What is SPF and how does it work?

Sender Policy Framework (SPF) is DNS TXT record listing authorized mail servers for your domain. Example: v=spf1 ip4:192.0.2.0 include:_spf.google.com ~all. Recipient checks: sending server IP matches SPF record? Pass = authenticated, fail = potential spoof. Mechanisms: ip4, ip6, include, a, mx. Qualifiers: + (pass), - (fail), ~ (softfail), ? (neutral). Limit: 10 DNS lookups maximum.

What is DKIM and why is it important?

DomainKeys Identified Mail (DKIM) adds cryptographic signature to email headers. Private key signs email, public key in DNS validates signature. Proves: email from authorized server, content unmodified in transit. Example DNS record: selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS...". Survives forwarding. Required with SPF/DMARC. Multiple selectors supported (rotate keys). Signature header: DKIM-Signature: v=1; a=rsa-sha256...

What is DMARC and how to configure it?

Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on SPF/DKIM. Defines policy for authentication failures: none (monitor), quarantine (spam folder), reject (block). Example DNS record: _dmarc.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:reports@example.com". Provides aggregate reports (rua) and forensic reports (ruf). Start with p=none, monitor reports, gradually enforce to p=reject.

Why do emails fail authentication?

Common failures: SPF - sending from unauthorized server, too many DNS lookups, missing include. DKIM - invalid signature, key rotation without DNS update, email modified in transit. DMARC - SPF/DKIM alignment failure, no policy defined. Forwarding breaks SPF (but DKIM survives). Check: DNS records correct, selectors match, domains aligned (envelope vs header). Use email authentication validators to diagnose issues.

How to prevent email spoofing?

Implement all three: SPF (authorize servers), DKIM (sign emails), DMARC (enforce policy). Set DMARC policy p=reject for maximum protection. Enable DMARC reports to monitor. Add BIMI (Brand Indicators for Message Identification) for logo display. Monitor: spoofed domains using your brand, authentication failures. Train employees: verify sender, check for phishing. Use email security gateway. Report spoofing to authorities (FBI IC3).

What is DMARC alignment?

DMARC requires identifier alignment - domain in From: header matches authenticated domain. SPF alignment: From header domain aligns with Return-Path domain (relaxed or strict mode). DKIM alignment: From header domain aligns with d= domain in DKIM signature. Example: email from @example.com must pass SPF/DKIM with @example.com domain. Alignment prevents display name spoofing. Check alignment in DMARC reports.

How to improve email deliverability?

Authentication is foundation. Configure: SPF (authorize servers), DKIM (sign with 2048-bit key), DMARC (p=quarantine/reject). Best practices: warm up new IPs, maintain clean email list, low bounce/complaint rates, authenticate subdomains, enable BIMI, monitor blacklists, use dedicated IP for bulk sending, avoid spam trigger words, provide unsubscribe, follow CAN-SPAM/GDPR. Monitor inbox placement with seed lists.

Home/Tools/Security/Email Authentication Validator

Email Authentication Validator

Validate SPF, DKIM, and DMARC email authentication records to prevent spoofing and improve deliverability

Loading Email Authentication Validator...

Domain Name

Enter the domain to check email authentication

Mode

DKIM Selector

Try: default, google, selector1, selector2, k1, s1

Loading interactive tool...

JavaScript Required

This interactive tool requires JavaScript to function. Please enable JavaScript in your browser to use the full features.

The tool description and documentation above provide information about this tool's capabilities. For the best experience, please enable JavaScript and refresh the page.

Emails Landing in Spam?

Misconfigured SPF/DKIM/DMARC causes deliverability issues. We configure and monitor email authentication.

Learn About Email Security Explore Compliance Services

What Is Email Authentication Validation

Email authentication validation checks whether a domain has properly configured the three core email security protocols: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance). Together, these DNS-based protocols prevent email spoofing, phishing, and unauthorized use of your domain in email headers.

Email remains the primary attack vector for phishing and business email compromise (BEC). Without authentication protocols, anyone can send email that appears to come from your domain. SPF, DKIM, and DMARC work together to verify sender identity and instruct receiving mail servers on how to handle unauthenticated messages—making them foundational to email security.

