DMARC, SPF and DKIM checker.
Enter your domain. We look up the email-authentication records that tell receiving mail servers whether a message claiming to be from you is real. Results in plain English, no signup, no follow-up email.
Five public records, plain-English read.
DMARC, SPF and DKIM work together. SPF lists who can send for your domain. DKIM cryptographically signs the messages. DMARC ties them together and tells receivers what to do when something fails.
DMARC
The TXT record at _dmarc.your-domain. Tells Gmail, Outlook, and everyone else what to do with mail that fails SPF and DKIM. Without it, a spoofed message from you@your-domain can land in your customer's inbox and the receiving server has no policy to follow.
SPF
A TXT record at the apex listing which servers are authorised to send mail for your domain. End it with -all for hard-fail. Anything else is a soft signal a determined attacker can ignore.
DKIM
Cryptographic signing of outbound mail. The public key sits at a per-selector subdomain (e.g. default._domainkey.your-domain). We probe the six most common selectors. If your provider uses a custom selector, this tool may show DKIM as missing even though it's working.
MTA-STS
Modern protection against TLS downgrade on inbound mail in transit. Optional but a measurable improvement. Most cloud mail providers have a one-page setup guide.
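The DMARC and SPF rules described above can be checked offline against the raw TXT values. The sketch below is an added example, not this tool's own code; the status names, the sample records and the example.com / example.net names are constructed for illustration, and no DNS lookup is performed.

```python
SPF_ALL = {"-": "hard-fail", "~": "soft-fail", "?": "neutral", "+": "pass-all"}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT value, or None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    pairs = (p.partition("=") for p in parts[1:])
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def grade_dmarc(txt_records):
    """Grade the TXT values found at _dmarc.<domain>."""
    recs = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(recs) != 1:  # RFC 7489: zero or several records, no policy is applied
        return "missing" if not recs else "multiple-records"
    policy = recs[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid-policy"  # simplified: treated here as unusable
    if policy == "none":
        return "monitor-only"  # failures are reported but still delivered
    pct = recs[0].get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return policy + "-partial"  # policy covers only a share of failing mail
    return policy

def grade_spf(txt_records):
    """Grade the apex TXT values by how the single SPF record terminates."""
    recs = [t.split() for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if len(recs) != 1:  # RFC 7208: more than one SPF record is a permanent error
        return "missing" if not recs else "multiple-records"
    terms = [t.lower() for t in recs[0][1:]]
    for term in terms:
        qualifier, name = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if name == "all":
            return SPF_ALL[qualifier]
    if any(t.startswith("redirect=") for t in terms):
        return "redirect"  # outcome is decided by the redirect target's record
    return "no-all"  # unmatched senders get a neutral result

if __name__ == "__main__":
    # Constructed sample records for a placeholder domain.
    print(grade_dmarc(["v=DMARC1; p=quarantine; pct=25; rua=mailto:d@example.com"]))
    print(grade_spf(["site-verification=constructed", "v=spf1 include:_spf.example.net ~all"]))
```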
Email auth is three of about thirty checks.
AttackEdge Monitoring runs DMARC, SPF, DKIM, MTA-STS, TLS, security headers, exposed admin panels, vulnerable software versions, and forgotten subdomains on a recurring schedule. Reports are plain-English for owners and technical for whoever fixes the issue.
DMARC, in plain English.
- DMARC tells receiving mail servers how to handle a message that claims to come from your domain but fails SPF and DKIM checks. Without DMARC, anyone on the public internet can send mail that looks like it comes from you, and receivers have no easy way to detect it.