Skip to main content
VAPT Experts Email Authentication Scanner
Free email security posture scan

Email Authentication Checker

Check SPF, DKIM, DMARC, MX, MTA-STS, TLS-RPT, BIMI, DNSSEC, and domain spoofing risk in one scan.

No signup No database storage No email sent Public DNS only
Run full domain scan SPF + DKIM + DMARC + mail transport
Try
SPF DKIM DMARC MX MTA-STS TLS-RPT BIMI DNSSEC

Shared links include the domain in the URL so the scan can be rerun. Avoid shared links for sensitive internal domains.

Scanning DNS records and policy files...

What this tool checks

SPF

Authorised sending sources, DNS lookup count, and whether the record ends in -all so receivers can reject unauthorised senders.

DKIM

Cryptographic signing key health for common selectors, with key type and key length evaluation.

DMARC

Policy discovery using the RFC 9989 DNS Tree Walk, with handling of t=y testing mode and the np, sp, p fallback for non-existent subdomains.

MX

Mail exchanger records and detected mail provider, since DMARC alignment depends on a clear sending stack.

MTA-STS

DNS record and the policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt, with mode and MX match.

TLS-RPT

The reporting endpoint that receives transport security failure reports about MTA-STS and TLS delivery problems.

BIMI

Brand indicator record. BIMI requires DMARC enforcement first. The logo is fetched safely and never inlined.

DNSSEC

Best-effort DS record presence. A validating resolver is required to fully confirm chain of trust.

How to read the results

What spoofable means

If no enforcing DMARC policy applies to a domain, receivers have no instruction to reject mail that fails SPF or DKIM alignment. Attackers can craft messages that look like they came from the domain.

Why DMARC p=none is not protection

p=none tells receivers to monitor and report, not to block. Move to p=quarantine, then p=reject, once legitimate mail is aligned in reports.

The SPF 10 lookup limit

RFC 7208 caps DNS-querying mechanisms at 10. Beyond that, receivers return PermError and SPF effectively fails. Remove unused include terms or consolidate providers.

DKIM selectors

A selector is the label under _domainkey that identifies one of many possible DKIM keys for a domain. Each sending provider uses its own selector.

Recommended rollout order

Publish SPF and DKIM first. Add DMARC at p=none with rua reporting. Move to quarantine, then reject, with np=reject for non-existent subdomains. Add MTA-STS in testing mode, then enforce.

Why this scanner is useful for business risk review

Email authentication is both a technical control and a business trust control. A weak domain can be used in supplier fraud, invoice redirection, executive impersonation, customer phishing, helpdesk abuse, and brand damage. The scanner focuses on the records that matter most for a public-domain review: SPF, DKIM, DMARC, MX, MTA-STS, TLS-RPT, BIMI, DNSSEC, and the resulting spoofability verdict.

The result is designed for two audiences. A business owner can read the verdict, score, top risks, and next step. A security engineer can review the DNS records, selector details, lookup counts, policy inheritance, and copy-ready remediation examples. The tool does not replace a manual penetration test or email security assessment, but it helps identify public misconfigurations quickly and consistently.

For production domains, use the generated fixes carefully. Create reporting mailboxes before publishing DMARC or TLS-RPT records, verify every legitimate sender, and roll out enforcement in stages. If the domain handles customer communication, finance, authentication, or executive communication, manual validation is recommended before moving to a strict reject policy.

FAQ

Is this tool free?

Yes. It is a free tool from VAPT Experts. No signup, no email gate, no payment.

Do I need to sign up?

No. Enter a domain and view the results immediately.

Do you store my domain?

Scan results are cached in memory for a few minutes to keep the service fast. Nothing is written to a database. Shared links include the domain in the URL so the scan can be rerun.

What is SPF?

Sender Policy Framework lists which servers may send mail for a domain. Receivers use it during the SMTP envelope evaluation.

What is DKIM?

DKIM is a cryptographic signature added to outgoing mail. Receivers verify the signature against the public key published in DNS.

What is DMARC?

DMARC tells receivers how to handle mail that fails SPF or DKIM alignment. It also requests reports about authentication outcomes.

Why is p=none not enough?

p=none is monitoring. It does not instruct receivers to reject. Spoofed mail can still reach recipients.

What is the SPF 10 lookup limit?

RFC 7208 caps the number of DNS-querying SPF mechanisms at 10 per evaluation. Exceeding the cap causes PermError, and SPF fails.

What is a DKIM selector?

A label under _domainkey.<domain> identifying one of possibly many DKIM public keys for the domain.

Can this tool prove email spoofing?

No. It analyses public records. A manual penetration test confirms inbox behavior end to end.