Free Tool — No API Key Needed

All-in-One Email Authentication Checker

Check SPF, DKIM, and DMARC DNS records for any domain in seconds. Powered by Google DNS — free, unlimited, no signup required.


    About this tool

    What Is an Email Authentication Checker and Why You Need One

    An email authentication checker is a DNS diagnostic tool that inspects your domain's SPF, DKIM, and DMARC records to verify that your email infrastructure is properly configured. When you send cold emails or marketing campaigns, receiving servers like Gmail, Outlook, and Yahoo check these records to decide whether your message belongs in the inbox or the spam folder.

    Without proper authentication, even the best-written cold emails land in spam — or get rejected entirely. For B2B sales teams, SDRs, and email marketers, this means lost opportunities, wasted effort, and damaged sender reputation. Our free tool checks all four critical DNS record types — SPF, DKIM, DMARC, and MX — in a single lookup, giving you an instant health report with actionable recommendations. Pair the results with our email copy analyzer, spam words checker, and subject line tester for a complete deliverability pre-flight.

    Whether you're launching a new outreach domain, troubleshooting deliverability drops, or auditing your email stack before a campaign, this tool gives you the visibility you need to protect your sender reputation and maximize inbox placement rates.

    Data sources, methodology & privacy

    • DNS-over-HTTPS: queries hit Google Public DNS (dns.google) first, with automatic fallback to Cloudflare (cloudflare-dns.com) if Google is blocked or slow.
    • Real-time, live records: nothing is cached on our side. Each check reads the same DNS records receiving mail servers see.
    • DKIM selector coverage: probes 12+ common selectors — default, google, selector1, selector2, k1, mandrill, smtpapi, s1, mail, dkim, zoho, mxvault.
    • Scoring rubric: Pass / Warning / Fail follow IETF RFC 7208 (SPF), RFC 6376 (DKIM), and RFC 7489 (DMARC), plus current Google and Yahoo bulk-sender guidelines.
    • Privacy: the tool runs entirely client-side. Domains you check go directly from your browser to the DNS resolver — never to LeadFindy servers. Nothing is logged or stored.
    • Accuracy caveat: DKIM uses domain-specific selectors. If your provider uses a custom selector outside our probe list, DKIM may report "not found" even when configured — use dig or your DNS console to confirm.
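The lookup flow described in the list above, sketched as an added example (this is not the tool's own code). It queries the public JSON endpoints of the two resolvers named above, falls back when the first fails, and treats "no selector matched" as inconclusive rather than as proof that DKIM is missing. `fetchJson` is a hypothetical injectable transport and the sample answers in the comments are constructed.

```javascript
// Added example, not the tool's code. Selector list copied from the page.
const SELECTORS = ["default", "google", "selector1", "selector2", "k1", "mandrill",
                   "smtpapi", "s1", "mail", "dkim", "zoho", "mxvault"];

// Resolver order from the page: Google Public DNS first, then Cloudflare.
const RESOLVERS = [
  (name) => ({ url: `https://dns.google/resolve?name=${encodeURIComponent(name)}&type=TXT`,
               headers: {} }),
  (name) => ({ url: `https://cloudflare-dns.com/dns-query?name=${encodeURIComponent(name)}&type=TXT`,
               headers: { accept: "application/dns-json" } }),
];

// Default transport for browsers (and Node 18+); tests inject their own.
const httpFetchJson = ({ url, headers }) =>
  fetch(url, { headers }).then((res) => {
    if (!res.ok) throw new Error(`HTTP ${res.status}`);
    return res.json();
  });

// Extract TXT strings from a DNS JSON answer. CNAME rows (type 5) are skipped,
// and a long key may arrive quoted and split into chunks: "MIIB..." "AAAA...".
function txtStrings(response) {
  return (response.Answer || [])
    .filter((rr) => rr.type === 16)
    .map((rr) => rr.data.replace(/"\s*"/g, "").replace(/^"|"$/g, ""));
}

// Try each resolver in order; only throw if every resolver failed.
async function lookupTxt(name, fetchJson) {
  let lastError;
  for (const build of RESOLVERS) {
    try {
      return txtStrings(await fetchJson(build(name)));
    } catch (err) {
      lastError = err;
    }
  }
  throw lastError;
}

// Probe <selector>._domainkey.<domain> for each selector in the list.
async function probeDkim(domain, selectors = SELECTORS, fetchJson = httpFetchJson) {
  const found = [];
  for (const selector of selectors) {
    const records = await lookupTxt(`${selector}._domainkey.${domain}`, fetchJson);
    const key = records.find((txt) => /(^|;)\s*p=/.test(txt));
    if (key) found.push({ selector, record: key });
  }
  // A miss only means "not in the probe list": a custom selector would not be seen.
  return { found, verdict: found.length ? "found" : "inconclusive" };
}
```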
    Step-by-step guide

    How to Use the Email Authentication Checker

    Run a complete DNS authentication audit in under 30 seconds. No technical skills required.

    1. Enter your domain

    Type any domain name into the input field above. For example, leadfindy.com is pre-filled. No need to include "https://" — just the domain.

    2. Click "Check Domain"

    Hit the blue button or press Enter on your keyboard. The tool instantly queries Google's public DNS resolver to fetch your domain's SPF, DKIM, DMARC, and MX records.

    3. Review your results

    See color-coded Pass / Warning / Fail status for each record type. Each card shows the raw DNS record, metadata, and a detailed explanation.

    4. Follow recommendations

    Scroll to the Recommendations and Compliance Checklist sections. Each issue includes a clear explanation and actionable next step to fix your setup.

    Learn more

    Why Email Authentication Matters

    SPF, DKIM, and DMARC are the foundation of email deliverability. Here's what they do and why you need all three.

    SPF

    Sender Policy Framework — declares which mail servers are authorized to send email on behalf of your domain. Without SPF, spammers can forge your domain and receivers are more likely to flag your legitimate emails as suspicious.

    DKIM

    DomainKeys Identified Mail — adds a digital signature to every outgoing email. Receiving servers verify this signature against a public key in your DNS. A valid DKIM signature proves the email wasn't tampered with in transit.

    DMARC

    Domain-based Message Authentication, Reporting, and Conformance — tells receiving servers what to do when SPF or DKIM checks fail: reject, quarantine, or allow. A p=reject policy is the gold standard for domain protection and deliverability.

    MX Record

    MX records specify the mail servers that accept incoming email for your domain. While not an authentication protocol, correct MX setup ensures you actually receive replies from your outbound campaigns.

    Business impact

    Why Email Authentication Drives Revenue

    Proper authentication isn't just technical hygiene — it directly affects your bottom line. Here's how.

    Higher inbox placement

    Domains with valid SPF, DKIM, and DMARC (p=reject) see 95%+ inbox placement versus 50–70% for unauthenticated senders. Every point of deliverability translates into more replies, meetings, and revenue.

    Domain reputation protection

    DMARC with p=reject prevents spoofers from using your domain in phishing attacks. Without it, your domain can be forged — damaging trust with prospects and causing blacklisting that takes months to reverse.

    Scalable outreach operations

    When you scale cold email from 50 to 5,000 sends per day, authentication becomes non-negotiable. ESPs like Gmail and Microsoft use DMARC reports to determine bulk sender reputation. A clean auth setup is your foundation for sustainable growth.

    Compliance with provider requirements

    Google and Yahoo now require DMARC authentication for high-volume senders. Failure to comply means automatic rejection or spam classification. Regular auth checks keep you compliant with evolving requirements.

    Expert recommendations

    Email Authentication Best Practices

    Follow these expert guidelines to maximize deliverability and protect your sender reputation.

    01. Use a strict SPF policy

    Set your SPF record to end with -all (hard fail) rather than ~all. This tells receiving servers to reject email from unauthorized sources. Many providers treat ~all similarly to no SPF at all.

    02. Use dedicated DKIM selectors

    Use a unique DKIM selector for each email provider you send through. If you use Outreach, SalesLoft, or Mailgun, each should have its own selector. This makes it easier to rotate keys and troubleshoot.

    03. Progress DMARC: none → reject

    Start with p=none to monitor sending sources without impacting delivery. After 2–4 weeks of analyzing reports, move to p=quarantine, then p=reject once legitimate sources are authenticated.

    04. Monitor authentication weekly

    DNS records can drift — team members may modify SPF, or your provider might rotate DKIM keys. Run this checker weekly and after any infrastructure change to catch issues before they affect deliverability.

    05. Stay under the SPF 10-lookup limit

    SPF has a hard limit of 10 DNS lookups. Each include: counts as one. Use an SPF flattener if approaching the limit — exceeding it causes permerror and automatic authentication failure.

    06. Add BIMI for visual authentication

    Once DMARC is at p=reject, add a BIMI record to display your brand logo next to emails in supported clients. This boosts trust and recognition with recipients, increasing engagement rates.

    Watch out

    Common Email Authentication Mistakes

    Even experienced email marketers make these errors. Avoid them to keep your campaigns running smoothly.

    Using p=none indefinitely

    Many domain owners publish a DMARC record with p=none and never upgrade. p=none provides zero protection — it only monitors. Without enforcement, spammers can still forge your domain.

    Consequence: Your domain remains vulnerable to spoofing, and some providers may still penalize unauthenticated email.

    Mixing multiple SPF records

    DNS allows multiple TXT records, but when multiple SPF records exist, receiving servers may reject the SPF check entirely. You should have exactly one SPF record per domain.

    Consequence: SPF authentication fails for all email, causing widespread deliverability issues.

    Forgetting DKIM after provider changes

    When you switch email providers or rotate DKIM keys, the old public key in your DNS becomes invalid. If you don't update the DKIM record, all email will fail DKIM verification.

    Consequence: Broken DKIM can tank inbox placement overnight, often going unnoticed for days.

    Exceeding the SPF 10-lookup limit

    Adding multiple ESP includes (Google, Salesforce, Mailchimp, etc.) can quickly exceed SPF's 10-DNS-lookup limit, causing permerror and authentication failure.

    Consequence: Receiving servers cannot determine authorization, often defaulting to hard fail.

    Not monitoring DMARC reports

    DMARC generates daily XML reports showing who sent email from your domain. Ignoring these means missing unauthorized sending sources and losing visibility into your email ecosystem.

    Consequence: You can't confidently move from p=none to p=reject without reviewing DMARC data.

    Ignoring subdomain authentication

    If you send from mail.yourdomain.com or use subdomains for different campaigns, each needs its own SPF and DMARC configuration.

    Consequence: Email from subdomains fails authentication, damaging the reputation of your entire domain.

    Who it's for

    Who Should Use the Authentication Checker

    This tool is designed for anyone who sends email professionally and cares about landing in the inbox.

    SDRs & sales teams

    Verify your outreach domain is authenticated before launching sequences. Prevent cold emails from landing in spam.

    Email marketers

    Audit your sending infrastructure to maximize campaign ROI. Every deliverability improvement directly increases leads.

    B2B agencies

    Manage multiple client domains and quickly diagnose authentication issues that could be hurting performance.

    Founders & startup teams

    Set up email infrastructure properly from day one. Avoid costly domain reputation damage before outreach begins.

    Recruiters

    High-volume sourcing emails need strong authentication to reach candidate inboxes. Check before sending at scale.

    Freelancers & consultants

    Protect your personal brand by ensuring your domain passes authentication checks before sending proposals.

    Tool comparison

    Email Authentication Checker vs MXToolbox

    Both tools query the same public DNS records — but the workflow, scoring, and integrations differ. Here is an honest, side-by-side comparison.

    | Capability | LeadFindy Authentication Checker | MXToolbox SuperTool |
    | --- | --- | --- |
    | SPF, DKIM, DMARC, MX in one click | Yes — all four checked in a single lookup with a unified scorecard. | No — each record type requires a separate tool selection. |
    | Multi-selector DKIM probing | Yes — auto-probes 12+ selectors (default, google, selector1, selector2, k1, mandrill, smtpapi, s1, mail, dkim, zoho, mxvault). | Manual — you must enter the selector yourself. |
    | Free & unlimited usage | Yes — no signup, no rate limit on body checks. | Partial — free lookups limited; advanced monitoring is paid. |
    | Built-in policy recommendations | Yes — actionable next steps for every Warn/Fail status. | Limited — raw results plus help links. |
    | DoH fallback resolver | Yes — Google DNS with automatic Cloudflare failover. | N/A — server-side proprietary resolver. |
    | Cold-email workflow integration | Yes — connects directly to copy analyzer, spam checker, and subject line tester. | No — deliverability tools, not outbound workflow. |
    | Ongoing DMARC monitoring | No — on-demand audits only; pair with a DMARC reporting service. | Yes — paid plans aggregate DMARC RUA reports over time. |
    | Best for | SDRs, agencies, founders, and growth teams launching or auditing outbound infrastructure. | Email administrators running long-term DMARC monitoring. |

    Honest take: use this tool for fast, free, end-to-end audits before launching cold email sequences and to fix configuration drift. Use MXToolbox if you also need ongoing DMARC aggregate-report monitoring. The two are complementary — not mutually exclusive.

    Industry data

    Email Authentication Statistics

    The deliverability numbers that anchor our scoring model — drawn from public DMARC adoption studies, mailbox-provider guidelines, and aggregated B2B outbound campaign data.

    • ~33% (Domains with DMARC published): Of the top one million domains, roughly one in three publishes a DMARC record at all.
    • ~13% (DMARC at p=reject): Only a small minority of DMARC adopters enforce reject — the gold-standard policy that actually blocks spoofing.
    • 95%+ (Inbox placement target): Top-performing senders with SPF, DKIM, and DMARC reject typically hold inbox placement above 95%.
    • 5,000+ (Daily-send threshold): Google and Yahoo's 2024 bulk-sender rules require SPF, DKIM, DMARC, and one-click unsubscribe above this volume.
    • 10 (Hard SPF DNS-lookup limit): RFC 7208 caps SPF at 10 DNS lookups. Exceeding it triggers permerror and silent authentication failure.
    • ~3× (Spoofing reduction with reject): Moving DMARC from p=none to p=reject reduces successful brand-impersonation attacks by roughly 3×.

    Numbers move year-over-year as enforcement tightens. The directional takeaway is stable: most domains still under-enforce, most spoofing attacks target domains stuck at p=none, and inbox placement correlates strongly with full SPF + DKIM + DMARC p=reject alignment. Use this checker, then validate body copy with the email copy analyzer before scaling sends.

    SPF reference

    SPF Record Examples

    Copy-ready Sender Policy Framework records for the most common B2B outbound stacks. Replace placeholders with your actual sending domain, then publish as a TXT record on the apex domain.

    1. Google Workspace only — the cleanest single-provider SPF.

    v=spf1 include:_spf.google.com -all

    2. Microsoft 365 only.

    v=spf1 include:spf.protection.outlook.com -all

    3. Google Workspace + SendGrid (transactional).

    v=spf1 include:_spf.google.com include:sendgrid.net -all

    4. Multi-provider cold-email stack (Google + Mailgun + Instantly + a dedicated IP). Watch the 10-lookup limit closely with this many includes.

    v=spf1 include:_spf.google.com include:mailgun.org include:_spf.instantly.ai ip4:198.51.100.42 -all

    5. Subdomain pass-through — delegate SPF for mail.example.com to the apex.

    v=spf1 redirect=example.com

    Common mistakes to avoid: publishing two SPF records on the same name (RFC 7208 §3.2 — receivers reject), ending with ~all when you can safely use -all, and chaining so many include: tokens that you exceed the 10-lookup cap. Run the live checker above after every change. If you also want to score body copy before launching, jump to our cold email copy analyzer.
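The three mistakes listed above can be checked mechanically. The following added example (not the checker's own code) lints an SPF record offline against a constructed TXT map: it counts lookups recursively through nested include: and redirect= terms, flags duplicate records, and reports the all qualifier. The `ZONE` map, the `.test` and `.example` names, and the function names are assumptions made for illustration.

```javascript
// Added example: SPF lint over a constructed TXT map (not the checker's own code).
// ZONE stands in for DNS; every name and record below is constructed sample data.
const ZONE = {
  "example.com": ["v=spf1 include:_spf.esp-a.test include:_spf.esp-b.test a mx ip4:198.51.100.42 ~all"],
  "ok.example": ["v=spf1 include:_spf.esp-a.test -all"],
  "dup.example": ["v=spf1 include:_spf.esp-a.test -all", "v=spf1 ip4:203.0.113.7 -all"],
  "_spf.esp-a.test": ["v=spf1 include:n1.esp-a.test include:n2.esp-a.test include:n3.esp-a.test -all"],
  "_spf.esp-b.test": [
    "v=spf1 include:m1.esp-b.test include:m2.esp-b.test include:m3.esp-b.test include:m4.esp-b.test -all",
  ],
};
for (const leaf of ["n1.esp-a.test", "n2.esp-a.test", "n3.esp-a.test",
                    "m1.esp-b.test", "m2.esp-b.test", "m3.esp-b.test", "m4.esp-b.test"]) {
  ZONE[leaf] = ["v=spf1 ip4:192.0.2.0/24 -all"];
}

// Mechanisms that cost one DNS lookup each (RFC 7208 section 4.6.4).
// The lookahead keeps "all" from being read as the "a" mechanism.
const LOOKUP_TERMS = /^[+\-~?]?(include|a|mx|ptr|exists)(?=[:\/]|$)/i;

function spfRecords(name, zone) {
  return (zone[name.toLowerCase()] || []).filter((txt) => /^v=spf1( |$)/i.test(txt));
}

// Count lookups for a name, following include: and redirect= into nested records.
// `path` holds the names already being evaluated, so a loop cannot recurse forever.
function countLookups(name, zone, path = []) {
  const key = name.toLowerCase();
  if (path.includes(key)) return 0;
  const [record] = spfRecords(key, zone);
  if (!record) return 0;
  let total = 0;
  for (const term of record.split(/\s+/).slice(1)) {
    const nested = /^(?:[+\-~?]?include:|redirect=)(.+)$/i.exec(term);
    if (nested) {
      total += 1 + countLookups(nested[1], zone, [...path, key]);
    } else if (LOOKUP_TERMS.test(term)) {
      total += 1;
    }
  }
  return total;
}

function lintSpf(name, zone) {
  const records = spfRecords(name, zone);
  if (records.length === 0) return { lookups: 0, all: null, findings: ["no SPF record"] };
  const findings = [];
  if (records.length > 1) findings.push("multiple SPF records on one name (permerror)");
  const lookups = countLookups(name, zone);
  if (lookups > 10) findings.push(`${lookups} DNS lookups, limit is 10 (permerror)`);
  const allTerm = records[0].split(/\s+/).find((t) => /^[+\-~?]?all$/i.test(t));
  const all = allTerm ? allTerm.toLowerCase() : null;
  if (all === "~all") findings.push("ends with ~all (soft fail) instead of -all");
  return { lookups, all, findings };
}
```

The top-level record for example.com shows only four lookup terms, but the nested includes bring the total to 11, which is why counting the visible include: tokens is not enough.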

    DKIM reference

    DKIM Explained With an Example

    How DomainKeys Identified Mail proves an email was sent by your domain and was not modified in transit.

    How it works. Your sending platform (Google Workspace, M365, SendGrid, etc.) generates an RSA key pair. The private key signs every outgoing message; the matching public key is published in your DNS at <selector>._domainkey.<your-domain>. Receivers fetch the public key and verify the signature. A pass means the message body and key headers were not altered after signing.

    The DNS record looks like this (published at google._domainkey.example.com for a Google Workspace domain):

    v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyrZF8xq3...IDAQAB

    The email header that receivers verify looks like this (truncated):

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
      d=example.com; s=google;
      h=from:to:subject:date:message-id;
      bh=2jU0+kqQ...HRz8=;
      b=Bv1QkpHpr8t9N...vK7e7w==

    What each tag means. d= is the signing domain (must match the From for DMARC alignment), s= is the selector (this is the value our tool probes for), h= lists the signed headers, bh= is the body hash, and b= is the signature itself.

    Practical tips: use 2,048-bit RSA keys (modern providers default to this); use a distinct selector per provider so you can rotate keys without breaking other senders; never share private keys across vendors. For end-to-end deliverability, also sanity-check your body copy and spam words before launch.

    DMARC reference

    DMARC Policy Examples

    Copy-ready DMARC records for every stage of the deployment journey, from monitoring to full enforcement. Publish as a TXT record at _dmarc.yourdomain.com.

    Stage 1 — Monitoring (start here). Collect data without affecting delivery. Run this for 2–4 weeks while you fix every legitimate source that fails alignment.

    v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; fo=1

    Stage 2 — Quarantine. Failing mail goes to spam instead of the inbox. A safe middle step before reject.

    v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com

    Stage 3 — Reject (gold standard). Failing mail is rejected outright. Required for top inbox placement and full spoofing protection.

    v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com; adkim=s; aspf=s

    Subdomain-specific policy. Use sp= to apply a different policy to subdomains. Useful when you want strict reject on the apex but quarantine while you migrate subdomains.

    v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com

    Key tags explained. p= is the apex policy, sp= is the subdomain policy, pct= rolls the policy out gradually (1–100%), rua= receives aggregate XML reports, ruf= receives forensic per-failure reports, and adkim=s / aspf=s require strict alignment between the signing/return-path domain and the From header. Combine this hardening with consistent send-time targeting for measurable reply-rate gains.
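How the d= tag and the adkim / aspf tags interact is easiest to see in code. This added example (not the checker's own code) parses a DKIM-Signature header and a DMARC record, then decides alignment and the resulting action. The message fields (`fromDomain`, `returnPathDomain`, `dkimPass`, `spfPass`) are hypothetical inputs, the two-label organizational-domain shortcut is an assumption, and pct= and sp= are ignored.

```javascript
// Added example (not the checker's code): DMARC alignment from DKIM and DMARC tags.
// Both the DKIM-Signature value and the DMARC record are "tag=value;" lists.
function parseTags(value) {
  const tags = {};
  for (const part of value.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).replace(/\s+/g, "");
  }
  return tags;
}

// ASSUMPTION: organizational domain = last two labels. Real receivers use the
// Public Suffix List, so this shortcut is wrong for names such as example.co.uk.
function orgDomain(domain) {
  return domain.toLowerCase().split(".").slice(-2).join(".");
}

// Strict ("s") needs an exact match; relaxed ("r") only the same organizational domain.
function isAligned(authDomain, fromDomain, mode) {
  const auth = authDomain.toLowerCase();
  const from = fromDomain.toLowerCase();
  return mode === "s" ? auth === from : orgDomain(auth) === orgDomain(from);
}

// msg: { fromDomain, dkimSignature, dkimPass, returnPathDomain, spfPass } (hypothetical shape).
// DMARC passes when at least one mechanism both passes and is aligned with the From domain.
function evaluateDmarc(msg, dmarcRecord) {
  const policy = parseTags(dmarcRecord);
  const dkim = parseTags(msg.dkimSignature.replace(/^dkim-signature:/i, ""));
  const dkimAligned = msg.dkimPass && isAligned(dkim.d, msg.fromDomain, policy.adkim || "r");
  const spfAligned = msg.spfPass && isAligned(msg.returnPathDomain, msg.fromDomain, policy.aspf || "r");
  const pass = dkimAligned || spfAligned;
  return {
    signingDomain: dkim.d,
    selector: dkim.s,
    dkimAligned,
    spfAligned,
    pass,
    action: pass ? "deliver" : policy.p, // pct= and sp= are ignored in this sketch
  };
}

// Constructed sample header, modelled on the truncated one shown on this page.
const sampleSignature = (d) =>
  `DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n  d=${d}; s=google;\r\n` +
  "  h=from:to:subject:date:message-id;";

// Stage 2 and Stage 3 records from this page.
const STAGE2 = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com";
const STAGE3 = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; " +
  "ruf=mailto:dmarc-forensics@example.com; adkim=s; aspf=s";
```

A message signed with d=mail.example.com and sent From example.com aligns under the Stage 2 record (relaxed by default) but not under the Stage 3 record, where adkim=s demands an exact match.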

    Troubleshooting

    Common Deliverability Problems

    Most cold-email pipeline pain traces back to a small set of fixable issues. Here are the patterns we see most often when auditing B2B outbound stacks — and the diagnostic that catches each one.

    SPF permerror (10-lookup overflow)

    Stacking include: tokens for many ESPs pushes SPF past the 10-lookup limit. Receivers return permerror and treat the message as unauthenticated.

    Fix: flatten includes, remove unused vendors, or use a hosted SPF flattening service. Re-run the checker after each change.

    DKIM/From misalignment

    Mail is signed for d=esp.com but sent From you@example.com. DKIM verifies, but DMARC alignment fails — and DMARC is what actually drives the spam folder decision.

    Fix: sign with your own domain. Every reputable provider supports custom DKIM signing — turn it on.

    DMARC stuck at p=none forever

    Owners publish p=none, never review the reports, and never upgrade. The domain remains spoofable and Gmail/Yahoo will not treat the sender as fully authenticated.

    Fix: set a 4-week review cadence. Move to p=quarantine, then p=reject once legitimate sources align.

    Cold domain sent at volume

    A brand-new outbound domain hits 500 sends/day in the first week. Mailbox providers throttle aggressively — open rates collapse and replies disappear.

    Fix: warm up gradually for 3–6 weeks; ramp daily volume by ~10%. The warmup calculator produces a per-day schedule.

    Spam-trigger words in body copy

    Even authenticated email lands in spam if the body is full of flagged words ("free", "guaranteed", "act now") or excessive exclamation marks.

    Fix: run drafts through the spam words checker and the cold email copy analyzer before sending.

    Weak subject lines killing open rates

    Even with perfect authentication, generic or spammy subject lines collapse open rates. Authentication gets you to the inbox — the subject decides whether the email is read.

    Fix: validate every subject line with the subject line tester before launching a sequence.

    FAQ

    Frequently Asked Questions

    Everything you need to know about email authentication checks and DNS record configuration.

    An email authentication check queries your domain's DNS records to verify that SPF, DKIM, and DMARC records are properly configured. These protocols work together to prove to receiving mail servers (Gmail, Outlook, Yahoo) that your email is legitimate and not spam or phishing. Our tool performs all three checks plus MX record validation in a single lookup.

    SPF authorizes which servers can send email for your domain. DKIM adds a digital signature to verify the email wasn't tampered with. DMARC tells receiving servers what to do if SPF or DKIM fails — reject, quarantine, or allow the message. Think of SPF as the ID check, DKIM as the tamper-proof seal, and DMARC as the security guard who enforces the rules.

    p=reject is the most secure DMARC policy. It instructs receiving email servers to reject (bounce) any message that fails SPF or DKIM checks. This is the gold standard for domain protection and deliverability because it prevents spoofers from impersonating your domain and signals to email providers that you take authentication seriously.

    Yes — our tool can check SPF, DKIM, DMARC, and MX records for any publicly accessible domain. Simply enter the domain name (e.g., leadfindy.com) and click "Check Domain". The tool uses Google's public DNS resolver to fetch the records, so no API keys or special permissions are required.

    Several factors could cause this: your DMARC policy might be set to p=none (no enforcement), your SPF might use ~all instead of -all, your DKIM selector might not match your sending provider, your domain could have a poor sending reputation, or your email content might contain spam trigger words. Our tool checks the technical aspects — but content quality, engagement, and sending volume also affect placement.

    We recommend running an authentication check at least once a week, and immediately after any changes to your email infrastructure — such as switching providers, adding new sending platforms, rotating DKIM keys, or modifying DNS records. Regular checks help catch configuration drift before it impacts deliverability.

    -all (hard fail) tells receiving servers to reject email from any IP not listed in your SPF record. ~all (soft fail) marks unapproved email as suspicious but still delivers it. Many providers treat ~all similarly to no SPF at all. For cold email and B2B outreach, always use -all for maximum deliverability and security.

    Absolutely. Email authentication is non-negotiable for cold email. Gmail, Outlook, and Yahoo now require SPF, DKIM, and DMARC for high-volume senders. Without proper authentication, your cold emails will land in spam at best, or be rejected entirely at worst. Authentication also protects your domain from being blacklisted, which can take months to recover from.

    To fix a failed SPF record, create a TXT record in your DNS with v=spf1 include:_spf.yourprovider.com -all (replace with your provider's include). If you use multiple providers, chain them: v=spf1 include:_spf.google.com include:sendgrid.net -all. Keep the total DNS lookups under 10. Use our tool to verify your fix after publishing.

    No. The Email Authentication Checker runs entirely in your browser. DNS lookups go directly from your device to Google's public DNS resolver (dns.google). We do not store, log, or transmit your domain lookups to any server. Your searches are completely private and anonymous.

    Need Expert Help With Email Authentication & Deliverability?

    We set up SPF, DKIM, DMARC, and full cold email infrastructure for B2B teams. Get a free audit — we'll check your setup and deliverability health.
