Email Domain Health Check
One-shot diagnostic for any domain's email setup. Checks MX, SPF, DMARC, and DKIM in parallel and tells you exactly what's misconfigured, with severity-tagged findings. Built by a network admin, for network admins.
About this tool
What gets checked
Four core email-authentication records, in parallel:
- MX records — Mail exchangers for the domain. Without these, the domain can't receive mail. Multiple MXes (with different priorities) provide redundancy.
- SPF (Sender Policy Framework) — TXT record listing IPs/hostnames authorized to send mail as the domain. Lives at the apex (e.g.
example.com). Must end with~allor-allto be effective. - DMARC (Domain-based Message Authentication) — Policy record at
_dmarc.example.com. Tells receivers what to do when SPF/DKIM fail. The strongest setting isp=reject;p=noneis monitor-only. - DKIM (DomainKeys Identified Mail) — Public-key signing record at
{selector}._domainkey.example.com. Selectors aren't discoverable from DNS — the tool tries 19 common ones (Google, Microsoft, Mailchimp, Mandrill, Proton, etc.). Provide a custom selector if you know yours.
What the severities mean
- OK (green) — record exists and follows best practices.
- Warning (yellow) — record works but has issues that could affect deliverability or security (e.g., DMARC
p=none, single MX, soft-fail SPF). - Error (red) — record missing, broken, or actively harmful (e.g., no DMARC, multiple SPF records,
+all).
Common DKIM selectors auto-checked
If you don't provide a selector, the tool queries: default, google, mail, s1, s2, selector1, selector2, k1, k2, dkim, email, mandrill, mailchimp, protonmail1-3, mxvault, sm, mta. If your domain uses a different selector (rotating selectors, custom names like 20240101, etc.), enter it manually.
Going further: who registered this domain?
If you're investigating a domain whose mail config you don't recognize — a customer's vendor, a phishing sender, an old domain you found in DNS — pair this tool with the WHOIS Lookup. It tells you which registrar the domain was bought through, when it was registered, and when it expires. A domain registered three days ago with no SPF and no DMARC is almost always a phishing operation; a 15-year-old domain at a reputable registrar with broken SPF is just an admin who needs to fix their config.
Why this beats running the lookups individually
You could run dig MX example.com, dig TXT example.com, dig TXT _dmarc.example.com, dig TXT default._domainkey.example.com separately. But:
- You'd have to know the relationship between SPF/DMARC/DKIM by heart
- You'd have to remember which selectors to try for DKIM
- You'd have to interpret each record manually (does
~allmean strict? Isp=quarantinegood?) - You wouldn't catch issues like multiple SPF records, SPF DNS-lookup limits, or DMARC
pct=percentages
This tool does all of that in 1-2 seconds and explains what each finding means.
Domain lookups happen server-side via Cloudflare DNS-over-HTTPS. We don't log queries. Anyone who can run dig can already see this data — it's all public DNS records.