Email Authentication Analyzer (SPF, DKIM & DMARC Checker)

Inspect, validate and analyze domain email security configurations. Verify SPF formats, check DMARC policies, and check DKIM selector records in real-time.

Analyze Email Records

Enter a domain and optional DKIM selector to run alignment verification.
Audit status:
0%
SPF Record Status
DMARC Record Status
DKIM Record Status

Comprehensive Guide to Email Security & Authentication

Email was originally developed without integrated validation layers. Historically, any mail server could connect to a receiving system and claim to represent any sender address—a vulnerability commonly exploited by phishing campaigns, spammers, and malware distributors to commit **Email Spoofing**.

To secure communication channels, the internet engineering community introduced three distinct layers of authentication that work in tandem to establish sender legitimacy, guarantee message integrity, and define compliance rules: **SPF, DKIM, and DMARC**.


1. SPF (Sender Policy Framework)

**SPF** is an open standard that publishes a TXT record in the domain's DNS zone file listing all authorized IP addresses and servers allowed to send outbound emails on behalf of that domain name.

When a mail transfer agent (MTA) receives an email, it inspects the sender domain, fetches its SPF record, and checks if the sending server's IP is listed.

Understanding SPF Syntax:

  • v=spf1: Identifies the version of SPF protocol.
  • ip4:192.168.0.1 / ip6:...: Explicitly authorizes specific IP ranges.
  • include:_spf.google.com: Pulls in the list of authorized IPs maintained by Google.
  • -all (Fail): Tells receivers to reject emails sent from unlisted IPs.
  • ~all (SoftFail): Asks receivers to mark unlisted messages as spam/junk but not reject them entirely.

Important: The 10-Lookup Limit

According to SPF specification RFC 7208, an SPF evaluation must not cause more than **10 recursive DNS lookups** (such as resolved `include`, `mx`, `a` tags). If your SPF record exceeds 10 lookups, receiving mail systems will trigger a permanent SPF validation error, potentially bouncing your emails!


2. DKIM (DomainKeys Identified Mail)

**DKIM** uses public-key cryptography to add a digital signature to the headers of outbound emails. This signature acts as a seal verifying that the message was sent by the domain owner and has not been altered in transit.

The domain owner publishes their public cryptographic key as a DNS TXT record at a specific subdomain called a **DKIM Selector**. For example, if the selector is s1, the TXT record is placed at s1._domainkey.yourdomain.com. The receiving server reads this public key and verifies the header signature.


3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)

**DMARC** binds SPF and DKIM verification checks together. It publishes a TXT record instructing receiving servers how to handle emails that fail SPF or DKIM checks.

Key DMARC Parameters:

  • p=none: Monitor mode. Fails are logged but delivered.
  • p=quarantine: Fails are routed directly to Spam/Junk folders.
  • p=reject: Fails are blocked completely by the receiving MTA.
  • rua=mailto:[email protected]: Configures report logs to be sent to a specific email address.
Email Best Practices

Always configure both SPF and DKIM. DMARC relies on at least one of these aligning with the sender headers to pass.

Gradually transition your DMARC policy from p=none to p=quarantine, and finally p=reject after verifying reports.