SPF, DKIM & DMARC Checker: Test All Three Email Authentication Records
Email authentication isn't one protocol; it's three, and they need to work together. Here's what each does, why you need all of them, and how to check them all in seconds.
Three Protocols, One Goal: Stop Email Spoofing
If you manage a domain that sends email (and virtually every business domain does), you've probably heard that you need SPF, DKIM, and DMARC. But what exactly does each one do, and why do you need all three?
Think of it like airport security. SPF is the passenger list: it defines which planes (servers) are authorized to carry your passengers (emails). DKIM is the tamper-proof seal on your luggage, proving the contents haven't been altered in transit. DMARC is the security policy that tells the airport what to do when someone shows up without being on the list or with a broken seal.
Each one covers a different attack vector. Without all three, you have gaps that attackers will find and exploit.
SPF: Who Can Send Email for Your Domain
SPF (Sender Policy Framework) is a DNS TXT record that lists every IP address and mail server authorized to send email on behalf of your domain. When a receiving server gets an email claiming to be from yourdomain.com, it checks your SPF record to see if the sending server's IP is on the authorized list.
A typical SPF record looks like this:
v=spf1 include:_spf.google.com include:sendgrid.net -all
This says: "Google Workspace and SendGrid can send email for us. Reject everything else." The -all at the end is the fail mechanism, telling receivers to reject unauthorized senders. A softer ~all (soft fail) is less strict and is commonly used during setup.
Common SPF problems: exceeding the 10 DNS lookup limit, forgetting to include a third-party service, or using +all which authorizes literally everyone. Use our SPF checker to see if your record has any of these issues.
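The SPF problems listed above can be checked mechanically. The following is an added example, not this site's checker code: it walks include and redirect chains over a constructed table of TXT records (so it runs offline), counts the terms that cost a DNS lookup, and flags +all and includes that point at a domain with no SPF record. The function names and every record in SAMPLE_ZONE are assumptions made for illustration.

```python
import re
# Constructed sample TXT records keyed by domain (illustrative, not real DNS data).
SAMPLE_ZONE = {
    "yourdomain.com": "v=spf1 include:_spf.mail.example include:_spf.crm.example "
                      "include:_spf.news.example a mx -all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.crm.example": "v=spf1 a mx ip4:203.0.113.7 ~all",
    "_spf.news.example": "v=spf1 a mx include:_a.mail.example ~all",
    "open.example": "v=spf1 +all",
}
# Each of these terms costs one DNS lookup (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

def parse_term(term):
    """Split one SPF term into (qualifier, name, argument)."""
    qualifier = "+"                      # default qualifier when none is written
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    name, rest = re.match(r"([\w.-]*)(.*)$", term).groups()
    return qualifier, name.lower(), rest[1:] if rest[:1] in (":", "=") else ""

def walk(domain, zone, path=()):
    """Return (dns_lookups, findings) for a record, following include/redirect."""
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0, [f"{domain}: no SPF record found"]
    if domain in path:
        return 0, [f"{domain}: include loop"]
    lookups, findings = 0, []
    for term in record.split()[1:]:
        qualifier, name, arg = parse_term(term)
        lookups += name in LOOKUP_TERMS  # True counts as 1
        if name == "all" and qualifier == "+":
            findings.append(f"{domain}: +all authorizes every sender")
        if name in ("include", "redirect") and arg:
            sub_lookups, sub_findings = walk(arg, zone, path + (domain,))
            lookups += sub_lookups
            findings += sub_findings
    return lookups, findings

def check_spf(domain, zone=SAMPLE_ZONE):
    """Lint a domain's SPF record against the common problems described above."""
    lookups, findings = walk(domain, zone)
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{domain}: {lookups} DNS lookups exceeds limit of {LOOKUP_LIMIT}")
    return lookups, findings
```

In the sample data the top-level record shows only five lookup terms, but the nested includes bring the total to 12, which is why the limit is easy to exceed without noticing.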
DKIM: Proving Your Email Wasn't Tampered With
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The sending server signs the message with a private key, and the receiving server verifies the signature using a public key published in your DNS.
This does two things: it proves the email actually came from someone with access to your domain's private key, and it proves the email body and key headers weren't modified after sending. If an attacker intercepts and changes the message, the DKIM signature breaks.
DKIM records are published as TXT records at a selector-specific subdomain, like google._domainkey.yourdomain.com. Each email service you use typically has its own DKIM selector.
Common DKIM problems: not enabling DKIM signing in your email provider's settings, using weak key lengths (512-bit keys are crackable, so use 2048-bit), or having stale keys from a provider you no longer use. Check your DKIM setup with our DKIM checker.
DMARC: The Policy That Ties It All Together
DMARC (Domain-based Message Authentication, Reporting & Conformance) is the layer that makes SPF and DKIM actionable. On its own, a failed SPF or DKIM check doesn't necessarily mean the email gets blocked; the receiving server decides. DMARC changes that by publishing a clear policy.
DMARC adds two critical things:
- Alignment: It requires that the domain passing SPF or DKIM matches the From header domain. This prevents attackers from passing SPF with their own domain while spoofing yours in the visible From field.
- Policy enforcement: It tells receivers exactly what to do with failing messages: deliver (p=none), quarantine (p=quarantine), or reject (p=reject).
A DMARC record also configures reporting, so you receive daily aggregate reports about every email sent using your domain, both legitimate and fraudulent. This visibility is invaluable for identifying misconfigured services and active spoofing attacks. Use our DMARC checker to see your current policy and reporting status.
How SPF, DKIM, and DMARC Work Together
Here's what happens when someone receives an email that claims to be from your domain:
- SPF check: The receiving server looks up your SPF record and checks whether the sending server's IP is authorized. Result: pass or fail.
- DKIM check: The receiving server retrieves your DKIM public key from DNS and verifies the signature in the email header. Result: pass or fail.
- DMARC alignment: DMARC checks whether the domain that passed SPF or DKIM matches the From header domain. This is the alignment step, the key mechanism that prevents attackers from passing SPF with their own domain while showing your domain in the From field.
- Policy enforcement: If neither SPF nor DKIM passes with alignment, the receiving server applies your DMARC policy: deliver anyway (none), send to spam (quarantine), or reject the message entirely.
The key insight: DMARC only needs one of SPF or DKIM to pass with alignment. But having both gives you redundancy. SPF breaks when emails are forwarded (the forwarding server's IP won't be in your SPF record). DKIM survives forwarding because the signature travels with the message. Together, they cover each other's weaknesses.
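The decision sequence above can be written out as code. This is an added example, not the scanner's implementation: it takes the SPF and DKIM results a receiver has already computed, applies the alignment test, and returns the disposition the published policy asks for. The message dictionaries and the DMARC record are constructed samples, and org_domain is a simplifying assumption (real evaluators use the Public Suffix List to find the organizational domain).

```python
def org_domain(domain):
    """Approximate the organizational domain as the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """Relaxed ('r') compares organizational domains; strict ('s') needs an exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of lowercase tag names to values."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def evaluate(msg, dmarc_record):
    """Return (dmarc_result, disposition) for one message."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["mail_from"], msg["from"], tags.get("aspf", "r"))
    dkim_ok = msg["dkim"] == "pass" and aligned(
        msg["dkim_d"], msg["from"], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:                # one aligned pass is enough
        return "pass", "deliver"
    policy = tags.get("p", "none")
    return "fail", "deliver" if policy == "none" else policy

# Constructed sample record and messages (not real traffic).
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com"
DIRECT = {"from": "yourdomain.com", "mail_from": "bounce.yourdomain.com",
          "spf": "pass", "dkim": "pass", "dkim_d": "yourdomain.com"}
# Forwarded mail: the forwarder's IP fails SPF, the DKIM signature survives.
FORWARDED = dict(DIRECT, spf="fail")
# Spoof: SPF and DKIM pass for the sender's own domain, which does not align.
SPOOF = {"from": "yourdomain.com", "mail_from": "attacker.example",
         "spf": "pass", "dkim": "pass", "dkim_d": "attacker.example"}
```

Evaluating SPOOF against a record with p=none returns a DMARC fail that is still delivered, which is the monitoring-only state the policy values describe.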
What Goes Wrong Without All Three
Each missing protocol creates a specific vulnerability:
- No SPF: Any server in the world can send email claiming to be from your domain, and there's no DNS-level way for receivers to know it's unauthorized.
- No DKIM: You can't prove your emails haven't been modified in transit. Forwarded emails have no authentication path since SPF breaks on forwarding.
- No DMARC: Even if SPF or DKIM fail, there's no policy telling receivers what to do — they'll often deliver the message anyway. And you get no reports about who's spoofing your domain.
- SPF + DKIM but no DMARC: Authentication exists, but there's no enforcement. An attacker can fail both SPF and DKIM, and the email might still be delivered. No alignment check means sophisticated spoofing attacks succeed.
How to Check SPF, DKIM, and DMARC Together
You can check each protocol individually with our dedicated tools:
- SPF Checker, which validates your SPF record, counts DNS lookups, and checks mechanisms
- DKIM Checker, which verifies your DKIM public keys and signature configuration
- DMARC Checker, which analyzes your DMARC policy, alignment, and reporting setup
Or, run a full domain security scan to check all three simultaneously, along with SSL/TLS, DNSSEC, and security headers. The scan takes seconds and gives you a complete picture of your domain's security posture.
Quick Setup Checklist
If you're starting from scratch, here's the order to set things up:
- Set up SPF first. List all your legitimate sending services (email provider, marketing platform, CRM, transactional email service) in a single TXT record. Stay under 10 DNS lookups.
- Enable DKIM on all sending services. Most providers (Google Workspace, Microsoft 365, SendGrid, Mailchimp) have DKIM setup in their admin console. You'll typically need to add a CNAME or TXT record to your DNS.
- Publish a DMARC record. Start with p=none and include a reporting address. Monitor for 2–4 weeks, then move to p=quarantine and finally p=reject.
- Verify everything. Run a scan to confirm all three records are properly configured and aligned.
Frequently Asked Questions
Do I need SPF, DKIM, and DMARC, or is one enough?
You need all three. SPF verifies which servers can send email for your domain. DKIM cryptographically signs messages to prove they haven't been tampered with. DMARC ties them together by enforcing alignment and defining a policy for failed messages. Each protocol covers a different attack vector, and using only one or two leaves gaps that attackers can exploit.
Can I check SPF, DKIM, and DMARC all at once?
Yes. Domain Security Scanner lets you check all three records in a single scan. Enter your domain and get instant results for SPF, DKIM, DMARC, plus SSL, DNSSEC, and security headers. You can also check each protocol individually using our dedicated SPF checker, DKIM checker, and DMARC checker tools.
What happens if SPF passes but DKIM fails?
If SPF passes with alignment, the email can still pass DMARC even if DKIM fails, since DMARC requires only one of the two to pass with alignment. However, having only SPF means messages that are forwarded will likely fail (forwarding breaks SPF). Best practice is to have both SPF and DKIM passing so you have redundancy.
Test Your Email Authentication Now
Don't leave gaps in your email security. Check all three protocols in one scan and get specific recommendations for each one.
→ Run a full domain security scan for SPF, DKIM, DMARC, SSL, DNSSEC, and security headers in seconds.