MailStrike logoMailStrike.ai

Free Tools

Email Authentication Checker

Audit your domain's SPF, DKIM, DMARC, MX, and BIMI records in one click. Surface lookup-limit violations, weak keys, missing policies, and more — instantly.

Authentication is half the battle

Passing SPF, DKIM, and DMARC isn't enough on its own.

Authentication tells receivers your mail is legitimate. Reputation tells them whether anyone wants to read it. Both matter — and most cold senders nail the first and ignore the second.

MailStrike warms your domain using a network of AI-driven personas that open, reply to, and positively engage with your emails. With authentication clean and real engagement flowing in, mail providers consistently route your messages to the inbox.

Book a Call See How It Works

What this tool checks

Modern inbox providers (Gmail, Outlook, Yahoo) require senders to authenticate their mail using a stack of DNS-based standards. Missing or misconfigured records cause silent delivery failure — your emails will land in spam, or fail outright, before a human ever sees them. This tool runs five lookups in parallel and flags anything that breaks RFC compliance or current receiver requirements.

SPF

Authorises which servers can send mail using your domain. Checks for syntax, the 10 DNS-lookup limit, terminal mechanism (~all/-all), and deprecated 'ptr' usage.

DKIM

Probes 17 common selectors used by Google, Microsoft, SendGrid, Mailgun, Postmark, Mailchimp, and others. Reports active keys, key length, and revoked selectors (empty p= tags).

DMARC

Reads _dmarc.<domain> and parses the policy (none/quarantine/reject), subdomain policy, coverage percentage, alignment modes, and reporting addresses (rua/ruf).

MX

Lists active mail exchangers in priority order and identifies your mail provider (Google, Microsoft 365, Mimecast, Proofpoint, Zoho, Fastmail, etc.).

BIMI

Checks for a brand-indicators record (logo display in Gmail/Yahoo). Verifies the logo URL and Verified Mark Certificate are both present.

The SPF 10-lookup limit

RFC 7208 caps the number of DNS lookups an SPF record can trigger at 10. Each include:, a, mx, exists, or redirect= mechanism counts as one lookup — and each included record can itself contain more lookups, which cascade into the total.

Exceeding the limit causes a PermError and SPF fails universally — Gmail treats your mail as if you had no SPF record at all. This is one of the most common deliverability problems for businesses using multiple email providers (e.g. Google Workspace + Mailchimp + a CRM + a transactional service). Our checker recursively resolves your includes to give you the real total, not just a count of the top-level mechanisms.

How to fix common findings

1

No SPF record

Use our SPF generator to produce a record covering all your email providers, then publish it as a TXT record at the root of your domain.

2

SPF exceeds 10 lookups

Remove unused providers from your SPF record, or use SPF flattening — replace include: chains with explicit ip4:/ip6: ranges. Be aware that flattened records require manual updates when providers change their IPs.

3

No DKIM keys found

Your provider may use a custom selector not in our probe list. Find your selector in your provider's DKIM setup docs, then publish their TXT record at <selector>._domainkey.<domain>.

4

DKIM key under 1024 bits

Gmail and Yahoo reject signatures from RSA keys shorter than 1024 bits. Rotate to a 2048-bit key in your provider's admin console, publish the new record, then revoke the old selector.

5

No DMARC record

Start with a monitoring-only record: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com — this gives you visibility without breaking anything. Move to p=quarantine and then p=reject as you confirm legitimate senders all pass.

6

DMARC policy is p=none

You are running monitoring mode only. Once aggregate reports show all legitimate sources passing SPF or DKIM, move to p=quarantine, then p=reject for full enforcement.

7

MX record missing

Without MX records, your domain cannot receive replies, bounces, or DMARC reports. Add MX records pointing to your mail provider before sending any campaigns.

Frequently asked questions

Why didn't the tool find my DKIM key?

DKIM selectors are not standardised — providers each pick their own (google, selector1, k1, mta, mandrill, etc.). We probe 17 of the most common selectors used by Google Workspace, Microsoft 365, SendGrid, Mailgun, Postmark, Mailchimp, and similar. If your provider uses a custom selector, you'll need to query it directly via dig or another DNS tool. A 'no DKIM found' result here does not necessarily mean you have no DKIM published.

What's the difference between SPF 'fail' and DMARC 'reject'?

SPF '-all' (hard-fail) tells receivers that any sender not in your SPF record should be rejected. DMARC 'p=reject' tells receivers what to do with mail that fails BOTH SPF and DKIM alignment. SPF '-all' alone is fragile — legitimate forwarded mail often breaks SPF. DMARC reject is safer because it requires both protocols to fail before rejecting.

Should I publish a BIMI record?

BIMI is optional but worthwhile if your brand cares about inbox presence. It displays your verified logo next to authenticated mail in Gmail, Yahoo, and Apple Mail. The catch: Gmail requires a Verified Mark Certificate (VMC) from a CA like DigiCert or Entrust, which costs $1,000–1,500/year. Without a VMC, your BIMI record is published but the logo won't display in Gmail.

How often should I audit my email authentication?

Run a check whenever you add or change an email provider (a new CRM, marketing platform, or transactional service almost always requires updating SPF). Otherwise, quarterly is reasonable. Also re-check immediately if your deliverability drops — broken authentication is one of the most common silent causes.

Why is my SPF record 'too many lookups' if I only have three includes?

Each include: pulls in another SPF record, which may itself include more records — and they all count toward your 10-lookup limit. A single include:_spf.google.com adds three lookups on its own. Use our recursive count to see the real total, then remove unused providers or flatten the largest includes.

Related free tools

SPF Record Generator

Generate a valid SPF TXT record for your domain.

DKIM Record Generator

Format your DKIM public key into a ready-to-publish DNS record.

DMARC Record Generator

Set your DMARC policy and get a copy-paste DNS record in seconds.

Blacklist Checker

Check if your domain or IP is on 21 major email blacklists.