Why does SPF have a 10-lookup limit?

SPF resolution happens **at message receive time**, every time. To prevent abuse (a malicious SPF could chain hundreds of includes and DDoS DNS), **RFC 7208 caps the total at 10 DNS lookups per check**. Beyond that, receivers return `PermError` and treat your mail as if SPF didn't exist. The tool counts your full chain (top-level + every nested include) and flags red if you exceed 10. **Fix**: flatten the SPF (replace `include:` with the resolved `ip4:` ranges), or use a service that does it for you (EasyDMARC, dmarcian).

**DKIM (DomainKeys Identified Mail)** signs every outgoing message with a private key on your sending server. The matching **public key sits in DNS** at `selector._domainkey.yourdomain.com`. The receiver pulls the public key, verifies the signature, and confirms the message wasn't modified in transit. Without DKIM, anyone can rewrite the body or attachments and your domain reputation takes the hit. **Pass requires**: key present, base64 valid, not in testing mode (`t=y` flag), ideally **2048+ bits**.

What's a DKIM selector and where do I find it?

The **selector** is a label your provider assigns to a specific key pair. It sits between your subdomain and `._domainkey.`. Common defaults: Google = `google`, Microsoft 365 = `selector1` / `selector2`, Mailchimp = `k1`, SendGrid = `s1` / `s2`, Mandrill = `mandrill`. **How to find yours**: send a test email to yourself, view the source, look for the `DKIM-Signature` header and the `s=` tag - that's the selector. Or check your sending platform's "DKIM setup" page.

**DMARC (Domain-based Message Authentication, Reporting & Conformance)** is the policy layer above SPF and DKIM. It tells receivers **what to do when both fail**: `p=none` (deliver but report), `p=quarantine` (send to spam), `p=reject` (refuse the message). Without DMARC, receivers each pick their own behavior - your delivery becomes a lottery. **Start with `p=none` + `rua=mailto:...`**, watch the reports for a few weeks, then move to `quarantine` once you confirm legit mail aligns.

What does `-all` vs `~all` mean in SPF?

**The final mechanism in your SPF record sets the policy when no other rule matches**. `-all` = **HardFail** (reject), `~all` = SoftFail (mark as spam but deliver), `?all` = Neutral (no opinion), `+all` = Pass everything (catastrophic, anyone can spoof you). **Best practice = `-all`**. `~all` is the training wheels - use it the first month while you watch DMARC reports, then switch to `-all`.

My DKIM card is yellow because of "legacy key" - what does it mean?

**Your key is 1024 bits**. 1024-bit RSA was the standard 15 years ago, today it's considered weak. **2048 bits is the modern minimum**, 4096 is overkill. Rotate it: most providers (Google, Microsoft, AWS SES) have a "regenerate DKIM" button in the admin panel. Important: **the new key gets a new selector** (e.g. `selector2` next to `selector1`), keep both DNS records live for 48-72 h to drain in-flight mail.

My DMARC says `p=none` - is that bad?

**Not necessarily, but it's incomplete**. `p=none` means "if SPF and DKIM fail, still deliver". You're collecting reports (`rua=`) but not protecting recipients from spoofing. **It's the right starting point** for a domain that already sends mail, but you should move to `quarantine` or `reject` within a few weeks. **A domain that doesn't send any mail should publish `p=reject` immediately** - the tool flags `p=none` as yellow because most setups stay there forever.

Do I need `rua=` and `ruf=`?

**`rua=` yes, `ruf=` rarely**. `rua=mailto:dmarc@yourdomain.com` enables **aggregate reports** - daily XML summaries from Gmail, Outlook, Yahoo etc. with counts of pass/fail/source-IP. Without `rua=` you're flying blind. `ruf=` enables **forensic reports** (full message header on each failure) - Gmail and Outlook **don't support `ruf=` anymore** because of GDPR, so it almost never works. Set up `rua=` from day one.

Are these checks really private?

The domain you type goes to our server and we query Cloudflare's public DNS (1.1.1.1). **Nothing is logged, nothing is stored**. The records you see are public TXT data - anyone in the world can pull them with `dig` from the command line. **This isn't a privacy-sensitive lookup** like a password check, it's the same data your customers' email servers fetch on every message you send.

Email DNS Checker (SPF/DKIM/DMARC) - free

Why do my emails land in spam? Check SPF, DKIM, DMARC.

Type the domain you send email from (the part after @ in the From address) and the tool reads the three DNS records every modern mailbox checks: SPF (which servers may send for you), DKIM (the cryptographic signature on each message) and DMARC (what to do when SPF and DKIM disagree).

You get three traffic-light cards: green means it passes, yellow means it works but is fragile, red means receivers are very likely sending your mail to spam - or rejecting it. Each card opens to show the raw record, the parsed values and a plain-English list of warnings.

We query the records from our server through Cloudflare's public DNS (1.1.1.1). Nothing is written anywhere, the lookup is over in under two seconds.

