Query.Domains
Pricing

Email Domain Checker

Inspect MX, SPF, DMARC, and DKIM for any domain — get a deliverability grade and concrete fixes for what's misconfigured.

Examples:

Why email auth matters now

Since 2024, Gmail and Yahoo enforce mandatory authentication for any sender shipping more than 5,000 messages a day. Microsoft has tightened in parallel. The practical effect: if your domain doesn't pass SPF or DKIM and doesn't publish DMARC, your invoices, password resets, and marketing emails will get filed as spam — or rejected outright. This tool reads the four DNS configurations that mailbox providers actually check, and grades them honestly.

Each layer answers a specific question:

  • MX — "Where does mail to this domain go?" Without MX records, no one can email you.
  • SPF — "Which IPs are allowed to send from this domain?" An SPF record lists authorized servers and an "all" fallback (-all for hard reject, ~all for soft fail).
  • DKIM — "Is this message cryptographically signed by a key the domain published?" DKIM proves the message wasn't modified in transit and was signed by an authorized service.
  • DMARC — "If SPF and DKIM disagree about whether this message is legit, what should the receiver do?" DMARC ties SPF and DKIM together and publishes a policy: none (monitor only), quarantine (junk it), or reject (bounce it).

Reading the grade

We compute a 0–100 deliverability score with the following weights:

  • MX records present — 25 points. Without MX, nothing else matters; the grade caps at F.
  • SPF policy at ~all or -all25 points. +all or missing earns 0.
  • DMARC policy strength — up to 30 points. reject = 30, quarantine = 22, none = 8, missing = 0.
  • DKIM selectors detected — up to 20 points. We probe a curated list of common selectors (google, selector1, k1, etc.); finding any earns 10, more selectors earn slightly more.

The DKIM probe is best-effort: if your provider uses a non-standard selector (some custom Mailgun setups), we may show "not detected" even when DKIM is correctly configured. The fix: ask your mail provider for the selector name and verify the TXT record yourself.

The most common misconfigurations (and how to fix them)

  1. SPF includes are too long. Each include: in an SPF record adds DNS lookups; the protocol caps at 10. If you include Google + Mailgun + a CRM + a marketing tool, you can hit the limit and trigger permerror. Fix: flatten with spf-flatten tools, or consolidate senders. Many companies hit this when adding their fifth SaaS sender.
  2. DMARC is published but reports nowhere. A DMARC record without a rua= tag works, but you lose the operational visibility — you'll never see who's sending mail claiming to be your domain. Add an aggregate reporting address (your own, or a free service like Valimail or dmarcian).
  3. DMARC stuck at p=none forever. "Monitor mode" is the right starting point — it prevents you from breaking legitimate mail. But many companies leave it there indefinitely, which is roughly equivalent to having no DMARC at all from a deliverability perspective. After 4–6 weeks of clean reports, advance to p=quarantine, then p=reject.
  4. SPF says ~all but DMARC says p=reject. The two policies disagree. Aligned senders pass; unaligned senders are softfailed by SPF but hardrejected by DMARC. This is usually intentional and correct — DMARC is the higher authority and SPF is just one input — but worth understanding.
  5. BIMI without DMARC reject. BIMI lets you publish your logo for inbox display. It requires DMARC at quarantine or reject with pct=100. If your marketing team is asking why your BIMI isn't showing up, the answer is almost always "advance the DMARC policy first".

Provider-specific quirks

  • Google Workspace: SPF should include _spf.google.com. DKIM uses selector google by default; the key has to be enabled in the admin console after the DNS record is added.
  • Microsoft 365: SPF should include spf.protection.outlook.com. DKIM uses selector1 and selector2, both as CNAME records pointing to selectorN-yourtenant._domainkey.yourtenant.onmicrosoft.com.
  • Zoho: SPF should include zoho.com; DKIM selector is zoho.
  • Forwarders (ImprovMX, ForwardEmail): if you only forward (don't send), MX is required but SPF for sending may not be. Forwarding services typically rewrite the envelope sender (SRS) so SPF on incoming forwards passes via the forwarder's domain.
  • Transactional (SendGrid, Mailgun, Postmark, Amazon SES): these need both SPF includes (or an authenticated sending subdomain) and CNAME-based DKIM records the provider gives you. They typically run on a subdomain (mail.yourbrand.com) so the parent SPF stays clean.
  • Cloudflare Email Routing: a free forwarding service. Adds Cloudflare's MX records and a TXT record for SPF. No DKIM signing because forwarding doesn't need it.

