Email Security Checker

Free email security check

Enter your domain once and see your SPF, DKIM, DMARC, and enforcement status side by side. Powered by Wolferdawg IT Consulting in Lawton, Oklahoma.

What this checker reviews

This tool combines the SPF, DKIM, and DMARC lookups into a single check. Enter your domain and the checker pulls your published authentication records from public DNS, identifies common configuration problems, and assigns a posture score out of 200. Results highlight any records that are missing or misconfigured so you know exactly where to start.

If your DMARC record is missing or set to a monitor-only policy, the checker flags it in red. A domain without enforced DMARC is wide open to spoofing regardless of how clean your SPF and DKIM records are.

Email security checker common questions

What does this email security checker check?

This checker runs four DNS lookups against the domain you enter and reports the full email authentication posture in one view. It pulls your SPF record, your DMARC policy and enforcement level, your DKIM public key for the most common selectors, and your MX records. The result is a posture score and a card-by-card breakdown showing which records pass, which need attention, and what the actual published values are.

Why do I get a low score even though my SPF and DKIM pass?

SPF and DKIM only verify individual messages. DMARC is the policy that ties them together and tells receiving servers what to do when authentication fails. A domain with passing SPF and DKIM but no DMARC record, or a DMARC record set to p=none, is still wide open to spoofing. The checker weighs DMARC enforcement heavily because that is the layer that actually stops impersonation attacks against your domain.

What does it mean when DMARC enforcement fails the check?

Enforcement fails when your DMARC record is missing entirely or when the policy is set to p=none. A p=none policy is monitor-only and tells receiving servers to take no action on messages that fail authentication. Anyone can still send email pretending to be your domain and most servers will deliver it. To actually block spoofing, your DMARC record needs to be set to p=quarantine or p=reject after a monitoring period.

Why did the checker not find my DKIM record?

DKIM records are published under a selector name that is unique to each mail platform. The checker automatically tries the most common selectors including selector1 and selector2 for Microsoft 365, google for Google Workspace, and k1 for several marketing platforms. If none of those return a result, your DKIM record may use a custom selector or DKIM signing may not be enabled on your mail platform. Check your mail platform admin console for the exact selector your provider uses.

How is the DNS posture score calculated?

The score weighs each authentication record by its security impact. A passing DMARC enforcement check at p=quarantine or p=reject is worth the most because it is the layer that actually blocks spoofing. Passing SPF, DKIM, and MX checks each contribute meaningful points. Records with warnings such as DMARC at p=none or SPF approaching the ten DNS lookup limit get partial credit. The maximum score is 200 and reflects a domain with all required records published, all aligned, and DMARC actively enforcing policy.