SPF · DKIM · DMARC

Check a domain's email authentication

See whether a domain has SPF, DKIM, and DMARC set up — the DNS records that stop scammers from spoofing email from that domain — and get an overall grade. We also check DNSSEC, CAA, and MTA-STS.

How this check works
  • Cactus looks up public DNS records (TXT) for the domain and a few common DKIM selectors. No email is sent or read.
  • Everything checked here is public DNS data that any mail server can see.
  • Nothing you enter is stored. Enter a domain (for example example.com) or an email address.

You're viewing a shared result.

Email authentication

cactus.net

How well this domain is protected against email spoofing.

Auth grade: A

What this means
  • At least one DKIM signing key was found.

Sender Policy Framework

  • Present
  • Policy: Strict — unauthorized senders are rejected (-all)
  • DNS lookups used: 1 of 10 allowed

DMARC policy

  • Present
  • Policy: Reject — spoofed mail is blocked (strongest)
  • Aggregate reporting (rua): Present

DomainKeys Identified Mail

  • Present
  • Selectors found: selector1, selector2

Extra DNS hygiene

  • DNSSEC: Missing

    Not detected. DNSSEC signs DNS records so they can't be forged in transit. Many domains still don't use it.

  • CAA records: Missing

    Not found. CAA records restrict which certificate authorities can issue certificates for your domain — a useful safeguard.

  • MTA-STS: Missing

    Not detected. MTA-STS forces inbound email to use encryption, blocking downgrade attacks. (We check the DNS record only, not the policy file.)

  • TLS reporting (TLS-RPT): Missing

    Not found. TLS-RPT collects reports about failed encrypted email delivery — useful alongside MTA-STS.

Important limitation

This reflects the domain's published DNS policy right now. A strong policy makes spoofing harder but does not guarantee every message is legitimate, and DKIM is detected only for common selectors.