Skip to main content
New SPF lookups must resolve in milliseconds — why a DMARC tool's add-on isn't enough Learn Why → →

Domain Authentication Checker

Check SPF, DMARC, BIMI, MTA-STS, and TLS-RPT records for any domain - free.

All 5 protocols checked simultaneously - no signup required

Checks SPF, DMARC, BIMI, MTA-STS, and TLS-RPT records simultaneously.

Protocol Deep Dive

Understanding Email Authentication Protocols

SPF (Sender Policy Framework)

SPF specifies which mail servers are authorized to send email for your domain. It works by publishing a DNS TXT record that lists approved IP addresses and hostnames. Receiving servers check this record to verify that incoming mail comes from an authorized source.

DMARC (Domain-based Message Authentication)

DMARC ties SPF and DKIM together and tells receiving mail servers what to do when neither authentication method passes - reject, quarantine, or allow the message. It also enables aggregate and forensic reporting so domain owners can monitor authentication results.

BIMI (Brand Indicators for Message Identification)

BIMI lets organizations display their brand logo next to authenticated emails in supporting email clients. It requires a valid DMARC policy (quarantine or reject) and optionally a Verified Mark Certificate (VMC) for logo display in Gmail and Apple Mail.

MTA-STS (Mail Transfer Agent Strict Transport Security)

MTA-STS tells sending mail servers that your domain requires TLS encryption for email delivery. It prevents downgrade attacks and man-in-the-middle interception by publishing a DNS record and a policy file that mandate encrypted connections.

TLS-RPT (TLS Reporting)

TLS-RPT enables receiving mail servers to report TLS connection failures back to you. When combined with MTA-STS, it provides visibility into delivery problems caused by certificate errors, expired certificates, or misconfigured encryption.

Complete Protection

Why All 5 Protocols Matter

Anti-Spoofing

SPF + DMARC prevent unauthorized senders from impersonating your domain.

Encryption

MTA-STS + TLS-RPT ensure email is encrypted in transit and report failures.

Brand Trust

BIMI displays your logo in the inbox, increasing recipient confidence and open rates.

Running the Audit

How to Run a Complete Email Authentication Audit

Email authentication isn't one setting - it's five DNS records that work as a stack. This checker pulls all of them at once so you can see the whole picture instead of chasing one record at a time. Here's how to read that audit and fix it in the right order.

What a Full Audit Covers

A complete check looks at SPF (which servers may send), DKIM (a signature proving messages weren't altered), DMARC (the policy tying SPF and DKIM to your From domain), MTA-STS (enforced TLS encryption in transit), and TLS-RPT (reporting on encryption failures). A domain can pass one and fail the rest, so auditing them together is the only way to know you're actually protected.

Reading Your Results: Healthy vs Broken

  • SPF - present, valid, and under ten DNS lookups. A PermError here quietly breaks DMARC.
  • DMARC - present at _dmarc, with a policy stronger than p=none and a reporting address.
  • DKIM - at least one active selector publishing a strong (2048-bit) key.
  • MTA-STS / TLS-RPT - a published policy enforcing TLS, plus an address to receive failure reports.

The Order to Fix Things

Work bottom-up, because each layer depends on the one beneath it. Start with SPF - it's the foundation, and DMARC can't enforce without a passing, aligned SPF or DKIM result. Next confirm DKIM signing. Then raise your DMARC policy from none toward reject. Only then add transport security with MTA-STS and TLS-RPT, and finally BIMI to show your logo - which requires enforced DMARC to work at all.

Where Domains Most Often Fail

  • SPF over the 10-lookup limit - the single most common failure, and the one AutoSPF fixes automatically by flattening your includes.
  • DMARC stuck at p=none - published but never enforced, so it offers no protection.
  • No MTA-STS - mail still delivers, but without protection against downgrade attacks.
  • BIMI without a VMC - the logo won't display in Gmail or Apple Mail without a Verified Mark Certificate.

Re-run this audit whenever you add a sending service or change providers, and fix each layer with its dedicated tool linked above. Getting SPF right is the prerequisite for everything else - AutoSPF keeps it valid and under the lookup limit so the rest of your stack has a solid base.

Need help fixing your email authentication?

AutoSPF automatically flattens SPF records and keeps your email authentication aligned. Setup takes 60 seconds.

Rated 5/5 on G2 · Trusted since 2018

What Our Customers Say

"AutoSPF Flattens SPF Records Seamlessly & Keeps Changes Logged - I am quite pleased with the product"

It does what it promises to do, and does it very well. I appreciate that it keeps a log of changes made, which prevents many mistakes. A client's SPF record would have way too many lookups, but AutoSPF makes that problem go away. The length of the SPF record is typically not the issue; it's the amount of lookups in the record that are. AutoSPF "flattens" the record, automatically expanding the defined lookups to IP addresses or ranges. And it auto-updates the record when the un-flattened lookups change.
PJ

Peter J.

President · Small-Business (50 or fewer emp.)

"Helped us go beyond capacity"

AutoSPF did exactly as described, it helped us get past our 10 lookup limit. Afterwards, we hit another limit regarding overall capacity and when contacted, they quickly provided us with a new solution to eliminate capacity issues entirely going forward, so now we can add as many SPF records as needed. They also provided us with a personalized support video explaining their new method in its entirety using our instance as the example.
VU

Verified User

Financial Services · Mid-Market (51-1000 emp.)