SPF & DMARC Checker

Is your domain protected against spoofing — and compliant with Gmail/Yahoo sender rules? Check in seconds.

Lookups go through our DNS-over-HTTPS proxy; only the domain name is queried. Nothing is stored.

How it works

We query the domain's TXT records over DNS-over-HTTPS and evaluate them against the standards: the SPF record (RFC 7208 — exactly one v=spf1, a restrictive all, and the 10-DNS-lookup limit) and the DMARC record at _dmarc.<domain> (RFC 7489 — policy strength, reporting, coverage). Optionally we confirm a DKIM public key exists at <selector>._domainkey.<domain>. Every finding is taken directly from the observed DNS answers — nested SPF includes are not expanded, and we say so.

FAQ

Why do Gmail and Yahoo require this now?

Since 2024 both require bulk senders to authenticate with SPF and DKIM and publish a DMARC policy — unauthenticated mail is increasingly rejected outright, not just spam-foldered.

Which should I set up first?

SPF and DKIM come first — DMARC builds on them. Then publish DMARC at p=none with rua=, watch the reports for a few weeks, and tighten to quarantine then reject.

Does p=none protect me?

No — it only collects reports. Spoofed mail still lands. It's the right first step and the wrong place to stop.

From the channel

Video thumbnail: One Open Folder Exposed 3 Microsoft 365 Phishing Ops One Open Folder Exposed 3 Microsoft 365 Phishing Ops Watch on The Exploit HQ — cyber threat intel in 60 seconds ▸