What is an email authentication check?

An email authentication check verifies all three major email security protocols — SPF, DMARC, and DKIM — in a single scan. This comprehensive audit ensures your domain is protected against email spoofing and phishing attacks. DomainScan checks each protocol's configuration, validates alignment between them, and provides an overall email security score with specific improvement recommendations.

Why do I need SPF, DMARC, and DKIM together?

Each protocol covers a different aspect of email security. SPF verifies which servers can send email for your domain. DKIM cryptographically signs messages to prevent tampering. DMARC ties them together with a policy telling receivers what to do when checks fail. All three working together provide comprehensive protection against spoofing. Missing any one creates gaps that attackers can exploit.

FREE · NO ACCOUNT REQUIRED

Email authentication checker — verify SPF, DKIM, and DMARC for any domain in one report.

Email Authentication Checker runs the full SPF + DKIM + DMARC audit on a single domain in one query. Pulls the SPF record and expands its include chain, queries DKIM at known selectors, parses the DMARC policy and alignment modes, scores the overall posture (none / partial / strong), surfaces the failures that actually break deliverability, and tells you the next concrete step to take. The combined view that DMARC dashboards and standalone checkers don't give you.

01 · OVERVIEW

What gets checked, all in one pass

All three pillars in a single audit. Each underlying check is the same rigorous analysis as the standalone tools — combined here so you see how they interact, not just whether each one technically exists.

SPF — full chain expansion (RFC 7208)

Pulls the SPF TXT, parses every mechanism, recursively expands all `include:` chains to terminal IPs, and counts DNS lookups against the 10-limit. Lookup overrun is the single most common silent SPF failure; surfaced here as part of the combined view.

DKIM — selector probing (RFC 6376)

Probes the known-default selector list (Google, Microsoft 365, Mailchimp, SendGrid, SES, Postmark, Mailgun, and 30+ more) plus any selector you provide. Reports active selectors, key strength per selector, and any selectors stuck in test mode (`t=y`).

DMARC — policy + alignment (RFC 7489)

Parses the DMARC record at `_dmarc.<domain>` — `p`, `sp`, `pct`, `rua`, `ruf`, `adkim`, `aspf`. Scores effective enforcement (policy × pct). Identifies misalignment between DMARC's strict/relaxed settings and how SPF/DKIM are actually deployed.

Cross-check: do they agree? (Composite)

Verifies that SPF and DKIM are deployed consistent with what DMARC expects. Common mismatch: DMARC published at `p=reject` but SPF is `~all` and DKIM keys are 1024-bit — the policy is strict but the underlying authentication is weak.

Posture score (0 to 100)

Single number summarizing email-authentication health. None (no SPF, no DKIM, no DMARC) → 0. Standard (SPF strict, DKIM 2048+, DMARC at quarantine or reject) → 80+. Strong (all three deployed, DMARC at reject pct=100, DKIM rotated recently) → 95+.

AI-prioritized fixes (Action list)

Severity-ranked recommendations: 'Rotate DKIM key — 1024-bit is too weak', 'Move DMARC from p=none to p=quarantine', 'SPF has 11 lookups — exceeds the limit'. Each is a concrete action with a one-line rationale.

02 · WHY THIS MATTERS

Why all three together matter more than each individually

The standalone checkers tell you whether one mechanism is configured. The combined check tells you whether the three pieces actually work together. Five things the composite view reveals that single checks don't:

DMARC strength is bounded by underlying SPF/DKIM strength. Publishing `p=reject` with broken SPF and missing DKIM achieves nothing — your legitimate mail fails DMARC and gets rejected. The composite check tells you whether the underlying authentication can support the published policy.
Alignment failures are the silent killer. Mail can pass both SPF and DKIM but still fail DMARC because neither aligns with the `From:` domain. ESPs that sign with their own DKIM domain and use their own envelope sender produce mail that authenticates as the ESP, not as you — DMARC fails. The composite check spots this; standalone checks don't.
DKIM coverage is incomplete without selector enumeration. A domain might have one DKIM selector working perfectly — but five other active sending services with no DKIM at all. The composite view, by probing known-default selectors, surfaces missing DKIM where standalone checks (which require you to know the selector) wouldn't even look.
Bulk-sender compliance is composite by definition. Google's and Yahoo's 2024 bulk-sender requirements demand all three (SPF, DKIM aligned, DMARC published) for senders above 5,000 messages/day. A single-tool check doesn't directly answer 'am I compliant'; the composite does.
Posture comparison is composite by definition. Comparing your email auth against a competitor or a target acquisition's auth requires looking at all three simultaneously. The composite check normalizes the comparison to a single posture score plus the breakdown.

