Domain Check Tool

Get instant analysis for your DMARC, SPF, MX, DKIM, BIMI, TLS-RPT, MTA-STS, and other email security records on any domain.


How It Works

Domain Scan

The tool queries public DNS servers and parses the relevant email authentication records. The parsed records are then fed into a policy engine that highlights broken syntax, weak policy, and missing protections.

Public DNS lookup
The checker reads the public DNS records that mailbox providers can see for the domain.
Authentication analysis
DMARC, SPF, DKIM, BIMI, TLS-RPT, and MTA-STS records are evaluated for syntax, coverage, and policy quality.
Actionable issues
The results highlight missing protections, risky settings, and misconfigurations that affect deliverability and spoofing resistance.

Issue Detection

What issues does it catch?

The checker looks for the failures that usually block DMARC enforcement, reduce deliverability, or leave gaps in your sender authentication setup.

HIGH
21 high severity issues
Example checks

No SPF record found for the domain.

The record does not start with 'v=spf1'.

Multiple SPF records were found for the domain.

MEDIUM
13 medium severity issues
Example checks

The record ends with '+all' (pass all).

The 'ptr' mechanism is used in the SPF record.

The record contains an unknown modifier (not 'redirect' or 'exp').

LOW
4 low severity issues
Example checks

No public key found in the DKIM record.

No BIMI record found for the domain.

BIMI record exists but is missing the required logo URI ('l=') tag.

Full list of checks

These are the rule sets currently used by the checker for DMARC, SPF, and DKIM analysis.

spf

| Title | Description | Documentation |
| --- | --- | --- |
| SPF Record Existence | No SPF record found for the domain. | RFC 7208 - Sender Policy Framework: SPF Records |
| Invalid Version Tag | The record does not start with 'v=spf1'. | RFC 7208 - SPF Records |
| Multiple SPF Records | Multiple SPF records were found for the domain. | RFC 7208 - Multiple DNS Records |
| DNS Lookup Limit | The SPF record requires more than 10 DNS lookups to resolve. | RFC 7208 - DNS Lookup Limits |
| Void DNS Lookup Limit | The SPF record triggered more than 2 void DNS lookups (lookups returning empty answers/NXDOMAIN). | RFC 7208 - DNS Lookup Limits |
| MX DNS Lookup Limit | The SPF record uses an 'mx' mechanism that contains more than 10 entries. | RFC 7208 - MX Mechanism |
| Top-level missing 'all' or 'redirect' | The top-level SPF record does not contain an 'all' mechanism nor a 'redirect' modifier. | RFC 7208 - Default Result |
| Nested SPF record missing 'all' or 'redirect' | One or more SPF records referenced through include or redirect do not contain an 'all' mechanism nor a 'redirect' modifier. | RFC 7208 - Default Result |
| Permissive 'all' Mechanism | The record ends with '+all' (pass all). | RFC 7208 - The 'all' Mechanism |
| Usage of 'ptr' Mechanism | The 'ptr' mechanism is used in the SPF record. | RFC 7208 - 'ptr' (do not use) |
| Syntax Error in Mechanism | One or more mechanisms in the SPF record contain syntax errors. | RFC 7208 - Mechanism Definitions |
| Unknown Modifier | The record contains an unknown modifier (not 'redirect' or 'exp'). | RFC 7208 - Modifier Definitions |
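
A minimal sketch of how the top-level SPF rules listed above can be evaluated, added here as an example and not the checker's own code: `lint_spf` (a hypothetical name) takes the TXT strings already fetched for a domain and returns the matching rule titles. It assumes any TXT string starting with `v=spf` is an attempted SPF record, performs no DNS resolution (so the lookup-limit and nested-record rules are out of scope), and runs on a constructed sample.

```python
import re

# RFC 7208 modifier syntax is name=value; only these two names are defined.
KNOWN_MODIFIERS = {"redirect", "exp"}
MODIFIER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9._-]*)=")

def lint_spf(txt_records):
    """Return rule titles (from the spf list above) triggered by a domain's TXT strings."""
    # Assumption: a TXT string starting with "v=spf" is an attempted SPF record.
    candidates = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf")]
    if not candidates:
        return ["SPF Record Existence"]
    findings = []
    def flag(title):
        if title not in findings:
            findings.append(title)
    if len(candidates) > 1:
        flag("Multiple SPF Records")
    for record in candidates:
        version, *terms = record.split()
        if version.lower() != "v=spf1":
            flag("Invalid Version Tag")
            continue
        terminated = False  # saw an 'all' mechanism or a 'redirect' modifier
        for term in terms:
            modifier = MODIFIER_RE.match(term)
            if modifier:
                name = modifier.group(1).lower()
                if name == "redirect":
                    terminated = True
                elif name not in KNOWN_MODIFIERS:
                    flag("Unknown Modifier")
                continue
            # Mechanism: optional qualifier (+ - ~ ?), name, optional :value or /cidr.
            qualifier = term[0] if term[0] in "+-~?" else "+"  # bare 'all' means '+all'
            name = re.split(r"[:/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
            if name == "ptr":
                flag("Usage of 'ptr' Mechanism")
            elif name == "all":
                terminated = True
                if qualifier == "+":
                    flag("Permissive 'all' Mechanism")
        if not terminated:
            flag("Top-level missing 'all' or 'redirect'")
    return findings

# Constructed sample: TXT answers for a hypothetical domain.
SAMPLE_TXT = ["site-verification=constructed", "v=spf1 ptr include:_spf.example.net +all"]
print(lint_spf(SAMPLE_TXT))
```
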

dkim

| Title | Description | Documentation |
| --- | --- | --- |
| DKIM Public Key | No public key found in the DKIM record. | RFC 6376 - DKIM Key Representation |
| DKIM Key Length | RSA key is less than 1024 bits. | RFC 8301 - Cryptographic Algorithm Recommendations |
| DKIM Testing Mode | Testing mode flag (y) is set in the DKIM record. | RFC 6376 - Key Flags |
| DKIM Deprecated Hash Algorithm | The DKIM record only allows SHA-1 hash algorithm. | RFC 8301 - Cryptographic Algorithm Recommendations |

dmarc

| Title | Description | Documentation |
| --- | --- | --- |
| DMARC Record Existence | No DMARC record found for the domain. | DMARC Defender - Quick Start Guide; RFC 7489 - DMARC Policy Record |
| Invalid DMARC Version | The DMARC record does not start with 'v=DMARC1'. | RFC 7489 - DMARC Version |
| Missing DMARC Policy | No policy (p) tag found in the DMARC record. Without a policy, DMARC is not enforcing any actions on unauthenticated emails. | RFC 7489 - DMARC Policy |
| Invalid DMARC Policy Ordering | DMARC policy (p) tag is not the first tag after the version. | RFC 7489 - DMARC Policy |
| Unknown or non-standard DMARC Tag | The DMARC record contains an unknown or non-standard tag. | RFC 7489 - DMARC Policy |
| Weak DMARC Policy | DMARC policy is set to 'none', which only monitors without enforcing. | RFC 7489 - Policy Actions |
| Partial DMARC Enforcement | DMARC policy applies to less than 100% of emails. | RFC 7489 - Percentage Tag |
| No Aggregate Reports Configured | No aggregate report URI (rua) is configured. | RFC 7489 - Aggregate Reports |
| Subdomain Policy on Subdomain | The 'sp' tag is set on a subdomain DMARC record where it has no effect. | RFC 7489 - Subdomain Policy |
| Weak Subdomain Policy | Subdomain policy is weaker than the main domain policy, leaving subdomains less protected. | RFC 7489 - Subdomain Policy |
| External Destination Check | If sending DMARC reports to a separate domain, that domain must specify through DNS it is willing to receive reports. | RFC 7489 - Verifying External Dependencies |

bimi

| Title | Description | Documentation |
| --- | --- | --- |
| BIMI Record Existence | No BIMI record found for the domain. | IETF BIMI Draft - Publish Assertion Records |
| Invalid BIMI Version | The BIMI record does not start with 'v=BIMI1'. | IETF BIMI Draft - Assertion Record Definition |
| Unknown or non-standard BIMI Tag | The BIMI record contains an unknown or non-standard tag. | IETF BIMI Draft - Assertion Record Definition |
| Missing BIMI Logo URI | BIMI record exists but is missing the required logo URI ('l=') tag. | IETF BIMI Draft - Indicator Discovery |
| Missing BIMI Authority URI | BIMI record exists but is missing the authority URI ('a=') tag for certificate evidence. | IETF BIMI Draft - Assertion Record Definition (a= Authority Evidence Location) |
| BIMI Logo URI Does Not Resolve | The BIMI logo URI does not resolve. | IETF BIMI Draft - Indicator Discovery Without Evidence |
| BIMI Authority URI Does Not Resolve | The BIMI authority URI does not resolve. | IETF BIMI Draft - Assertion Record Definition (a= Authority Evidence Location) |

tlsrpt

| Title | Description | Documentation |
| --- | --- | --- |
| TLS-RPT Record Existence | No TLS-RPT record found for the domain. | RFC 8460 - SMTP TLS Reporting |
| Invalid TLS-RPT Version | The TLS-RPT record does not start with 'v=TLSRPTv1'. | RFC 8460 - DNS Record Syntax |
| Missing TLS-RPT rua | TLS-RPT record exists but is missing a valid report URI list ('rua='). | RFC 8460 - rua Tag |
| Unknown TLS-RPT Tag | The TLS-RPT record contains unknown or non-standard tags. | RFC 8460 - DNS Record Syntax |

Coverage

What is it scanning?

The checker focuses on the public DNS records that control email authentication, brand trust, and transport protection.

FAQ

Common questions about the domain checker

The tool is intentionally simple: public DNS in, actionable analysis out.