How Email Authentication Protocols Work

SPF (Sender Policy Framework) publishes a DNS TXT record listing IP addresses and servers authorized to send email on behalf of your domain. When a receiving server gets an email, it checks the sending server's IP against the SPF record. If the IP isn't listed, the message fails SPF.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails using a private key. The corresponding public key is published as a DNS TXT record. Receiving servers use the public key to verify the signature, confirming the message was not altered in transit and originated from an authorized sender.

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together with a policy that tells receivers what to do when authentication fails: none (monitor), quarantine (spam folder), or reject (block entirely). DMARC also enables aggregate and forensic reporting, giving domain owners visibility into authentication results.

Protocol	DNS Record	Purpose	Authentication Method
SPF	TXT on domain	Authorize sending IPs	IP address matching
DKIM	TXT on selector._domainkey	Sign message content	Cryptographic signature
DMARC	TXT on _dmarc.domain	Set policy + reporting	Alignment of SPF/DKIM

Common Use Cases

Domain security auditing: Verify that SPF, DKIM, and DMARC are correctly configured and aligned
Email deliverability troubleshooting: Diagnose why legitimate emails land in spam folders
Vendor risk assessment: Check third-party domains for proper email authentication before trust decisions
Compliance requirements: Many frameworks (NIST, FedRAMP, CMMC) require DMARC enforcement
Brand protection: Prevent attackers from spoofing your domain in phishing campaigns targeting customers or employees

Best Practices

Deploy DMARC progressively — Start with p=none to monitor, move to p=quarantine, then p=reject once you've identified all legitimate sending sources
Include all third-party senders in SPF — Marketing platforms, CRMs, and ticketing systems all need to be in your SPF record
Keep SPF under 10 DNS lookups — The SPF specification limits DNS lookups to 10; exceeding this causes authentication failures
Rotate DKIM keys annually — Use 2048-bit keys and rotate them periodically to limit exposure from key compromise
Monitor DMARC reports — Aggregate reports reveal unauthorized senders and configuration issues; review them weekly

References & Citations

Internet Engineering Task Force (IETF). (2014). Sender Policy Framework (SPF) - RFC 7208. Retrieved from https://datatracker.ietf.org/doc/html/rfc7208 (accessed January 2025)
IETF. (2011). DomainKeys Identified Mail (DKIM) - RFC 6376. Retrieved from https://datatracker.ietf.org/doc/html/rfc6376 (accessed January 2025)
IETF. (2015). Domain-based Message Authentication, Reporting, and Conformance (DMARC) - RFC 7489. Retrieved from https://datatracker.ietf.org/doc/html/rfc7489 (accessed January 2025)

Note: These citations are provided for informational and educational purposes. Always verify information with the original sources and consult with qualified professionals for specific advice related to your situation.

Key Security Terms

Understand the essential concepts behind this tool

SPF (Sender Policy Framework)

Email authentication method that specifies which mail servers are authorized to send email on behalf of your domain.

Learn more →

DKIM (DomainKeys Identified Mail)

Email authentication method that uses cryptographic signatures to verify that email content has not been tampered with in transit.

Learn more →

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Email validation system that builds on SPF and DKIM to prevent email spoofing and provide reporting on email authentication failures.

Learn more →

Phishing

A social engineering attack that uses fraudulent communications to trick recipients into revealing sensitive information or installing malware.

Learn more →

View all terms in our glossary →

Frequently Asked Questions

Common questions about the Email Authentication Validator

Email authentication verifies sender identity using SPF, DKIM, and DMARC protocols. SPF lists authorized mail servers, DKIM adds cryptographic signatures, DMARC defines policy for failures. Prevents spoofing, phishing, domain impersonation. Improves deliverability - unauthenticated emails often marked spam. Required by Google/Yahoo (2024) for bulk senders. Authenticate your domain to protect brand reputation and ensure inbox delivery.

ℹ️ Disclaimer

This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.