myipcat.com — Tank myipcat
Home  /  Tools  /  Email Health

Email Domain Health Check

One-shot diagnostic for any domain's email setup. Checks MX, SPF, DMARC, and DKIM in parallel and tells you exactly what's misconfigured, with severity-tagged findings. Built by a network admin, for network admins.

DKIM selector: Leave blank to auto-check 19 common selectors (default, google, selector1, mail, etc.). If your provider uses a custom selector (e.g. 20240101, fm1, k1), enter it here.
Status

About this tool

What gets checked

Four core email-authentication records, in parallel:

  • MX records — Mail exchangers for the domain. Without these, the domain can't receive mail. Multiple MXes (with different priorities) provide redundancy.
  • SPF (Sender Policy Framework) — TXT record listing IPs/hostnames authorized to send mail as the domain. Lives at the apex (e.g. example.com). Must end with ~all or -all to be effective.
  • DMARC (Domain-based Message Authentication) — Policy record at _dmarc.example.com. Tells receivers what to do when SPF/DKIM fail. The strongest setting is p=reject; p=none is monitor-only.
  • DKIM (DomainKeys Identified Mail) — Public-key signing record at {selector}._domainkey.example.com. Selectors aren't discoverable from DNS — the tool tries 19 common ones (Google, Microsoft, Mailchimp, Mandrill, Proton, etc.). Provide a custom selector if you know yours.

What the severities mean

  • OK (green) — record exists and follows best practices.
  • Warning (yellow) — record works but has issues that could affect deliverability or security (e.g., DMARC p=none, single MX, soft-fail SPF).
  • Error (red) — record missing, broken, or actively harmful (e.g., no DMARC, multiple SPF records, +all).

Common DKIM selectors auto-checked

If you don't provide a selector, the tool queries: default, google, mail, s1, s2, selector1, selector2, k1, k2, dkim, email, mandrill, mailchimp, protonmail1-3, mxvault, sm, mta. If your domain uses a different selector (rotating selectors, custom names like 20240101, etc.), enter it manually.

Why this beats running the lookups individually

You could run dig MX example.com, dig TXT example.com, dig TXT _dmarc.example.com, dig TXT default._domainkey.example.com separately. But:

  • You'd have to know the relationship between SPF/DMARC/DKIM by heart
  • You'd have to remember which selectors to try for DKIM
  • You'd have to interpret each record manually (does ~all mean strict? Is p=quarantine good?)
  • You wouldn't catch issues like multiple SPF records, SPF DNS-lookup limits, or DMARC pct= percentages

This tool does all of that in 1-2 seconds and explains what each finding means.

Privacy note

Domain lookups happen server-side via Cloudflare DNS-over-HTTPS. We don't log queries. Anyone who can run dig can already see this data — it's all public DNS records.