Email Authentication Audit: SPF, DKIM, and DMARC Verification

Email authentication is your first line of defense against spoofing and phishing. This 8-step audit verifies every authentication protocol — from SPF and DKIM to BIMI and MTA-STS — to ensure your domain is fully protected.

Authentication Audit Checklist

1
Check SPF Record
Verify your SPF record exists, has correct syntax, and includes all authorized sending sources. A missing or malformed SPF record means any server can send email as your domain.
Check SPF Record
2
Validate SPF Lookups
SPF has a hard limit of 10 DNS lookups. Exceeding this causes a permanent error (permerror) that makes SPF fail for all emails. Flatten nested includes to stay under the limit.
Flatten SPF Record
3
Check DKIM Selectors
Discover which DKIM selectors your domain uses. Each email provider typically has its own selector. Knowing your active selectors is essential before verifying keys.
Find DKIM Selectors
4
Verify DKIM Keys
For each active selector, verify the DKIM public key is published correctly in DNS and uses a strong key length (2048-bit RSA minimum). Weak or missing keys fail DKIM verification.
Check DKIM Record
5
Check DMARC Policy
Confirm your DMARC record specifies the correct policy, alignment mode, and reporting addresses. A p=none policy provides visibility but no protection — aim for p=reject.
Check DMARC Policy
6
Test BIMI Record
Check if your domain has a BIMI record that displays your brand logo in supporting email clients. BIMI requires a valid DMARC policy of p=quarantine or p=reject.
Check BIMI Record
7
Check MTA-STS
Verify your MTA-STS policy enforces TLS encryption for incoming email. Without MTA-STS, attackers can intercept email by downgrading connections to unencrypted SMTP.
Check MTA-STS
8
Run Spam Score Test
After verifying all authentication records, test your overall spam score. Proper SPF, DKIM, and DMARC alignment significantly reduces spam score and improves inbox placement.
Check Spam Score

Quick Reference

Step 1: Check SPF Record
Step 2: Validate SPF Lookups
Step 3: Check DKIM Selectors
Step 4: Verify DKIM Keys
Step 5: Check DMARC Policy
Step 6: Test BIMI Record
Step 7: Check MTA-STS
Step 8: Run Spam Score Test

Frequently Asked Questions

Do I need all three: SPF, DKIM, and DMARC?: Yes. Gmail, Yahoo, and Microsoft now require all three for bulk senders. SPF authorizes sending servers, DKIM verifies message integrity, and DMARC ties them together with a policy. Missing any one weakens your authentication.
What is the difference between DMARC alignment modes?: Relaxed alignment (the default) requires only the organizational domain to match — e.g., mail.example.com passes for example.com. Strict alignment requires an exact domain match. Relaxed is recommended unless you have specific subdomain control requirements.
Is BIMI worth implementing?: BIMI displays your brand logo next to emails in supported clients like Gmail and Apple Mail, increasing trust and open rates. It requires DMARC at p=quarantine or p=reject, plus a Verified Mark Certificate (VMC) for Gmail. It is worth implementing once your authentication is solid.

Lock Down Your Email Authentication

Complete all 8 checks to verify your domain is fully authenticated. All tools are free with no signup.

Browse All Tools

Authentication Audit Checklist

Check SPF Record

Verify your SPF record exists, has correct syntax, and includes all authorized sending sources. A missing or malformed SPF record means any server can send email as your domain.

Check SPF Record

Validate SPF Lookups

SPF has a hard limit of 10 DNS lookups. Exceeding this causes a permanent error (permerror) that makes SPF fail for all emails. Flatten nested includes to stay under the limit.

Flatten SPF Record

Check DKIM Selectors

Discover which DKIM selectors your domain uses. Each email provider typically has its own selector. Knowing your active selectors is essential before verifying keys.

Find DKIM Selectors

Verify DKIM Keys

For each active selector, verify the DKIM public key is published correctly in DNS and uses a strong key length (2048-bit RSA minimum). Weak or missing keys fail DKIM verification.

Check DKIM Record

Check DMARC Policy

Confirm your DMARC record specifies the correct policy, alignment mode, and reporting addresses. A p=none policy provides visibility but no protection — aim for p=reject.

Check DMARC Policy

Test BIMI Record

Check if your domain has a BIMI record that displays your brand logo in supporting email clients. BIMI requires a valid DMARC policy of p=quarantine or p=reject.

Check BIMI Record

Check MTA-STS

Verify your MTA-STS policy enforces TLS encryption for incoming email. Without MTA-STS, attackers can intercept email by downgrading connections to unencrypted SMTP.

Check MTA-STS

Run Spam Score Test

After verifying all authentication records, test your overall spam score. Proper SPF, DKIM, and DMARC alignment significantly reduces spam score and improves inbox placement.

Check Spam Score

Frequently Asked Questions

Do I need all three: SPF, DKIM, and DMARC?

Yes. Gmail, Yahoo, and Microsoft now require all three for bulk senders. SPF authorizes sending servers, DKIM verifies message integrity, and DMARC ties them together with a policy. Missing any one weakens your authentication.

What is the difference between DMARC alignment modes?

Relaxed alignment (the default) requires only the organizational domain to match — e.g., mail.example.com passes for example.com. Strict alignment requires an exact domain match. Relaxed is recommended unless you have specific subdomain control requirements.

Is BIMI worth implementing?

BIMI displays your brand logo next to emails in supported clients like Gmail and Apple Mail, increasing trust and open rates. It requires DMARC at p=quarantine or p=reject, plus a Verified Mark Certificate (VMC) for Gmail. It is worth implementing once your authentication is solid.