Skip to content
free tool · no signup · no logs

SPF · DKIM · DMARC
validated in 3 seconds.

Enter your sending domain. We pull the SPF, DKIM and DMARC records from DNS, parse each one, and tell you exactly what works, what's missing, and what's misaligned, with the specific fix for each issue.

# We do not store queries, do not log domains, do not require an account. DNS resolution happens server-side; the result is rendered in your browser only.

# Awaiting input…

why these three records matter

SPF, DKIM and DMARC explained.

SPF

Sender Policy Framework

A TXT record on your domain listing the IP addresses authorised to send mail. Receivers check the connecting IP against this list. Failing SPF means receivers either downgrade the message or apply DMARC's failure policy.

  • Maximum 10 DNS lookups (mechanism + redirect + include resolution)
  • Use -all (hard fail) over ~all (soft fail) in production
  • Each include: chain counts toward the 10-lookup limit
DKIM

DomainKeys Identified Mail

A cryptographic signature on every outgoing message. Receivers fetch your public key from DNS and verify the signature matches the message body and headers as sent. Tampering breaks the signature instantly.

  • Use 2048-bit RSA keys (1024-bit is now considered weak)
  • Rotate selectors quarterly with a 14-day overlap period
  • Sign at least: From, To, Subject, Date, Message-ID
DMARC

Domain-based Authentication

Builds on SPF and DKIM. Tells receivers what to do with messages that fail authentication, and how to report failures back to you. The most consequential record for sender reputation.

  • Start at p=none for visibility, ramp to p=quarantine
  • Reach p=reject within 60-90 days for credible domains
  • Always include rua= for aggregate reports

We configure SPF, DKIM, MTA-STS, TLS-RPT, BIMI and DMARC enforcement for every customer at provisioning time. If your validator results show gaps, we can take them from misaligned to inbox-ready.

Talk to us on Telegram See SMTP Relay tiers
how to read the validation output

What each result line means and what to do about it.

The validator returns three blocks: SPF, DKIM, and DMARC. Each block has a status pill (pass, warn, or fail), a parsed record breakdown, and specific findings if anything looks off. Here's what to look at first in each block, and what each common finding actually means for your deliverability.

SPF block: lookup count is the trap.

SPF rules cap the number of DNS lookups during evaluation at 10. This includes every include:, a, mx, ptr, and exists: mechanism, plus any nested lookups they trigger. A record that looks short can blow past 10 if your includes chain into more includes; some ESPs (notably older Mailchimp configurations and some Microsoft 365 setups) are known offenders. If the validator shows your record exceeding 10, receivers will return PermError and DMARC will treat SPF as failed regardless of whether the sending IP is actually in the chain.

The fix is flattening: replace include: mechanisms with the IP ranges they resolve to, eliminating the lookup. Flattening creates a maintenance burden (when your ESP rotates IPs, your flat record breaks), so use flattening services that re-resolve and update DNS daily, or only flatten the includes that haven't changed in 12+ months.

~all (soft fail) versus -all (hard fail) is the second SPF judgment call. Hard fail tells receivers to reject mail from IPs not on the list; soft fail asks them to mark it suspicious. In production we recommend -all once you're confident your record covers all legitimate sending sources. ~all is appropriate during initial deployment when you're not yet sure you've enumerated every sender.

DKIM block: selector availability and key length.

DKIM is selector-scoped. The validator checks selectors common in the wild (default, google, k1, s1, mailo, selector1/2 for Microsoft 365, dkim, mxvault, and others) plus any selector you specify. A missing selector record is not necessarily a failure; it just means that selector isn't being used. A failure is when a selector record exists but is malformed (broken base64, missing p= tag, unsupported algorithm).

Key length below 1024 bits is now considered weak; below 768 bits, receivers may ignore the signature entirely. We recommend 2048-bit RSA keys for new deployments. If your validator shows 1024-bit keys, it's not an immediate failure but should be on your rotation schedule.

DMARC block: policy alignment and reporting.

DMARC requires either SPF or DKIM to pass with the result aligned to the From: header domain. Alignment is the subtle part: SPF can pass on the envelope sender domain but fail alignment if your envelope sender uses a different domain than the From: header. ESPs sometimes send via bounce.example.net while messages appear to come from example.com, breaking alignment unless the ESP signs with DKIM aligned to example.com.