03 · HOW IT WORKS

Parallel SPF + DKIM + DMARC lookups, then cross-correlation

All three lookups fire in parallel. Once the results come back, the cross-correlation layer compares them and surfaces composite-only findings.

Stage 1 — Fan-out to SPF, DKIM, DMARC Three independent queries fire in parallel: TXT at the apex for SPF, TXT at `<selector>._domainkey.<domain>` for each probed DKIM selector, TXT at `_dmarc.<domain>` for DMARC. Wall-clock time is bounded by the slowest one (usually the SPF chain expansion if the domain has many includes).
Stage 2 — Run each standalone analysis Same logic as the standalone SPF, DKIM, and DMARC tools. Each produces its own parsed record, validation tests, and AI findings.
Stage 3 — Cross-correlate alignment Look at DMARC's `adkim` and `aspf` against the actual sender behavior implied by SPF and DKIM. Are there mechanisms that would never align under strict mode? Are there hosts in SPF for which there's no corresponding DKIM selector?
Stage 4 — Verify policy is supportable Check whether the DMARC policy strength makes sense given underlying mechanism quality. `p=reject` with broken SPF lookup count is a deliverability time bomb. `p=none` with strong SPF and DKIM is leaving protection on the table.
Stage 5 — Compute posture score Weight: SPF presence + policy strength (0-20), DKIM presence + key strength (0-30), DMARC presence + policy strength + pct (0-50). Sum to 0-100. Score ranges map to posture ratings: 0-29 (none), 30-59 (partial), 60-79 (standard), 80-100 (strong).
Stage 6 — AI-prioritized recommendations Feed the combined parsed state to the analyzer. Output a ranked list of fixes: weighted by impact (deliverability, security, compliance) and effort (DNS change, key rotation, ESP coordination). Top recommendations are the highest-impact lowest-effort changes.

04 · THE THREE PILLARS

SPF, DKIM, DMARC — what each contributes

Three mechanisms, three different things. Knowing what each contributes makes the composite analysis easier to interpret:

SPF — Sender Policy Framework Lists which IPs are allowed to send mail for your domain. TXT record at the apex. IP-based — checks the connecting server's IP. Pros: simple, cheap, instant. Cons: breaks under forwarding, has a 10-lookup limit, and silently fails when chains get too deep. See the SPF Checker for detailed analysis.
DKIM — DomainKeys Identified Mail Cryptographically signs the outgoing message with a private key; receivers verify against the published public key. TXT record at `<selector>._domainkey.<domain>`. Content-based — survives forwarding. Pros: forgery-proof when key is strong. Cons: harder setup, requires per-ESP selector, weak keys silently fail. See the DKIM Checker for per-selector key strength.
DMARC — Domain-based Message Authentication, Reporting, and Conformance Policy layer on top of SPF and DKIM. Tells receivers what to do when either fails. TXT record at `_dmarc.<domain>`. Adds reporting (`rua=`) so you find out who's sending as you. Pros: enforcement + visibility. Cons: requires the underlying two to work; alignment is a frequent silent failure. See the DMARC Checker for policy analysis.
How they interact DMARC passes if either SPF or DKIM aligns with the `From:` domain. SPF can be missing if DKIM aligns. DKIM can be missing if SPF aligns. Both should be present for resilience — DKIM survives forwarding (SPF can't), SPF is universally supported (DKIM is mostly universal). DMARC alone, without functional SPF and DKIM, is just a published intent with no underlying enforcement.
Why this combined tool exists Standalone tools each tell you about one mechanism. The combined view tells you whether the three actually work together — which is the question that matters for deliverability, security, and bulk-sender compliance.

