📧

SPF, DKIM & DMARC Record Checker

Paste an SPF, DKIM or DMARC TXT record and get a syntax check with plain-English explanations of every part — no DNS query, nothing leaves your browser.

Record Input

About the Email DNS Record Checker

SPF, DKIM and DMARC are the three DNS records that decide whether your organisation’s email lands in the inbox or in spam — and whether criminals can spoof your domain. SPF lists which servers may send mail for the domain, DKIM publishes the public key used to verify message signatures, and DMARC tells receivers what to do when a message fails those checks. A single typo in any of them can silently break mail delivery, so it pays to validate the syntax before publishing.

This tool checks structure and syntax entirely in your browser: it tokenises the record, explains each mechanism or tag in plain English, counts SPF DNS lookups against the 10-lookup limit, and flags the classic mistakes such as +all, a missing p= tag in DMARC, or an empty DKIM key. It does not perform live DNS queries — pair it with your DNS host’s console or nslookup -type=txt yourdomain.com to fetch the record first.

How to Use This Tool

1
Pick the record type — SPF, DKIM or DMARC — using the tabs.
2
Paste the TXT record value from your DNS zone, or click Load Example to see a healthy record first.
3
Click Check Record: the tool validates the syntax and lists every mechanism or tag with a plain-English explanation.
4
Fix any flagged issue in your DNS zone, wait for the TTL to expire, then re-check the updated value here before testing real mail flow.

Common Use Cases

  • 📬
    "Our emails go to spam." The classic small-business ticket. Check all three records — a missing DMARC or an SPF with too many lookups is usually the culprit.
  • 🔄
    Migrating email providers. Moving to or from Microsoft 365 or Google Workspace means rewriting SPF includes and DKIM selectors; validate the new values before cutover day.
  • 🛡️
    Phishing protection rollout. Walk DMARC policy from p=none to quarantine to reject, checking the syntax at every step so a typo doesn't reject your own mail.
  • Adding a sending service. New CRM, invoicing or newsletter platform? Verify the extended SPF record still passes syntax and stays under the 10-lookup limit.
  • 🔍
    Auditing a domain you've inherited. Paste whatever is currently in the zone to get an instant, readable picture of the email posture a previous admin left behind.

Where These Records Live

  • 📄
    SPF: TXT record on the bare domain, e.g. example.com. Only one SPF record is allowed per domain.
  • 🔑
    DKIM: TXT record at selector._domainkey.example.com — the selector name comes from your mail provider.
  • 🛡️
    DMARC: TXT record at _dmarc.example.com, referencing the SPF/DKIM results.
  • 🔍
    Fetch them: nslookup -type=txt _dmarc.example.com or your DNS provider’s dashboard.

Frequently Asked Questions

What is the SPF 10-DNS-lookup limit and why does it matter?
Receiving servers stop evaluating SPF after 10 DNS lookups; every include:, a, mx and redirect costs one. Go over and your record returns permerror — effectively no SPF at all. Nested includes from SaaS providers eat the budget fast, which is why this checker counts them.
Do I need DKIM if SPF already passes?
Yes. SPF breaks on forwarded mail and validates the envelope sender, not the visible From header. DKIM survives forwarding and cryptographically ties the message to your domain — and DMARC needs at least one of the two aligned to pass. Deploy both.
Why does SPF have a 10-lookup limit?
Each include, a, mx, ptr, exists and redirect forces the receiving server to do another DNS query. More than 10 returns a permanent error (permerror) and many receivers then ignore your SPF entirely. Flatten includes or remove unused vendors to stay under the limit.
Should I use -all or ~all?
~all (softfail) is a safe starting point while you confirm every legitimate sender is listed. Move to -all (hardfail) once DMARC reports show no legitimate mail failing. Never use +all — it authorises the whole internet to send as your domain.
What DMARC policy should I start with?
Start with p=none plus a rua= reporting address, watch reports for a few weeks, then step up to p=quarantine and finally p=reject once all legitimate mail sources pass SPF or DKIM alignment.