DMARC policy progression: p=none for monitoring, p=quarantine for soft enforcement, p=reject for full enforcement. Don't jump to p=reject without first running p=none with reporting (rua= tag) for at least 14-30 days; reports will show legitimate senders you didn't know about and your p=reject would have blocked them.

common findings and fixes

What we see most often when running this against real domains.

WARN

SPF record exceeds 10 DNS lookups

Most common finding by a wide margin. Usually caused by chained include: mechanisms from multiple ESPs. Fix: flatten the largest include (typically the ESP that hasn't changed IPs in years) to direct ip4: ranges, or audit which includes are still needed and remove ones for ESPs you no longer use.

FAIL

DMARC at p=reject without prior monitoring

Setting p=reject immediately without running p=none with reports first is risky. Legitimate senders you didn't know about (third-party transactional systems, internal forwards from on-prem mail servers, marketing automation tools sending notifications) get rejected silently. Fix: roll back to p=none with rua= reporting for 14-30 days, audit the report data, authorize legitimate senders, then progress through p=quarantine to p=reject.

WARN

DKIM selector found but key is 1024-bit RSA

1024-bit keys still pass at major receivers but are on most receivers' deprecation lists. Some receivers (notably Yahoo and some smaller European providers) have begun applying lower trust scores to 1024-bit DKIM. Fix: schedule a rotation to 2048-bit, with a 14-day overlap period where both selectors are valid. See our DKIM rotation service if you want this handled without engineering effort.

FAIL

DMARC alignment broken: SPF passes but on different domain

Your envelope sender domain (typically the bounce domain) doesn't match your From: header domain. SPF evaluates against envelope sender; DMARC needs that evaluation to match the From: domain. Common cause: ESP uses their own bounce domain for VERP processing without DKIM-signing aligned to your From: domain. Fix: ensure DKIM signs with your domain (most ESPs support custom DKIM signing); alternatively, configure your ESP to use a bounce subdomain of your own domain (bounce.yourbrand.com).

WARN

SPF uses ~all (soft fail) in production

Not strictly wrong, but soft fail asks receivers to mark suspicious mail rather than reject it. For production sending where you've enumerated all authorized senders, -all (hard fail) provides stronger protection against spoofing. Fix: transition to -all after running ~all with DMARC reporting for at least 14 days to confirm your record covers all legitimate senders.

FAIL

DMARC record missing entirely

No DMARC TXT record at _dmarc.yourdomain.com. Beginning February 2024, Gmail and Yahoo require DMARC for bulk senders (5K+ daily messages); volumes below that threshold are not strictly required to publish DMARC but are increasingly penalized in inbox placement. Fix: publish minimum DMARC at p=none with rua= reporting address; this satisfies the requirement while you evaluate enforcement progression.

2026 enforcement at Gmail and Microsoft

What authentication actually has to do in 2026.

Gmail moved from soft enforcement to outright SMTP-level rejection in November 2025 for bulk senders (5,000+ daily to personal Gmail accounts) who fail authentication. Microsoft completed equivalent enforcement on April 30, 2026 with 550 5.7.515 rejections on non-compliant bulk mail to consumer Outlook properties. The enforcement is binary: pass authentication and your mail is evaluated for inbox placement, fail authentication and your mail gets rejected at SMTP time without reaching the receiver in any retrievable form.

The specific requirements for compliance: SPF record published with all sending infrastructure authorised either through ip4/ip6 mechanisms or through include directives, DKIM signing on every message with 2048-bit RSA keys, DMARC record published with at minimum p=quarantine and ideally p=reject, aligned identifiers between the From header domain and at least one of the SPF authentication domain or DKIM signing domain. The validator on this page checks all of these and identifies the specific issue when any fail.

For bulk senders specifically, the additional 2026 requirements include one-click unsubscribe header (List-Unsubscribe with HTTP-based List-Unsubscribe-Post for one-click action), functional unsubscribe processing within 48 hours of request, and complaint rate sustained below 0.3% with 0.1% as a target. The complaint rate is monitored by receivers through their feedback loop programs and is enforced separately from authentication; even authenticated senders get throttled or rejected for sustained complaint rates above the threshold.

The transition from p=none to p=quarantine to p=reject should follow a measured ramp. Most operators that we work with complete the ramp in 60-120 days from initial DMARC deployment: 30 days at p=none with monitoring, 30-45 days at p=quarantine pct=25 ramping to pct=100, then transition to p=reject once the receivers report no significant volume of legitimate mail being affected by the policy. The ramp matters because aggressive DMARC policies can break legitimate mail flows from third-party services (CRM platforms, transactional email vendors, internal forwarding) that the operator did not initially know were sending under their domain.

