Domain Check Tool

Check your domain for DMARC, SPF, MX, DKIM, BIMI, TLS-RPT, MTA-STS, and other email security records.

How It Works

Domain Scan

The tool queries public DNS servers then parses the relevant email authentication records. The results are then fed into a policy engine that highlights broken syntax, weak policy, and missing protections.

Public DNS lookup: The checker reads the public DNS records that mailbox providers can see for the domain.
Authentication analysis: DMARC, SPF, DKIM, BIMI, TLS-RPT, and MTA-STS records are evaluated for syntax, coverage, and policy quality.
Actionable issues: The results highlight missing protections, risky settings, and misconfigurations that affect deliverability and spoofing resistance.

Domain Check Results

Issue Detection

What issues does it scan for?

The checker looks for the failures that usually block DMARC enforcement, reduce deliverability, or leave gaps in your sender authentication setup.

spf checks

Title	Description	Documentation
SPF DNS Lookup Failure	The SPF record could not be retrieved because the DNS lookup failed.	RFC 7208 - SPF Record Lookup
Missing SPF Record	No SPF record found for the domain.	RFC 7208 - Sender Policy Framework: SPF Records
Invalid Version Tag	The record does not start with 'v=spf1'.	RFC 7208 - SPF Records
Leading Whitespace Before SPF Version	The SPF record starts with extra whitespace before 'v=spf1'.	RFC 7208 - SPF Records
Incorrect SPF Version Casing	The SPF record uses the wrong casing for 'v=spf1'.	RFC 7208 - SPF Records
Multiple SPF Records	Multiple SPF records were found for the domain.	RFC 7208 - Multiple DNS Records
DNS Lookup Limit	The SPF record requires more than 10 DNS lookups to resolve.	RFC 7208 - DNS Lookup Limits
Void DNS Lookup Limit	The SPF record triggered more than 2 void DNS lookups (lookups returning empty answers/NXDOMAIN).	RFC 7208 - DNS Lookup Limits
MX DNS Lookup Limit	The SPF record uses an 'mx' mechanism that contains more than 10 entries.	RFC 7208 - MX Mechanism
Top-level missing 'all' or 'redirect'	The top-level SPF record does not contain an 'all' mechanism nor a 'redirect' modifier.	RFC 7208 - Default Result
Nested SPF record missing 'all' or 'redirect'	One or more SPF records referenced through include or redirect do not contain an 'all' mechanism nor a 'redirect' modifier.	RFC 7208 - Default Result
Permissive 'all' Mechanism	The record ends with '+all' (pass all).	RFC 7208 - The 'all' Mechanism
Usage of 'ptr' Mechanism	The 'ptr' mechanism is used in the SPF record.	RFC 7208 - 'ptr' (do not use)
Syntax Error in Mechanism	One or more mechanisms in the SPF record contain syntax errors.	RFC 7208 - Mechanism Definitions
Unknown Modifier	The record contains an unknown modifier (not 'redirect' or 'exp').	RFC 7208 - Modifier Definitions

dkim checks

Title	Description	Documentation
DKIM Public Key	No public key found in the DKIM record.	RFC 6376 - DKIM Key Representation
DKIM Key Length	RSA key is less than 1024 bits.	RFC 8301 - Cryptographic Algorithm Recommendations
DKIM Testing Mode	Testing mode flag (y) is set in the DKIM record.	RFC 6376 - Key Flags
DKIM Deprecated Hash Algorithm	The DKIM record only allows SHA-1 hash algorithm.	RFC 8301 - Cryptographic Algorithm Recommendations

