPF or DKIM checks. DMARC also provides reporting mechanisms for monitoring email authentication results and detecting abuse.

How DMARC Works

DMARC policies are published as DNS TXT records at _dmarc.yourdomain.com. The record specifies a policy (none, quarantine, or reject) for email that fails authentication, percentage of messages to which the policy applies, and email addresses for receiving authentication reports. Receiving servers check DMARC after SPF and DKIM validation.

DMARC Policies Explained

None (p=none): Monitor-only mode. No action is taken on failed messages, but reports are sent. This is recommended for initial DMARC deployment while you monitor results and fix authentication issues.

Quarantine (p=quarantine): Messages failing authentication are sent to spam/junk folders rather than rejected entirely. This provides protection while allowing recipients to recover false positives.

Reject (p=reject): Messages failing authentication are rejected and not delivered. This provides maximum protection but requires confidence that all legitimate email sources are properly authenticated.

DMARC Alignment

DMARC requires identifier alignment between the domain in the "From:" header and the domain authenticated by SPF or DKIM. Strict alignment requires exact domain match. Relaxed alignment allows subdomain matches. This prevents spoofing even when SPF or DKIM technically passes.

DMARC Reporting

DMARC provides two types of reports: Aggregate reports (rua) show overall authentication statistics and help identify authentication issues. Forensic reports (ruf) provide detailed information about specific authentication failures. These reports are crucial for monitoring email security and identifying unauthorized sending attempts.

DMARC Best Practices

  • Start with p=none policy to monitor without enforcement
  • Analyze reports regularly to identify authentication issues
  • Gradually increase enforcement from none to quarantine to reject
  • Use percentage (pct=) to gradually roll out stricter policies
  • Configure both aggregate and forensic reporting
  • Implement subdomain policy (sp=) if needed
  • Monitor third-party senders and ensure they're authenticated

Email Deliverability Impact

Inbox Placement: Properly authenticated email is more likely to reach the inbox rather than spam folders. Gmail, Yahoo, Microsoft, and other major providers prioritize authenticated email.

Sender Reputation: Consistent authentication builds positive sender reputation over time. This reputation influences future delivery decisions by receiving mail servers.

Protection from Spoofing: DMARC with enforcement policies prevents attackers from spoofing your domain for phishing or spam. This protects your brand reputation and your customers.

Compliance Requirements: Some industries and jurisdictions require email authentication as part of security compliance. DMARC helps meet these requirements.

Visibility and Control: DMARC reporting provides unprecedented visibility into who's sending email claiming to be from your domain, enabling quick detection of unauthorized use.

Implementation Roadmap

Phase 1: SPF Implementation

Identify all legitimate email sending sources including mail servers, marketing platforms, support desk systems, and cloud services. Create an SPF record listing these sources using appropriate mechanisms. Publish the SPF record and verify with testing tools. Monitor for any delivery issues with legitimate email.

Phase 2: DKIM Implementation

Generate DKIM key pairs (2048-bit recommended). Configure mail servers to sign outbound email with the private key. Publish the public key in DNS as a TXT record. Test DKIM signatures using email authentication tools. Verify signatures are validating correctly.

Phase 3: DMARC Monitoring

Publish a DMARC record with p=none policy to begin collecting reports without enforcement. Configure reporting email addresses (rua and ruf). Monitor aggregate reports to identify authentication issues. Fix any SPF or DKIM problems discovered through monitoring.

Phase 4: DMARC Enforcement

After monitoring confirms all legitimate email passes authentication, gradually increase DMARC enforcement. Start with p=quarantine at pct=10 (10% of messages). Incrementally increase percentage while monitoring. Eventually move to p=reject for full protection. Continue monitoring reports indefinitely.

Troubleshooting Authentication Issues

SPF Failures: Verify all sending sources are included in SPF record. Check for DNS lookup limit (max 10). Ensure sending IP addresses match SPF record. Watch for third-party services sending from unexpected IPs.

DKIM Failures: Verify public key DNS record exists and matches private key. Check signature canonicalization settings. Watch for email content modifications. Ensure keys haven't expired or been rotated without updating DNS.

DMARC Failures: Confirm SPF or DKIM is passing and aligned. Verify From: domain matches authenticated domain. Check DMARC record syntax. Review aggregate reports for failure details.

Delivery Problems: Some email may fail authentication legitimately (forwarded messages, mailing lists). Consider authentication-friendly forwarding methods. Adjust policies if necessary to prevent false positives.

Advanced Features

Third-Party Senders: When using email service providers, marketing platforms, or other third-party senders, ensure they support SPF, DKIM, and DMARC. Configure their settings to align with your domain authentication.

Subdomain Handling: DMARC subdomain policy (sp=) allows different policies for subdomains. This is useful when subdomains are used by different departments or partners.

BIMI (Brand Indicators for Message Identification): After achieving DMARC enforcement, consider implementing BIMI to display your logo in recipient inboxes. BIMI requires DMARC p=quarantine or p=reject.

MTA-STS (Mail Transfer Agent Strict Transport Security): Complement DMARC with MTA-STS to enforce TLS encryption for email transmission, preventing man-in-the-middle attacks.

Monitoring and Maintenance

Email authentication isn't set-and-forget. Regular monitoring is essential. Review DMARC reports weekly. Monitor email delivery metrics. Test authentication regularly with our tool. Update SPF records when adding sending sources. Rotate DKIM keys periodically. Adjust DMARC policies based on ongoing results. Investigate authentication failures promptly.

Using Our Tool

Our email deliverability checker analyzes your domain's SPF, DKIM, and DMARC records. We verify syntax, check for common configuration errors, and provide recommendations for improvement. Simply enter your domain above to receive comprehensive analysis of your email authentication setup. For DKIM, we check common selectors, but you may need to provide specific selectors for complete testing.

Getting Started

Enter your domain name in the field above to check email authentication configuration. Our tool will analyze your SPF record, attempt to locate DKIM keys using common selectors, and verify your DMARC policy. Results include detailed information about each authentication method, identified issues, and recommendations for optimization. Regular checking helps maintain optimal email deliverability.