SPF · DKIM · DMARC
Check a domain's email authentication
See whether a domain has SPF, DKIM, and DMARC set up — the DNS records that stop scammers from spoofing email from that domain — and get an overall grade. We also check DNSSEC, CAA, and MTA-STS.
How this check works
- Cactus looks up public DNS records (TXT) for the domain and a few common DKIM selectors. No email is sent or read.
- Everything checked here is public DNS data that any mail server can see.
- Nothing you enter is stored. Enter a domain (for example example.com) or an email address.
Frequently asked questions
What are SPF, DKIM, and DMARC?
They're DNS records that prove an email really came from a domain and stop spammers from spoofing it. DMARC ties SPF and DKIM together and tells receivers what to do with fakes.
How do I check if my domain can be spoofed?
Enter your domain here. We look up its SPF, DKIM, and DMARC records and explain whether they protect against impersonation.
What are DNSSEC, CAA, and MTA-STS?
Extra DNS protections. DNSSEC cryptographically signs a domain's DNS so answers can't be forged; CAA limits which authorities may issue its TLS certificates; MTA-STS forces inbound email to use encryption. We report whether each is published.