dmarc checks

Title	Description	Documentation
DMARC DNS Lookup Failure	The DMARC record could not be retrieved because the DNS lookup failed.	RFC 7489 - DMARC Policy Record
Missing DMARC Record	No DMARC record found for the domain. Adding DMARC to your domain will increase deliverability, prevent brand impersonation, and fulfil google/yahoo sender requirements.	DMARC Defender - Quick Start Guide RFC 7489 - DMARC Policy Record
Multiple DMARC Records	Multiple DMARC records were found for the domain.	RFC 7489 - DMARC Policy Record
Invalid DMARC Version	The DMARC record does not start with 'v=DMARC1'.	RFC 7489 - DMARC Version
Leading Whitespace Before DMARC Version	The DMARC record starts with extra whitespace before 'v=DMARC1'.	RFC 7489 - DMARC Version
Incorrect DMARC Version Casing	The DMARC record uses the wrong casing for 'v=DMARC1'.	RFC 7489 - DMARC Version
Missing DMARC Policy	No policy (p) tag found in the DMARC record. Without a policy, DMARC is not enforcing any actions on unauthenticated emails.	RFC 7489 - DMARC Policy
Invalid DMARC Policy Ordering	DMARC policy (p) tag is not the first tag after the version.	RFC 7489 - DMARC Policy
Unknown or non-standard DMARC Tag	The DMARC record contains an unknown or non-standard tag.	RFC 7489 - DMARC Policy
Weak DMARC Policy	DMARC policy is set to 'none', which only monitors without enforcing. Attackers can spoof your email address.	RFC 7489 - Policy Actions
Partial DMARC Enforcement	DMARC policy applies to less than 100% of emails.	RFC 7489 - Percentage Tag
No Aggregate Reports Configured	No aggregate report URI (rua) is configured.	RFC 7489 - Aggregate Reports
Subdomain Policy on Subdomain	The 'sp' tag is set on a subdomain DMARC record where it has no effect.	RFC 7489 - Subdomain Policy
Weak Subdomain Policy	Subdomain policy is weaker than the main domain policy, leaving subdomains less protected.	RFC 7489 - Subdomain Policy
External Destination Check	If sending DMARC reports to a separate domain, that domain must specify through DNS it is willing to receive reports.	RFC 7489 - Verifying External Dependencies

bimi checks

Title	Description	Documentation
BIMI Record Existence	No BIMI record found for the domain.	IETF BIMI Draft - Publish Assertion Records
Invalid BIMI Version	The BIMI record does not start with 'v=BIMI1'.	IETF BIMI Draft - Assertion Record Definition
Unknown or non-standard BIMI Tag	The BIMI record contains an unknown or non-standard tag.	IETF BIMI Draft - Assertion Record Definition
Missing BIMI Logo URI	BIMI record exists but is missing the required logo URI ('l=') tag.	IETF BIMI Draft - Indicator Discovery
Missing BIMI Authority URI	BIMI record exists but is missing the authority URI ('a=') tag for certificate evidence.	IETF BIMI Draft - Assertion Record Definition (a= Authority Evidence Location)
BIMI Logo URI Does Not Resolve	The BIMI logo URI does not resolve.	IETF BIMI Draft - Indicator Discovery Without Evidence
BIMI Authority URI Does Not Resolve	The BIMI authority URI does not resolve	IETF BIMI Draft - Assertion Record Definition (a= Authority Evidence Location)

tlsrpt checks

Title	Description	Documentation
TLS-RPT Record Existence	No TLS-RPT record found for the domain.	RFC 8460 - SMTP TLS Reporting
Invalid TLS-RPT Version	The TLS-RPT record does not start with 'v=TLSRPTv1'.	RFC 8460 - DNS Record Syntax
Missing TLS-RPT rua	TLS-RPT record exists but is missing a valid report URI list ('rua=').	RFC 8460 - rua Tag
Unknown TLS-RPT Tag	The TLS-RPT record contains unknown or non-standard tags.	RFC 8460 - DNS Record Syntax

mta-sts checks

Title	Description	Documentation
MTA-STS DNS Lookup Failure	The MTA-STS record could not be retrieved because the DNS lookup failed.	RFC 8461 - The MTA-STS DNS TXT Record
Multiple MTA-STS Records	Multiple MTA-STS records were found for the domain.	RFC 8461 - The MTA-STS DNS TXT Record
Invalid MTA-STS Version	The MTA-STS record is missing the required 'v=STSv1' version tag or uses an invalid value.	RFC 8461 - The MTA-STS DNS TXT Record
Missing MTA-STS id	The MTA-STS DNS record exists but is missing the required 'id=' tag.	RFC 8461 - The MTA-STS DNS TXT Record
Unknown MTA-STS Tag	The MTA-STS record contains unknown or non-standard tags.	RFC 8461 - The MTA-STS DNS TXT Record
Missing MTA-STS Policy	The MTA-STS DNS record exists, but the HTTPS policy file could not be retrieved.	RFC 8461 - Policy Retrieval

Ready for more?

Real-time DMARC monitoring, aggregate reports, and automated policy recommendations.

Start 14 Day Free Trial Pricing

Benefits

Continuous deliverability monitoring
Fulfil Google/Yahoo sender requirements
Prevent Brand Impersonation
Improve Deliverability