SPF & DMARC Checker

Check your email security records instantly. Validate SPF and DMARC configuration, detect misconfigurations, and get a security grade — free, no signup required.

What does this tool check?

SPF Record

Validates your SPF record exists, is correctly formed, and uses a restrictive "all" mechanism to block unauthorised senders.

DMARC Record

Checks your DMARC policy, enforcement level (none / quarantine / reject), coverage percentage, and reporting address.

Security Grade

An overall A–F grade based on how well your domain is protected: A = SPF pass + DMARC reject, F = no SPF record.

Issue Detection

Identifies specific misconfigurations like missing records, permissive policies, and incomplete coverage with actionable fixes.

Frequently Asked Questions

What is an SPF record?

SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorised to send email on behalf of your domain. When an email arrives, the receiving mail server checks your SPF record to verify the sending server is allowed. Without SPF, spammers can easily forge emails that appear to come from your domain.

What is DMARC and why do I need it?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS TXT record that tells receiving mail servers what to do when an email fails SPF or DKIM checks — either monitor (none), quarantine to spam, or reject it outright. DMARC also enables reporting so you can see who is sending email from your domain. Without DMARC, even a correctly configured SPF record provides limited protection against phishing.

What does DMARC p=none mean?

A DMARC policy of p=none means the record is in monitoring mode only. Emails that fail authentication are still delivered normally, but reports are sent to the address in the "rua" tag. This is a good starting point to understand your email sending patterns, but it provides no protection. You should aim to progress to p=quarantine and eventually p=reject once you are confident all legitimate email is passing.

How do I fix a missing SPF record?

Log in to your domain registrar or DNS provider and add a TXT record at your root domain (@). The value should be something like "v=spf1 include:yourmailprovider.com -all". Replace "yourmailprovider.com" with the include provided by your email service (e.g., Google Workspace uses include:_spf.google.com). The "-all" at the end means reject all other senders. Once added, changes propagate within minutes to 48 hours.

What is the difference between ~all and -all in SPF?

The "~all" (softfail) mechanism means that emails from unlisted servers should be accepted but marked as suspicious. The "-all" (hardfail) mechanism instructs receiving servers to reject emails from unlisted servers outright. For maximum protection, use "-all". Use "~all" only if you are transitioning and need time to identify all your legitimate sending servers first.

Monitor SPF & DMARC changes automatically

Uptrue's SPF/DMARC validity monitoring watches your authentication records and alerts you the moment something shifts. Pair it with MX health monitoring so a broken mail flow never goes unnoticed — protecting your domain reputation before attackers exploit it.

Start Monitoring Free