Validate all three email authentication records for any domain in one click. Detect misconfigurations, check DMARC policies, verify DKIM selectors, and fix issues before they affect your email deliverability.
Email authentication is a trio of DNS-based protocols that work together to protect your domain from being used to send spam or phishing emails. Without all three properly configured, email providers like Gmail and Outlook may reject or junk your legitimate emails — and spammers can impersonate your domain with ease.
SPF is a TXT record that lists all the mail servers authorised to send email on your domain's behalf. When a receiving mail server gets an email from your domain, it checks the SPF record against the sending server's IP. If the IP isn't listed, the email fails SPF. A typical SPF record looks like: v=spf1 include:_spf.google.com ~all
DKIM adds a cryptographic signature to every outgoing email. The private key signs the message on your mail server; the public key is published in a DNS TXT record at selector._domainkey.yourdomain.com. Receivers verify the signature — if it matches, the email genuinely came from your server and was not modified in transit.
DMARC is the policy layer. It tells receiving servers what to do when SPF and/or DKIM checks fail: none (monitor only), quarantine (send to spam), or reject (block completely). DMARC also lets you receive aggregate reports (rua=) showing which servers are sending email claiming to be from your domain.
._domainkey.yourdomain.com. Your email provider sets this — common selectors include google (Google Workspace), s1 and s2 (many ESPs), mail, and default. You can find yours in your email provider's DKIM setup page, or by looking at the headers of a sent email for DKIM-Signature: s=selector.include:, a, mx, and ptr mechanism counts as a lookup; (2) having more than one SPF TXT record on your domain — only one is permitted; (3) sending from a server or service not listed in your SPF record. Use this tool's mechanism list to count your lookups and identify missing senders.-all (fail) — strictly rejects any email not matching the SPF record. Maximum protection but may cause issues if you miss a sender. ~all (softfail) — marks non-matching emails as suspicious but doesn't reject them. Recommended while setting up. ?all (neutral) — no enforcement, equivalent to not having SPF. +all — allows any server to send, effectively disabling SPF protection entirely.p=none and set up rua= aggregate reporting. After reviewing reports for 2–4 weeks and confirming all legitimate senders pass SPF and DKIM, move to p=quarantine. Once you're confident in full coverage, move to p=reject for maximum protection. Jumping straight to reject risks blocking legitimate email.