Free public DNS check

Check a domain’s DMARC, SPF and DKIM

Enter a domain to inspect public DNS records and common authentication signals. The result is a point-in-time technical check, not a deliverability test, security guarantee or compliance assessment.

Check public email-authentication records

Enter a domain only — no https://, path or email address.

This site is protected by reCAPTCHA. Google’s Privacy Policy and Terms of Service apply.

What the check covers

  • Published DMARC policy and the domain from which the effective policy was discovered.
  • SPF record presence and the observable DNS-lookup count.
  • Common DKIM selectors that can be discovered from public DNS.
  • MX records and DNS errors that affect confidence in the result.

DKIM discovery is necessarily incomplete because selectors are chosen by sending providers and are not globally enumerable. A missing selector result does not prove that a domain has no DKIM signing.

How to use the result

No DMARC record

Publish a monitoring record only after confirming the reporting destination and ownership of the domain.

Monitoring policy

Collect aggregate reports, identify legitimate sources and fix alignment gaps before requesting stronger handling.

Quarantine or reject

Continue monitoring because mail services and DNS configuration change over time.

SPF warning

Review the full include chain and authorised senders before editing the record.

A checker is a snapshot; monitoring shows behaviour

DNS records show intended configuration. DMARC aggregate reports show which systems are actually using the domain and whether SPF or DKIM aligns. Managed DMARC combines those reports with ongoing review and policy decisions.

Frequently asked questions

Is the checker free?

Yes. The public DNS check does not require an account.

Does a good result guarantee inbox delivery?

No. Authentication is one input. Delivery also depends on receiver policy, reputation, content and other factors outside this check.

Can the checker find every DKIM selector?

No. It tests supported, commonly used selectors. Selectors are not designed to be enumerated, so absence is not proof that DKIM is not in use.

Does the checker change DNS?

No. It reads public DNS and does not modify the domain.

Why might the result be inconclusive?

DNS timeouts, broken DNSSEC validation, delegation problems or provider-side errors can prevent a reliable answer. Retry later or ask the DNS operator to investigate.

Managing more than a point-in-time check?

Use aggregate reports and a repeatable review process to understand authentication across customer domains.