How to Check If Your Email Is Protected with SPF, DKIM and DMARC

May 24, 20268 min read

If you own a domain and use email, you need three DNS records to keep your messages out of spam folders and prevent impersonation: SPF, DKIM, and DMARC. Without them, anyone can send forged emails from your domain (phishing, spoofing).

This guide walks you through checking whether your domain has them configured correctly using the Email Security Checker from SecuriTool, and how to interpret each result.

✅ Open the checker in another tab while you read:

Email Security Checker →

What Are SPF, DKIM, and DMARC?

These three email authentication mechanisms work together. None is sufficient on its own:

Record	What It Does	What It Protects Against
SPF	Lists the servers authorized to send email for your domain	Anyone sending from an unauthorized IP
DKIM	Digitally signs emails with a public key in your DNS	Message tampering in transit
DMARC	Tells receivers what to do when SPF or DKIM fail (none/quarantine/reject)	Direct domain spoofing and phishing

Step 1: Open the Email Security Checker

Navigate to the Email Security Checker. You will see a single input field for a domain name.

Important: The entire analysis runs in your browser via DNS-over-HTTPS. No data is sent to any server — not your domain, not the results.

Step 2: Enter Your Domain

Type the domain you want to check (for example, example.com) and click "Check". The tool queries DNS records and displays results within seconds.

Step 3: Interpret the Results

SPF

A correct SPF record looks like this:

v=spf1 include:_spf.google.com ~all

What to look for:

✅ Pass: A valid SPF record exists. You will see the list of authorized servers.
⚠️ SoftFail or ~all: SPF exists but is not strict — unauthorized servers are marked as suspicious but not rejected.
❌ Not found: No SPF record. Your emails can be spoofed trivially.
❌ Error: Too many DNS lookups (exceeds 10). Many receivers will ignore the SPF entirely.

🔧 How to Fix SPF

For Google Workspace, add this TXT record to your DNS:

v=spf1 include:_spf.google.com ~all

For Microsoft 365:

v=spf1 include:spf.protection.outlook.com ~all

Once verified, change ~all to -all to reject unauthorized senders.

DKIM

DKIM requires two parts: a public key in your DNS (generated by your email provider) and signing enabled on your mail server.

What to look for:

✅ Valid: A DKIM key was found with correct format. The selector and key details are shown.
⚠️ Weak: The key uses RSA 1024-bit or less. Consider upgrading to 2048-bit.
❌ Not found: No DKIM record. Generate one from your email provider and add it to DNS.

🔧 How to Set Up DKIM

In Google Workspace: Admin → Apps → Gmail → Authenticate email → Generate new record. Copy the TXT record to your DNS.

In Microsoft 365: Admin portal → Exchange → Protection → DKIM → Enable and rotate keys.

DMARC

DMARC is the policy that decides what happens when SPF or DKIM fail. Without DMARC, attackers can spoof your domain even if you have SPF and DKIM.

A typical DMARC policy:

v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com

What to look for:

✅ Pass: DMARC is configured with a policy. The tool displays the active policy.
⚠️ Monitoring (p=none): DMARC exists but enforces nothing. Useful for initial testing, but does not actively protect.
❌ Not found: No DMARC record. No spoofing protection.

Policy	Meaning	When to Use
`p=none`	Monitor only, no blocking	First few days to ensure no false positives
`p=quarantine`	Suspicious emails go to spam	Transition phase after monitoring
`p=reject`	Emails failing SPF/DKIM are rejected	Goal state. Full protection

🔧 How to Implement DMARC Gradually

Week 1: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com — observe only
Week 2: Review DMARC reports (sent to the rua email). If clean, escalate to p=quarantine
Week 3: Move to p=reject — full spoofing protection

BIMI (Bonus)

BIMI displays your brand logo next to verified emails in Gmail and Apple Mail. The tool checks this too.

Requirements for BIMI:

DMARC set to p=reject or p=quarantine
Logo in SVG format hosted on your domain
Optional VMC (Verified Mark Certificate)

Complete Example

Here is what results look like for a well-configured domain:

📧 Email Security Report — example.com

╔════════════════════════════════════╗
║ SPF:  ✅ Pass                      ║
║       v=spf1 include:_spf.google.com ~all ║
╠════════════════════════════════════╣
║ DKIM: ✅ Valid (selector: google)  ║
║       RSA 2048 bits                ║
╠════════════════════════════════════╣
║ DMARC: ✅ Pass (p=reject)          ║
║       rua: mailto:dmarc@example.com║
╠════════════════════════════════════╣
║ BIMI: ✅ Logo found                ║
║       selectors: google,_domainkey ║
╚════════════════════════════════════╝
📊 Grade: A+

The overall Grade summarizes the state of all three mechanisms. An A or A+ means all three are properly configured.

FAQ

How often should I check my configuration?

At least once a month. Email providers change their servers (Google, Microsoft) and your records may become outdated. Also check after changing email providers or hosting.

Can I have SPF without DMARC?

Yes, but it is not recommended. DMARC is the only mechanism that tells the receiver what to do when SPF or DKIM fails. Without it, each server decides independently — and many will still deliver fraudulent email.

What does "too many DNS lookups" mean in SPF?

The standard allows a maximum of 10 DNS lookups per SPF check. Each include:, redirect=, or mx counts as one. If you exceed 10, servers may ignore your SPF entirely.

Does the checker store my domain?

No. All analysis runs in your browser via DNS-over-HTTPS. No data is sent to any server. Verify this by opening developer tools (F12 → Network tab) while running a check.

Conclusion

SPF, DKIM, and DMARC are the foundation of email security. Configuring them correctly protects your domain against spoofing, improves deliverability, and is a requirement for any organization using professional email.

Use the Email Security Checker to test your domain now — it takes under a minute and is completely private.

🔍 Check your domain now:

Email Security Checker →

Published May 24, 2026 · Practical Guide · SecuriTool