SPF / DKIM / DMARC Checker
MX, SPF tree, DKIM key bits, DMARC, BIMI and blacklists — one audit, one score.
| Priority | Host | IPs |
|---|
⚙️ Record Generators
DKIM keys are generated by your email provider — publish theirs at selector._domainkey, then verify with the audit above.
The audit MXToolbox makes you run six separate tools for, in one click: your SPF record is expanded into its full include-tree with the exact lookup count, DKIM keys are found and sized, DMARC is parsed tag by tag (including the external-report authorization check most tools skip), BIMI is detected, and your mail servers are run against four blacklists. Fix what's missing with the built-in generators, verify your sending with the SMTP Tester, and clean your lists with the Bulk Email Verifier.
Frequently Asked Questions
What does the full email DNS audit check?
In one run: MX records with their IPs, your SPF record expanded recursively into its full include-tree with the exact DNS lookup count (the RFC limit is 10), DKIM keys across 16 common selectors with RSA key length, DMARC policy with tag-by-tag parsing and external report-address authorization, the optional BIMI logo record, and your mail servers’ IPs against 4 spam blacklists — summarized into one 0–100 health score.
Why does the SPF 10-lookup limit matter so much?
Receivers stop evaluating SPF after 10 DNS lookups and return PermError — which many treat as a failure. Every include:, a, mx, exists and redirect counts, including ones nested inside other includes. The tree view shows exactly where your lookups go, so you know which include to flatten or drop.
What is a good DKIM key length?
2048-bit RSA is the current standard; 1024-bit keys are still accepted but considered weak and some providers now warn about them. The audit estimates your key size from the published record and flags anything under 2048.
My DMARC reports go to a third-party service — why the authorization check?
When rua= points to a different domain (like a DMARC analytics service), that domain must publish a special authorization record, otherwise receivers silently drop your reports. This audit verifies the authorization actually exists — a check most free tools skip.
What do the blacklist (RBL) results mean?
Your inbound mail servers’ IPs are checked against Spamhaus ZEN, SpamCop, SORBS and PSBL. A listing on your MX usually signals a compromised or shared server with bad neighbors and deserves investigation — though inbound listings matter less than your outbound sending IP, which your email provider manages.
Why did the audit not find my DKIM key?
DKIM keys live under a selector name only your provider knows (e.g. s2025._domainkey). The audit tries 16 common selectors automatically; if yours is custom, find it in your provider’s DNS instructions or an email header (the s= tag in DKIM-Signature) and enter it in the selector field.