SPF & DMARC Checker
Is your domain protected against spoofing — and compliant with Gmail/Yahoo sender rules? Check in seconds.
Lookups go through our DNS-over-HTTPS proxy; only the domain name is queried. Nothing is stored.
How it works
We query the domain's TXT records over DNS-over-HTTPS and evaluate them against the standards:
the SPF record (RFC 7208 — exactly one v=spf1, a restrictive all, and the
10-DNS-lookup limit) and the DMARC record at _dmarc.<domain> (RFC 7489 — policy
strength, reporting, coverage). Optionally we confirm a DKIM public key exists at
<selector>._domainkey.<domain>. Every finding is taken directly from the
observed DNS answers — nested SPF includes are not expanded, and we say so.
FAQ
Why do Gmail and Yahoo require this now?
Since 2024 both require bulk senders to authenticate with SPF and DKIM and publish a DMARC policy — unauthenticated mail is increasingly rejected outright, not just spam-foldered.
Which should I set up first?
SPF and DKIM come first — DMARC builds on them. Then publish DMARC at p=none with
rua=, watch the reports for a few weeks, and tighten to quarantine then
reject.
Does p=none protect me?
No — it only collects reports. Spoofed mail still lands. It's the right first step and the wrong place to stop.
From the channel
One Open Folder Exposed 3 Microsoft 365 Phishing Ops
Watch on The Exploit HQ — cyber threat intel in 60 seconds ▸
weekly kev brief
Patch what's actually being exploited.
One email a week: the vulnerabilities under active attack, prioritized — no noise.
Free. No spam. Unsubscribe anytime. Delivered by Beehiiv.