SPF, DKIM & DMARC Analyzer

Paste an SPF, DKIM, or DMARC TXT record. Get a plain-English breakdown of every mechanism and tag, an SPF lookup count against the 10-lookup limit, and a flag on the weak settings that let spoofers through. This lints syntax in your browser; it does not query DNS.

Record(s) — one per line

What SPF, DKIM, and DMARC actually do

Three records, one goal

Together these DNS records let a receiving server decide whether a message really came from your domain. SPF lists which servers are allowed to send mail for your domain. DKIM publishes a public key so receivers can verify a signature your outbound mail server added. DMARC ties the visible From address to SPF or DKIM passing, and tells receivers what to do when a message fails and where to send reports.

The SPF 10-lookup limit

Evaluating an SPF record may not require more than 10 DNS lookups (RFC 7208). Mechanisms like include, a, mx, ptr, exists, and the redirect modifier each cost a lookup, and an include can pull in more from the target record. Exceed the limit and SPF returns permerror, which usually means it stops protecting you. This tool counts the lookups visible in the record itself; it cannot follow includes, so the real total may be higher.

The settings that matter

For SPF, the final all mechanism is the verdict for everything not explicitly allowed: -all hard-fails, ~all soft-fails, ?all is neutral, and +all authorizes the entire internet (almost always a mistake). For DMARC, p=none only monitors and does not stop spoofing, while quarantine and reject actually act. A DKIM record with an empty p= is a revoked key.

Lint, not lookup

This checks the record you paste. To see the records a live domain actually publishes, use the DNS Lookup tool, which queries them and also reports SPF and DMARC posture.