How to use it

Type the domain you send from. The From address domain, not the full email. For "marketing@store.com" the domain is store.com. We strip the user part for you if you paste the whole address.
Hit "Check". The tool fetches SPF, DKIM (for the 8 most common selectors) and DMARC in parallel.
If a card is green, that piece is healthy. Yellow = it works but has a weak spot worth fixing (testing-mode key, `~all` instead of `-all`, no DMARC reports). Red = receivers may drop your mail.
Don't see your DKIM key? Turn on "Custom DKIM selectors" and type the selector your email provider uses (e.g. `dkim`, `mxvault`, `mandrill`). The selector is the prefix before `._domainkey.` in the DNS record.
Read the warnings in each card. They're ordered by impact - fix the top warning first, then re-check.

When this is useful

Five real-world moments where checking SPF/DKIM/DMARC saves you:

Newsletter going to spam. You set up Mailchimp / Brevo / Klaviyo, sent the first campaign, half the recipients didn't get it. First diagnosis = check SPF + DKIM, the sending platform usually requires both to be aligned.
Migration to a new email provider. Switching from Google Workspace to Microsoft 365, or adding a transactional sender (Postmark, SendGrid). Old SPF/DKIM stays alongside the new one until propagation finishes - easy to miss.
"My emails get rejected" complaint from a customer. Customer says "your mail never arrives". Could be: SPF over the 10-lookup limit, DKIM key revoked, DMARC `p=reject` with no `rua` to debug from.
Phishing protection audit. Your company sends invoices to clients. Without DMARC `p=reject`, anyone can spoof your domain. The tool tells you exactly which piece is missing.
Pre-launch on a new domain. Before sending the first transactional email from a fresh domain, verify all three pieces are set up. Reputation is built slowly, ruined in one campaign.

For a deep DNS audit beyond email, use the DNS lookup tool. To validate the password on your SMTP account hasn't leaked, see pwned password check.

Questions and answers

SPF (Sender Policy Framework) is a list of servers allowed to send email "From: yourdomain.com". When Gmail receives a message, it checks the sender's IP against your SPF list. No match = the message is treated as suspicious (spam folder or rejected). You publish SPF as a TXT record on your domain - one record, starts with `v=spf1`. The hardest part isn't writing it, it's the 10-lookup limit - every `include:` counts, and chained includes blow past 10 fast.

Why do my emails land in spam? Check SPF, DKIM, DMARC.

We query the records from our server through Cloudflare's public DNS (1.1.1.1). Nothing is written anywhere, the lookup is over in under two seconds.

How to use it

Type the domain you send from. The From address domain, not the full email. For "marketing@store.com" the domain is store.com. We strip the user part for you if you paste the whole address.

Hit "Check". The tool fetches SPF, DKIM (for the 8 most common selectors) and DMARC in parallel.

If a card is green, that piece is healthy. Yellow = it works but has a weak spot worth fixing (testing-mode key, `~all` instead of `-all`, no DMARC reports). Red = receivers may drop your mail.

Don't see your DKIM key? Turn on "Custom DKIM selectors" and type the selector your email provider uses (e.g. `dkim`, `mxvault`, `mandrill`). The selector is the prefix before `._domainkey.` in the DNS record.

Read the warnings in each card. They're ordered by impact - fix the top warning first, then re-check.

When this is useful

Five real-world moments where checking SPF/DKIM/DMARC saves you:

Newsletter going to spam. You set up Mailchimp / Brevo / Klaviyo, sent the first campaign, half the recipients didn't get it. First diagnosis = check SPF + DKIM, the sending platform usually requires both to be aligned.
Migration to a new email provider. Switching from Google Workspace to Microsoft 365, or adding a transactional sender (Postmark, SendGrid). Old SPF/DKIM stays alongside the new one until propagation finishes - easy to miss.
"My emails get rejected" complaint from a customer. Customer says "your mail never arrives". Could be: SPF over the 10-lookup limit, DKIM key revoked, DMARC `p=reject` with no `rua` to debug from.
Phishing protection audit. Your company sends invoices to clients. Without DMARC `p=reject`, anyone can spoof your domain. The tool tells you exactly which piece is missing.
Pre-launch on a new domain. Before sending the first transactional email from a fresh domain, verify all three pieces are set up. Reputation is built slowly, ruined in one campaign.

For a deep DNS audit beyond email, use the DNS lookup tool. To validate the password on your SMTP account hasn't leaked, see pwned password check.

Questions and answers

Email DNS Checker (SPF/DKIM/DMARC)

Why do my emails land in spam? Check SPF, DKIM, DMARC.

How to use it

When this is useful

Questions and answers

Related tools

Pwned Password Check

JWT decoder

Email DNS Checker (SPF/DKIM/DMARC)

Why do my emails land in spam? Check SPF, DKIM, DMARC.

How to use it

When this is useful

Questions and answers

Related tools

Pwned Password Check

JWT decoder