05 · BULK-SENDER COMPLIANCE

What Google, Yahoo, and Microsoft require since 2024

Google and Yahoo's 2024 bulk-sender requirements, followed by Microsoft's 2025 alignment, raised the floor for senders above 5,000 messages per day to the same recipient domain. The requirements are composite — they only make sense as a combined SPF + DKIM + DMARC posture:

Authenticated mail (all three required) Bulk senders must authenticate every message with both SPF and DKIM (aligned), and publish DMARC at minimum `p=none`. A missing or unaligned authentication mechanism means messages can be deferred or rejected at the mailbox provider's edge.
DMARC at p=none minimum Just publishing a DMARC record at `p=none` satisfies the requirement — but it's the floor. Many providers favor higher-enforcement DMARC in spam scoring. Publishing `p=quarantine` or `p=reject` improves deliverability even though the bulk-sender requirement only mandates `p=none`.
Branded sender alignment The `From:` domain must align with either the SPF-authenticated domain or the DKIM-signing domain. Bulk senders using an ESP that signs with its own domain (rather than yours) fail alignment — and fail the bulk-sender requirement.
One-click unsubscribe (List-Unsubscribe header) Adjacent to authentication: bulk senders must include an RFC 8058 `List-Unsubscribe-Post` header for one-click unsubscribe. Not strictly an authentication signal but checked at the same edge enforcement step.
Spam complaint rate under 0.3% Mailbox providers measure your complaint rate via the Feedback Loop. Above 0.3% triggers throttling or rejection regardless of authentication. The threshold makes authentication necessary-but-not-sufficient — you must also send mail recipients want.
How this composite check helps The posture score and breakdown directly answer 'am I compliant'. SPF aligned: yes/no. DKIM aligned: yes/no. DMARC published: yes/no/strength. Three checkmarks plus the posture score gives you the compliance answer in one screen.

06 · API

Use this programmatically

All three results plus the cross-correlation and posture score are available as JSON. Useful for vendor onboarding, M&A diligence, bulk-sender-compliance automation, and continuous email-security monitoring.

cURL

curl 'https://api.domainscan.in/v1/security/email?domain=microsoft.com'

JavaScript (fetch)

const res = await fetch(
  'https://api.domainscan.in/v1/security/email?domain=microsoft.com'
);
const email = await res.json();

console.log(email.posture.score);             // 88
console.log(email.posture.rating);            // 'strong'

console.log(email.SPF.parsed.qualifier);      // '-all'
console.log(email.SPF.parsed.lookupCount);    // 7
console.log(email.DKIM.selectors.length);     // 3
console.log(email.DMARC.parsed.p);            // 'reject'
console.log(email.DMARC.parsed.pct);          // 100

// Top fixes
email.AiAnalysis.recommendations
  .slice(0, 3)
  .forEach(r => console.log(`[${r.severity}] ${r.title} — ${r.action}`));

Response schema (abridged)

{
  "domain":  "microsoft.com",
  "posture": {
    "score":    88,
    "rating":   "none | partial | standard | strong",
    "bulkSenderCompliant": true
  },

  "SPF": {
    "present":     true,
    "raw":         "v=spf1 include:... -all",
    "parsed":      {  /* full SPF parse */  },
    "lookupCount": 7,
    "qualifier":   "-all"
  },

  "DKIM": {
    "selectors": [
      { "selector": "selector1", "present": true, "keyBits": 2048, "strength": "standard" },
      { "selector": "selector2", "present": true, "keyBits": 2048, "strength": "standard" }
    ]
  },

  "DMARC": {
    "present": true,
    "raw":     "v=DMARC1; p=reject; rua=...; pct=100",
    "parsed":  {  /* full DMARC parse */  }
  },

  "AiAnalysis": {
    "recommendations": [
      {
        "severity":   "high | medium | low",
        "title":      "string",
        "description": "string",
        "action":     "string",
        "impact":     "deliverability | security | compliance"
      }
    ]
  }
}

07 · USE CASES

How teams use the Email Authentication Checker

Six patterns we see most often:

Bulk-sender compliance audit (Compliance)

Verify every domain in your sending portfolio meets Google, Yahoo, and Microsoft's 2024–2025 bulk-sender requirements. The composite posture score directly answers compliance, then drill into each pillar to fix gaps.