DMARC aggregate reporting

How to actually use the rua reports that arrive every day.

DMARC aggregate reports (the rua reports) are sent daily by major receivers to the mailbox specified in the rua tag of your DMARC record. The reports arrive as XML attachments documenting all the mail that receivers observed claiming to be from your domain during the previous 24-hour window, including authentication results for each source.

For domains starting from p=none, the first 14-30 days of reports typically reveal more sending sources than the operator was aware of. Common surprises: third-party marketing platforms that the marketing team set up without informing IT, transactional email vendors (Postmark, Mailgun, SendGrid) that legacy applications were configured to use, CRM platforms with built-in email functionality, internal forwarding from satellite-office mail servers, customer-service desk tools that send notification emails. Each of these needs either explicit authorisation in SPF/DKIM or migration to authorised infrastructure before DMARC can move to p=quarantine without affecting legitimate mail.

The processing pattern that most operators settle on: aggregate reports flow to a dedicated mailbox, automated parsing runs daily (DMARC XML is well-documented; many open-source tools exist), the parsed data flows into a dashboard showing pass/fail rates per source and over time. Trends matter more than individual reports: a single failure event is often noise (a misconfigured forwarder, a transient DNS issue, a one-off transactional mail problem); sustained failures from a specific source indicate a real configuration issue that needs to be addressed before DMARC enforcement increases.

For operators without dedicated DMARC tooling, the minimum viable processing is forwarding the reports to one of the commercial DMARC dashboards (DMARC Analyzer, Valimail, Dmarcian, Postmark) that handle parsing and dashboard rendering. These cost USD 50-500 monthly depending on volume and feature requirements. For operators with engineering capacity, self-hosted parsing (such as ParseDMARC, the open-source DMARC tool from DomainTools) is operationally cheap and produces equivalent visibility. The choice typically comes down to whether the operator prefers a managed service or a self-hosted pipeline; both produce the same outcome for most operational use cases.

questions we get about this tool

Frequently asked.

Why does my SPF record show 11 lookups when I count only 6 includes?

Each include: mechanism resolves recursively; if the included record itself contains includes, those count too. A common culprit: ESPs whose SPF includes chain to the ESP's underlying infrastructure providers, which themselves chain to CDN providers. Six visible includes can produce 12-15 actual lookups. The validator counts the recursive total, not the visible count.

I see DKIM passing in the validator but failing at Gmail. Why?

Most common cause: signature canonicalization mismatch. DKIM specifies how the signing process handles header and body whitespace; receivers use the same canonicalization to verify. If your signing process uses simple canonicalization but headers get rewritten in transit (mailing lists, forwards, anti-virus scanners modifying headers), the signature breaks. Use relaxed/relaxed canonicalization for both header and body to tolerate normal in-transit modifications.

Should I use DMARC p=reject or p=quarantine?

p=reject provides stronger protection but requires high confidence that all legitimate senders are authorized. p=quarantine sends unauthorized mail to spam folders rather than blocking; recipients can still recover legitimate mail incorrectly quarantined. We recommend progressing none → quarantine → reject across 60-90 days, monitoring reports at each stage. Stay at quarantine if your environment includes unpredictable forward paths (academic institutions, mailing list subscribers).

What's the difference between sp= and p= in DMARC?

p= applies to the organizational domain (example.com); sp= applies to subdomains (mail.example.com, news.example.com). If sp= is absent, subdomains inherit the p= policy. Common pattern: p=reject on apex while sp=quarantine on subdomains, allowing subdomain testing without breaking apex enforcement.

Do I need BIMI before DMARC enforcement?

BIMI requires DMARC at p=quarantine or p=reject. So DMARC enforcement is prerequisite to BIMI eligibility, not the reverse. BIMI does not contribute to deliverability directly; it adds visual brand display in supporting mail clients (Gmail with VMC, Yahoo, Apple Mail). Use our BIMI eligibility checker for full prerequisite review.

How often should I rotate DKIM keys?

Quarterly rotation is industry best practice; six-month rotation acceptable for lower-volume operations. A compromised key (extremely rare in normal operations but possible if private keys leak) requires immediate rotation. The rotation process needs a 14-day overlap where both old and new selectors are valid in DNS, allowing in-flight mail signed with the old selector to verify until it's clear of the queue.