Authentication Dashboard
Is Your Email Authenticated?
Enter your domain. We'll check SPF, DKIM, and DMARC via live DNS lookup — no guessing, no self-reporting. Plain-English results with copy-paste fix instructions.
How this check works
Live DNS lookups — we query Google's public DNS (dns.google) for your domain's TXT, CNAME, and MX records in real time. No caching, no stale data.
SPF check — we look for a valid v=spf1 record, count DNS lookups (limit is 10), and verify the 'all' mechanism.
DKIM check — we probe 20 common DKIM selectors (google, selector1, default, k1, mlsend, etc.). If your ESP uses a non-standard selector, it may show as "not found" even if DKIM is configured.
DMARC check — we look up _dmarc.yourdomain.com and parse the policy (none, quarantine, reject) and reporting configuration.
ESP detection — we identify your email service provider from SPF includes and MX records, then link to our review so you can see how it scores.
Frequently asked questions
What is SPF and why does it matter for email?
SPF (Sender Policy Framework) is a DNS record that lists which mail servers are authorized to send email on behalf of your domain. Without it, anyone can forge emails that appear to come from your domain — and spam filters know this. Gmail, Yahoo, and Microsoft all check SPF. If your record is missing or misconfigured, your marketing emails are more likely to land in spam.
What is DKIM and how do I set it up?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The receiving server checks this signature against a public key in your DNS to verify the email wasn't tampered with in transit. Your ESP generates the DKIM key — you add it as a TXT record in your DNS. Most ESPs (Mailchimp, MailerLite, ActiveCampaign) walk you through this during domain verification.
What is DMARC and do I need it?
DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers what to do when an email fails SPF or DKIM: do nothing (p=none), quarantine it (p=quarantine), or reject it (p=reject). As of February 2024, Gmail and Yahoo require DMARC for bulk senders (5,000+ emails/day). Even if you send less, DMARC protects your domain from spoofing and improves deliverability.
What DMARC policy should I use?
Start with p=none to monitor without affecting delivery: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. After 2-4 weeks of monitoring reports, tighten to p=quarantine. Once you're confident all legitimate email passes, move to p=reject. Going straight to p=reject without monitoring can block legitimate emails from third-party tools you forgot about.
Does my email platform handle authentication automatically?
Partially. Most ESPs handle DKIM signing automatically once you add their DNS records. SPF usually requires adding the ESP's include directive to your existing SPF record. DMARC is entirely your responsibility — no ESP sets it up for you. ActiveCampaign, MailerLite, and Mailchimp all provide setup guides, but you still need DNS access to implement the records.
Why are my emails going to spam even with authentication?
Authentication (SPF/DKIM/DMARC) is necessary but not sufficient. Three other factors affect deliverability: (1) sender reputation — if your domain or IP has a history of spam complaints, authentication won't fix it. (2) Content quality — spam trigger words, excessive images, or deceptive formatting. (3) Engagement — Gmail and Outlook track whether recipients open, click, or mark your emails as spam. Low engagement signals poor content, regardless of authentication.
How do I check if my SPF record is correct?
Enter your domain above — we'll look up your SPF record and check for common issues: missing ESP includes, too many DNS lookups (SPF has a 10-lookup limit), and conflicting records. The most common mistake is having multiple SPF records (you should have exactly one, with all authorized senders included via the 'include:' mechanism).
What is BIMI and should I set it up?
BIMI (Brand Indicators for Message Identification) displays your brand logo next to your emails in supporting clients (Gmail, Yahoo). It requires DMARC with p=quarantine or p=reject, plus a Verified Mark Certificate ($1,000+/year). For most small businesses, BIMI is a nice-to-have, not a priority. Get SPF, DKIM, and DMARC right first.