M&A email-security diligence (Diligence)

Acquiring a company. Run the composite check on every domain they own. Posture scores reveal the depth of post-acquisition email-security work needed. Most acquisitions inherit weak DMARC and old DKIM keys.

Phishing-impersonation defense (Security)

Your domain is being spoofed. Composite check confirms whether your SPF, DKIM, and DMARC actually defend against the spoofing — or whether the policy is theoretical and would let the spoofed mail through anyway.

Pre-DMARC-enforcement gate (Setup)

Before raising DMARC from `p=none` to `p=quarantine` or `p=reject`, run the composite check. Posture rating tells you whether the underlying SPF and DKIM are strong enough to support enforcement without breaking legitimate mail.

Vendor email-auth evaluation (Procurement)

Evaluating an ESP, marketing platform, or any vendor that will send mail on your behalf. Their existing email-auth posture (on their own marketing domain) is a credible signal of how seriously they take deliverability.

Continuous monitoring (Operations)

Cron the composite check against your domains weekly. Alert on posture regressions — SPF newly broken, DKIM selector expired, DMARC pct dropped. Catches the slow drift that erodes email security over months.

08 · FAQ

Frequently asked questions

What's the difference between SPF, DKIM, and DMARC? SPF lists which IPs can send mail for your domain. DKIM cryptographically signs outgoing messages with a private key. DMARC tells receivers what to do when SPF or DKIM fails — and adds reporting. They're complementary, not interchangeable. Proper email authentication uses all three. The composite check on this page audits all three at once.
Do I really need all three? Yes — and major mailbox providers' 2024–2025 bulk-sender requirements make this explicit for senders above 5,000 messages/day. SPF is universally supported and cheap. DKIM survives forwarding. DMARC adds enforcement and visibility. The marginal effort to deploy all three is small; the deliverability and security benefit is significant.
What is DMARC alignment and why does it matter? DMARC passes only when either SPF or DKIM aligns — meaning the authenticated domain matches the visible `From:` domain. SPF can pass on a different envelope sender, DKIM can pass with a different signing domain, but DMARC requires alignment. Most DMARC failures aren't authentication failures — they're alignment failures, typically because an ESP signs with its own domain rather than yours.
What is the difference between SPF strict and SPF relaxed? Those terms describe DMARC's `aspf=` setting, not SPF itself. `aspf=r` (relaxed, default) allows the SPF envelope-sender domain to be any subdomain of the `From:` domain. `aspf=s` (strict) requires exact match. Relaxed is correct for ~99% of setups. The composite check on this page surfaces strict-alignment configs that would break legitimate senders.
Why is my email going to spam despite SPF, DKIM, and DMARC passing? Authentication passes are necessary but not sufficient. Receivers also weigh sender reputation (IP and domain), engagement (do recipients open and reply?), content signals (links, language), spam-complaint rate from the Feedback Loop, and many other factors. The composite check tells you whether authentication is the problem; if everything green, the answer is reputation or content, not authentication.
How do I read the posture score? 0–29 (none): missing or critically broken authentication; mail is undefended. 30–59 (partial): some authentication present but with gaps that allow spoofing or break deliverability. 60–79 (standard): all three pillars deployed at sane defaults; meets bulk-sender compliance. 80–100 (strong): all three with strong DMARC enforcement, modern DKIM keys, tight SPF. Production goal is 80+.
What is BIMI and how does it relate to this check? BIMI (Brand Indicators for Message Identification) displays your brand logo next to authenticated mail in supporting clients. It requires DMARC at `p=quarantine` or `p=reject; pct=100`. Without strict DMARC, BIMI does nothing. If you want BIMI, get DMARC enforcement first — the composite posture rating tells you whether you're ready.
Can I check email authentication for any domain, including ones I don't own? Yes. SPF, DKIM, and DMARC records are all in public DNS. Any tool — including this one — can look them up for any domain. The records are designed to be queried by every receiving mail server in the world, so there's no expectation of privacy. This makes the tool useful for vendor evaluation, M&A diligence, and competitor research as well as your own domains.