Enter a domain to grade its email authentication (MX, SPF, DKIM, DMARC, and BIMI) from A to F, with a plain-English explanation and fix for every gap. Only the domain you enter is sent to public DNS resolvers.
We read the domain's published DNS records over public DNS-over-HTTPS resolvers and grade its ability to resist spoofing. Only headers and records are read; no mail is sent.
Email authentication drifts as senders are added and providers change. Our IT security audit validates SPF, DKIM, and DMARC across every sending source, hardens your policy to reject safely, and tests your people against real phishing.
It checks the DNS records that protect your email: MX (mail routing), SPF (authorized senders), DKIM (message signing across common selectors), DMARC (enforcement policy and reporting), and BIMI (verified brand logo). Each check is graded and explained in plain English.
Each area is weighted by the protection it provides, with DMARC and SPF weighted most heavily. The tool queries the relevant DNS records over public DNS-over-HTTPS resolvers, scores each one, and converts the total into a letter grade from A to F with specific fixes for every gap.
DKIM keys are published under a selector name that varies by provider. This tool probes the most common selectors, but your provider may use a custom one. If DKIM shows as not detected, confirm the exact selector in your provider's settings; the key still exists even if this tool did not probe that name.
Only the domain name you enter is sent to the public Cloudflare and Google DNS-over-HTTPS resolvers to read its published records. Nothing is stored on our servers.