IP Network IconIP.network

Email Authentication

SPF / DKIM / DMARC Analyzer

Look up and analyze SPF, DMARC, and DKIM records so mail policy problems show up before they become deliverability or spoofing incidents.

SPF Policy Review

Shows mechanisms, DNS lookup count, and risky patterns such as +all.

DMARC Posture

Explains whether the domain is in monitoring, quarantine, or reject mode.

DKIM Selector Checks

Looks up specific selectors and estimates public key strength when possible.

Examples

Selectors are optional. If you know your DKIM selector names, add them as comma-separated values.

Enter a domain and optional DKIM selectors to analyze SPF, DMARC, and DKIM records.

Why this matters

Email authentication is where spoofing resistance, deliverability, and incident visibility all meet.

Most common miss

Teams often publish SPF and DKIM but leave DMARC at p=none for too long, which limits enforcement.

Operational payoff

A single analyzer makes it easier to review mail posture during migrations, audits, and on-call debugging.

About This Tool

The SPF / DKIM / DMARC Analyzer queries a domain’s TXT-based mail authentication records and turns them into operational guidance. SPF shows who may send, DKIM proves message integrity with a selector-specific key, and DMARC defines policy and reporting on top of both. This tool is useful during mail platform migrations, third-party sender onboarding, phishing hardening, and incident reviews where you need one place to assess mail posture quickly. It also works well as an SEO landing page because admins often search for discrete problems like SPF lookup limits, DMARC p=none meaning, or DKIM selector validation.

How to Use

  1. Enter the domain you want to inspect.
  2. Add one or more DKIM selectors if you know them.
  3. Run the analyzer and review SPF, DMARC, and DKIM sections separately.
  4. Use the warnings to spot weak policy, missing records, or likely deployment issues.
  5. Adjust DNS or provider settings before moving the domain into stricter mail enforcement.

Features

  • Queries real DNS TXT records for SPF and DMARC
  • Supports multiple DKIM selectors per lookup
  • Estimates SPF DNS lookup pressure
  • Explains DMARC policy and reporting tags
  • Estimates DKIM key length when public key material is present

Common Use Cases

  • Auditing a domain before enabling DMARC enforcement
  • Reviewing third-party sender onboarding
  • Troubleshooting deliverability and spoofing complaints
  • Checking DKIM selectors after provider migrations
  • Documenting mail security posture during security reviews

Technical Details

SPF, DKIM, and DMARC each solve a different part of the mail authentication problem.

  • SPF is published at the root domain and tells receivers which senders are authorized.
  • DMARC is published at _dmarc.domain and tells receivers what to do when SPF or DKIM alignment fails.
  • DKIM publishes selector-specific TXT records under selector._domainkey.domain.

This analyzer does not recursively validate every external include chain, but it provides a strong first-pass operational review of what is visible in DNS.

Email Auth FAQ

Do I need all three: SPF, DKIM, and DMARC?

For modern production mail, yes. SPF and DKIM provide signals, and DMARC tells receivers how to enforce them.

Why does SPF care about DNS lookup count?

SPF evaluation is limited to 10 DNS lookups. Large include chains can break policy evaluation.

What if I do not know the DKIM selector?

You can still analyze SPF and DMARC. DKIM needs one or more known selector names to query.

Is p=none wrong?

Not always. It is useful for staged rollout, but it should usually progress toward quarantine or reject once reporting is understood.

Related DNS Tools

DNS Lookup
Query A, AAAA, MX, NS, TXT records.
CAA Validator
Validate and generate CAA records.
Record Validator
A/AAAA/CNAME/MX/TXT/SRV.