DMARC / SPF / DKIM Analyzer
Check a domain’s email authentication posture. We query DNS over HTTPS (Cloudflare DoH) for SPF and DMARC records on the apex, and optionally DKIM by selector.
What it does
Email authentication (SPF + DKIM + DMARC) is what stops attackers from forging your domain in phishing emails. Misconfigure any one and you lose protection. Our analyzer queries your domain’s DNS records via Cloudflare DoH, parses each record, identifies the policy (none/quarantine/reject), and grades the overall posture from A to F. For DKIM you can supply a selector — common defaults are google, k1, selector1, default — to find your published key.
How to use it
- Enter a domain (no http://, just example.com).
- Optionally provide a DKIM selector (most providers use predictable selectors like "google", "k1", "selector1").
- Click "Check".
- Review the SPF policy — ~all is soft-fail (acceptable), -all is hard-fail (best).
- Review the DMARC policy — none = monitoring only, quarantine = soft enforcement, reject = full enforcement.
Common use cases
Pre-launch email setup
Before your domain sends mail, verify SPF includes your ESP (e.g. Mailchimp, SendGrid) and DMARC is published.
Phishing-defense audit
Confirm your DMARC policy is "reject"; anything less still allows email that spoofs your domain.
Vendor due-diligence
Vendors sending mail as your domain need their senders in your SPF. Check before approving them.
Compliance verification
CISA, FBI, and many regulators now require DMARC reject. Our grade confirms compliance.
Frequently asked questions
What does each DMARC policy do?
p=none → DMARC reports are collected but no action is taken. p=quarantine → failing mail goes to the spam folder. p=reject → failing mail is rejected outright. Start with none, then ramp up.
Why is my SPF "over the 10-lookup limit"?
SPF allows a maximum of 10 DNS lookups per evaluation (RFC 7208). Each "include:" counts. If you include too many senders, SPF evaluation returns permerror at every receiver.
How do I find my DKIM selector?
Send a test email to your account, then "show original" / "view headers" — the DKIM-Signature header contains s=<selector>.
What is DMARC "rua" vs "ruf"?
rua = aggregate reports (daily summaries). ruf = forensic reports (one per failure). Most use only rua.
Does this affect Gmail/Outlook deliverability?
Yes. Both Google and Microsoft progressively require SPF + DKIM + DMARC for bulk senders. Without proper email auth, your domain’s email gets flagged or rejected.
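The record checks described above (the SPF `all` qualifier, the 10-lookup limit, and the DMARC policy) can be reproduced offline once you have the TXT strings. This is an added example, not the analyzer's own code: the function names and the sample records are constructed for illustration, and the lookup count is a lower bound because lookups inside included records can only be counted by resolving them.

```python
import re

# Terms that trigger a DNS query and count toward the RFC 7208 limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_MEANING = {"-": "hard-fail", "~": "soft-fail", "?": "neutral", "+": "pass"}

def parse_spf(txt):
    """Return the `all` policy and a lower bound on DNS lookups (includes nest)."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return None
    result = {"all": None, "lookups": 0}
    for term in terms[1:]:
        # Optional qualifier, then the mechanism/modifier name up to ':', '/' or '='.
        m = re.match(r"([+\-~?]?)([a-z0-9]+)(?=[:/=]|$)", term)
        name = m.group(2) if m else ""
        if name == "all":
            result["all"] = ALL_MEANING[m.group(1) or "+"]
        elif name in LOOKUP_TERMS:
            result["lookups"] += 1
    return result

def parse_dmarc(txt):
    """Split a DMARC record into tag=value pairs; None if it is not DMARC1."""
    pairs = (part.partition("=") for part in txt.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}
    if tags.get("v") != "DMARC1":
        return None
    return tags

def review(spf_txt, dmarc_txt):
    """List the gaps this page tells you to look for; an empty list means none."""
    findings = []
    spf, dmarc = parse_spf(spf_txt), parse_dmarc(dmarc_txt)
    if spf is None:
        findings.append("no valid SPF record")
    else:
        if spf["all"] not in ("hard-fail", "soft-fail"):
            findings.append(f"SPF ends in {spf['all']}, want ~all or -all")
        if spf["lookups"] > 10:
            findings.append(f"SPF needs {spf['lookups']} DNS lookups (limit 10)")
    if dmarc is None:
        findings.append("no valid DMARC record")
    elif dmarc.get("p", "").lower() != "reject":
        findings.append(f"DMARC p={dmarc.get('p')} is not full enforcement")
    return findings

# Constructed sample records (example.* names are placeholders).
SAMPLE_SPF = "v=spf1 " + " ".join(f"include:s{i}.example.net" for i in range(11)) + " ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
```

Calling `review(SAMPLE_SPF, SAMPLE_DMARC)` reports both the 11-lookup SPF record and the monitoring-only DMARC policy.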
Free for everyone, no signup required. Tool runs at /tools/email-auth-checker/ — bookmark or share.