What this tool does NOT check

  • BIMI. We don't currently look up default._bimi. If you need BIMI verification, use BIMI Group's tool.
  • MTA-STS / TLS-RPT. Encryption-policy records that go alongside DMARC. We may add these in a future iteration.
  • Spam blocklists. Whether your sending IPs are on Spamhaus or other blocklists is a separate question; MXToolbox covers that well.
  • Sending reputation. Google Postmaster Tools and Microsoft SNDS show you the actual delivery numbers from those providers — a much better signal than DNS alone.
  • Reverse DNS / PTR for sending IPs. Important for ESP-grade sending; outside the scope of a domain check.

How to graduate from F to A

  1. Add MX records (your provider gives you the values).
  2. Add SPF with the right include: for your provider, ending in ~all or -all.
  3. Add DKIM (CNAME or TXT records, provider-specific).
  4. Add DMARC with p=none and rua=mailto:reports@yourdomain.com. Watch reports for 2–4 weeks.
  5. Advance DMARC to p=quarantine with pct=25. Watch for 2 weeks. Increase pct to 50, 75, 100.
  6. Advance to p=reject. You're now at A.

Frequently Asked Questions

I have SPF, DKIM, and DMARC set up. Why is my mail still going to spam?

Authentication is the floor, not the ceiling. Beyond DNS, deliverability depends on your sender reputation (IP and domain), engagement signals (open and reply rates), content quality, and complaint rates. A perfectly authenticated message that 80% of recipients mark as spam will get filtered. Use Google Postmaster Tools and Microsoft SNDS to see your actual reputation numbers.

What's the difference between SPF's ~all and -all?

~all tells receivers "be suspicious of unauthorized senders, but probably still deliver" (softfail). -all says "reject unauthorized senders entirely" (hardfail). Most providers recommend ~all for the first month while you discover all your legitimate sending services, then graduate to -all. The downside of -all is that any legitimate sender you forgot to authorize gets bounced.

Why does my DMARC report show mail from random IPs claiming to be my domain?

That's exactly what DMARC is designed to surface. Some are forwarders (mailing lists, vacation auto-replies forwarding to a different mailbox); some are spoofers. Aggregate reports group by IP and show the volume — high-volume unfamiliar IPs are usually spoofers, low-volume ones are usually forwarders. Don't advance to p=reject until you've identified all forwarders and decided how to handle them.

Can I use this tool on a domain I don't own?

Yes — all the data we read is public DNS, the same data any mail server checks before delivering a message. There's no privacy issue. Common use cases: vetting a vendor before signing up, debugging why a partner's mail bounces, due diligence on an acquisition target.

Why is DKIM "not detected" when I know my provider has it set up?

We probe a curated list of common selectors (google, selector1, k1, s1, default, etc.). If your provider uses a custom selector — common with Mailgun, custom SES setups, or rotating selectors — we won't find it without knowing the name. The fix on our end is letting you specify a selector to check. The fix on your end is grabbing the selector from your mail provider and verifying with dig.

What does the percentage in DMARC mean?

pct=N tells receivers to apply the policy to N% of messages and treat the remaining (100-N)% as if the policy were one notch lower. It's a ramp control. If p=quarantine; pct=25, then 25% of failing messages get junked and 75% are treated as p=none (monitor only). Use it to slowly increase enforcement without breaking legitimate mail in one day.

I'm a small business, do I really need this?

For receiving — you need MX records or you can't receive at all. For sending — if you only ever send from Gmail/Outlook with a Google Workspace / Microsoft 365 account that signs everything correctly, much of this is set up for you. The trouble starts when you add a second sender (newsletter tool, e-commerce platform, support helpdesk) without updating SPF. From that day forward, half your mail will fail authentication. This tool catches it early.

How does this differ from MXToolbox or DMARCian?

MXToolbox is a deeper diagnostic suite with paid features for blocklist monitoring and ongoing alerts. DMARCian specializes in DMARC report parsing — its real value is in the dashboards once you have DMARC reports flowing. This tool is a fast read-only check: paste a domain, get a grade, see what to fix. Use it for triage; use the others for ongoing operations.

Why does the grade include MX as 25 points if it just means email exists?

Because without MX, the rest is meaningless. A domain with SPF and DMARC but no MX is a sending-only domain (which is fine for transactional setups), but anyone replying to that mail bounces — which is a deliverability problem in itself. We weight MX presence heavily to make this visible at the top of the grade.

Related domain tools

Domain to IP Lookup
View all DNS records (A, AAAA, CNAME, NS, CAA).
Subdomain Finder
Discover subdomains via certificate transparency.
Domain Age Checker
WHOIS history including registrar.
Domain Expiry Checker
Make sure the domain isn't about to expire on you.
Bulk Domain Search
Bulk-check related domain candidates.
Domain Value Checker
Estimate fundamentals of a sending domain.