DKIM, SPF & DMARC Checker

Email security isn't optional — without SPF, DKIM and DMARC, your domain can be spoofed by anyone with a mail client. Phishers send invoices, password-reset emails and internal-looking memos that pass basic anti-spam checks because the receiving server has no way to verify the sender. SPF tells receivers which IPs are authorized to send mail from your domain. DKIM signs the message body with a private key so receivers can verify it wasn't tampered with. DMARC stitches SPF and DKIM together and tells receivers what to do with messages that fail (none, quarantine, or reject).

The most common mistakes our checker catches: a DMARC record with `p=none` (monitor-only — won't actually block spoofed mail), an SPF record that exceeds the 10-DNS-lookup limit (silently `permerror` — no enforcement), an SPF record with `?all` or `~all` instead of `-all` (lets unauthorized senders through), a DKIM selector that doesn't resolve, or no DMARC record at all (the default state for new domains).

We use the `checkdmarc` library — the same RFC-compliant parser used by enterprise email security tooling. The check runs against live DNS, so the result reflects what receivers see right now. To fix issues: publish an SPF record with `-all`, generate a DKIM key pair and publish the public key as a TXT record at `<selector>._domainkey.<domain>`, then publish a DMARC record at `_dmarc.<domain>` starting with `p=quarantine` (or `p=reject` once you're confident no legitimate mail is failing).

If you run a full SteelSuit scan, we go further — checking BIMI logo verification, MTA-STS policy, TLS-RPT reporting, DNSSEC chain, and whether your subdomains inherit DMARC enforcement. Free email-security check here is a fast triage; the full scan is the audit.