SPF / DMARC / DKIM Checker
The Email Authentication Checker reviews the DNS records that affect whether mail is trusted by receiving systems. SPF and DMARC use domain records, while DKIM requires a selector.
What It Checks
- SPF TXT records at the domain.
- DMARC policy at _dmarc.yourdomain.
- DKIM selector records when you provide a selector.
- Missing or malformed records that can hurt deliverability.
When It Helps
Use it when mail lands in spam, a provider asks you to verify authentication, a domain is being migrated, or bounce logs mention SPF, DKIM, or DMARC failure.
Notes
- A domain can pass SPF but fail DMARC alignment.
- DKIM cannot be checked without the correct selector.
- Strict policies should be tested carefully before enforcement.
How To Read Results
- For SPF, look for one clear TXT record that starts with v=spf1. Multiple SPF records can cause authentication failures.
- For DMARC, p=none is monitoring, p=quarantine asks receivers to treat failures suspiciously, and p=reject is the strictest policy.
- For DKIM, a found selector proves the public key exists, but it does not prove a specific message was signed correctly.
- If SPF passes but DMARC fails, check whether the authenticated domain aligns with the visible From domain.
- If DMARC reports are enabled, rua points to aggregate report destinations.
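The reading rules above, applied to TXT strings that have already been fetched from DNS. This is an added example, not the checker's own code. The function names and sample records are constructed, and the `selector._domainkey.domain` hostname follows the standard DKIM naming convention.

```python
# Added illustration, not the checker's own code. It reads TXT strings that were
# already fetched from DNS; all names and sample records here are constructed.

def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC and DKIM style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def read_spf(domain_txt):
    """domain_txt: every TXT string published at the domain itself."""
    spf = [r for r in domain_txt if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) > 1:
        return "multiple"  # more than one SPF record can cause failures
    return "ok" if spf else "missing"

def read_dmarc(dmarc_txt):
    """dmarc_txt: TXT strings published at _dmarc.<domain>."""
    found = [r for r in dmarc_txt if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(found) != 1:
        return {"status": "multiple" if found else "missing"}
    tags = parse_tags(found[0])
    meaning = {"none": "monitoring", "quarantine": "treat failures suspiciously",
               "reject": "strictest policy"}
    policy = tags.get("p", "").lower()
    return {"status": "ok" if policy in meaning else "malformed",
            "policy": policy, "meaning": meaning.get(policy),
            "rua": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]}

def dkim_name(selector, domain):
    """Hostname where the key for one selector is published."""
    return f"{selector}._domainkey.{domain}"

def read_dkim(selector_txt):
    """'found' means a public key exists in DNS, not that any message was signed."""
    # An empty p= tag marks a revoked key, so it does not count as found.
    return "found" if any(parse_tags(r).get("p") for r in selector_txt) else "not found"

# Constructed sample records.
SAMPLE_TXT = ["v=spf1 include:_spf.example.net ~all", "site-verification=abc123"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"]
SAMPLE_DKIM = ["v=DKIM1; k=rsa; p=CONSTRUCTEDKEYDATA"]

if __name__ == "__main__":
    print("SPF:", read_spf(SAMPLE_TXT))
    print("DMARC:", read_dmarc(SAMPLE_DMARC))
    print(dkim_name("s1", "example.com"), "->", read_dkim(SAMPLE_DKIM))
```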
How To Use SPF / DMARC / DKIM Checker
- Enter the domain that appears in the visible From address.
- Add a DKIM selector when you know which selector the sending platform uses.
- Check SPF first, then DMARC policy and alignment notes, then DKIM selector presence.
- Use MX Lookup and Blacklist Check if authentication looks clean but delivery still fails.
Example Result
SPF: v=spf1 include:_spf.example.net ~all
DMARC: p=none, rua present
DKIM: selector found
- One SPF record is expected. Multiple SPF records can break authentication.
- DMARC p=none is monitoring, not enforcement.
- A DKIM selector only proves the DNS key exists, not that a message was signed.
What Good And Bad Results Look Like
Good:
- One SPF record starts with v=spf1.
- DMARC exists at _dmarc and matches the intended policy.
- DKIM selector records exist for active senders.
Bad:
- Multiple SPF records.
- Missing DMARC on a sending domain.
- DKIM selector not found after a provider says it is active.
Common Mistakes
- Publishing more than one SPF record for the same domain.
- Checking DKIM without the selector used by the sending platform.
- Assuming SPF pass alone means DMARC will pass.
Practical Troubleshooting Workflow
- Check the visible From domain first.
- Review SPF for duplicate or missing includes.
- Check DMARC policy and reporting destinations.
- Add DKIM selector checks for each sending platform.
FAQ
Does this checker fix SPF, DMARC, or DKIM records?
No. It reads the DNS records and points out what is present or missing. You still make the actual DNS changes at your DNS host or email provider.
Why does DKIM need a selector?
DKIM records are published under selector-specific hostnames. Without the selector, the checker cannot know which DKIM TXT record your sending system uses.
Can SPF pass while DMARC fails?
Yes. DMARC also cares about alignment with the visible From domain. A message can pass SPF but still fail DMARC if the authenticated domain does not align.