What Is an Email DNS Check?
An email DNS check analyzes the DNS records that control how email is sent, received, and authenticated for your domain. Misconfigured records can cause emails to land in spam, bounce, or allow attackers to send emails pretending to be from your domain.
This tool checks 14 aspects of your email DNS configuration in seconds, including MX records, SPF, DKIM, DMARC, MTA-STS, BIMI, TLS-RPT, SMTP TLS, open relay status, PTR records, and more.
Why SPF, DKIM, and DMARC Matter
These three protocols form the foundation of email authentication. Major email providers like Gmail, Outlook, and Yahoo now require proper authentication — domains without it face significantly higher spam filtering rates.
- SPF (Sender Policy Framework) — Defines which IP addresses are authorized to send email for your domain. Prevents unauthorized servers from sending as you.
- DKIM (DomainKeys Identified Mail) — Adds a cryptographic signature to every email, proving the message wasn't altered in transit.
- DMARC (Domain-based Message Authentication) — Ties SPF and DKIM together with a policy. Tells receiving servers whether to reject, quarantine, or allow unauthenticated messages.
How Email Authentication Works
When someone sends an email from your domain, the receiving mail server performs a series of DNS lookups to verify the sender's legitimacy:
- MX lookup — Finds which servers handle email for your domain.
- SPF check — Queries the TXT record at your domain to see if the sending IP is authorized.
- DKIM verification — Retrieves the public key from a
selector._domainkey.yourdomain.comTXT record and verifies the email's signature. - DMARC evaluation — Checks the
_dmarc.yourdomain.comTXT record for the domain's policy, then applies it based on SPF/DKIM results. - MTA-STS check — Looks up the
_mta-stsTXT record and fetches the HTTPS policy to enforce transport encryption.
Frequently Asked Questions
What is an email DNS check?
An email DNS check analyzes the DNS records associated with your domain's email configuration, including MX records (mail routing), SPF (sender authorization), DKIM (email signing), DMARC (policy enforcement), MTA-STS (transport security), and BIMI (brand display). It identifies misconfigurations that could cause delivery failures or allow email spoofing.
Why do SPF, DKIM, and DMARC matter?
SPF, DKIM, and DMARC are the three pillars of email authentication. SPF specifies which servers can send email for your domain. DKIM adds a cryptographic signature to verify messages haven't been tampered with. DMARC ties them together with a policy that tells receivers what to do with unauthenticated emails. Without all three, your emails are more likely to land in spam, and your domain is vulnerable to spoofing and phishing attacks.
What is a good email DNS score?
A score of 8 or above out of 10 indicates a well-configured domain. Key factors include having valid MX records, a strict SPF policy (-all), DKIM signing enabled, DMARC set to quarantine or reject, and MTA-STS for transport encryption. Scores below 6 indicate significant gaps that could affect email deliverability and security.
How often should I check my email DNS?
Check your email DNS whenever you change email providers, update DNS records, or modify your mail server configuration. Regular monthly checks are recommended to catch expired certificates, misconfigured records, or policy drift. Automated monitoring is ideal for production domains.
Is this tool free?
Yes, completely free with no sign-up required. We use a lightweight proof-of-work system instead of CAPTCHAs to prevent abuse while keeping the tool accessible to everyone.