
Email Security Checker

Enter a domain to check its SPF, DMARC, and MX records. Misconfigured email lets attackers spoof your domain and phish your users. Runs a real DNS-over-HTTPS lookup — nothing is stored.

Example: try google.com or your own domain.


Email is one of dozens of checks.

Your app may also be leaking API keys, missing row-level security, or running with no error tracking. Get the full Launch Readiness Score in ~60 seconds.


SPF, DMARC, and DKIM — the three records that stop email spoofing

Without proper email authentication records, anyone can send email pretending to be from your domain. This is how phishing attacks target your users, partners, and customers — with messages that appear to come from support@yourapp.com but originate from an attacker's server. SPF, DKIM, and DMARC are the three DNS records that prevent this.

SPF — Sender Policy Framework

An SPF record is a DNS TXT record that lists which mail servers are authorised to send email for your domain. When a receiving mail server gets a message claiming to be from your domain, it checks your SPF record; a message from a server not on the list fails SPF and can be rejected or sent to spam. Without SPF, any server in the world can send email as your domain and pass basic spam filters.

DKIM — DomainKeys Identified Mail

DKIM adds a cryptographic signature to every outgoing email. The private key lives on your mail server; the corresponding public key is published as a DNS record. Receiving servers verify the signature and confirm the message was not altered in transit. DKIM survives email forwarding where SPF often fails — making it essential if your users or customers forward your transactional emails.

DMARC — Domain-based Message Authentication

DMARC ties SPF and DKIM together and tells receiving servers what to do when a message fails both checks: deliver it anyway (p=none), quarantine it to spam (p=quarantine), or reject it outright (p=reject). DMARC also sends aggregate reports back to you so you can see who is sending email as your domain. Starting on p=none with reporting lets you audit your sending infrastructure before moving to enforcement.
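To make the SPF and DMARC checks above concrete, here is an added Python example (not the site's checker code) that parses constructed TXT records and grades them the way the sections above describe. The sample records, the domain and the letter-grade scheme are assumptions; a live tool would fetch the records over DNS instead of reading the constructed dictionary, and the MX check is left out.

```python
# Constructed sample TXT records standing in for real DNS answers for
# example.com (SPF) and _dmarc.example.com (DMARC).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
}

def parse_spf(txt_records):
    """Return SPF terms and the qualifier on 'all', or None if no single SPF record."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero records, or more than one, means SPF cannot be evaluated
        return None
    terms = spf[0].split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        qualifier = None  # no 'all' mechanism: unknown senders are neutral
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    return {"terms": terms, "all": qualifier}

def parse_dmarc(txt_records):
    """Return DMARC tags as a dict (p, rua, ...), or None if no single DMARC record."""
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # keep '=' inside values like mailto:
            tags[key.strip().lower()] = value.strip()
    return tags

def grade(domain, txt):
    """Assumed grading: A with no findings, C with one, F with two or more."""
    findings = []
    spf = parse_spf(txt.get(domain, []))
    if spf is None:
        findings.append("SPF: missing or multiple records")
    elif spf["all"] in (None, "+", "?"):
        findings.append("SPF: no restrictive 'all' (use ~all or -all)")
    dmarc = parse_dmarc(txt.get("_dmarc." + domain, []))
    if dmarc is None:
        findings.append("DMARC: missing")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC: p=none, spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua, no aggregate reports")
    letter = "A" if not findings else "C" if len(findings) == 1 else "F"
    return letter, findings
```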

Why vibe-coded apps skip this

Email authentication is a DNS configuration task, not a code task, so AI coding tools do not generate it. Founders who use Resend, SendGrid, or Postmark for transactional email often follow the quick-start guide, which may not include DMARC setup. The result: a live product that sends receipts and password reset emails from a domain with no spoofing protection. Our free checker shows you exactly what is missing and what to add.