Email Authentication Checker
Check SPF, DKIM, DMARC, MX, MTA-STS, TLS-RPT, BIMI, DNSSEC, and domain spoofing risk in one scan.
Scanning DNS records and policy files...
What this tool checks
SPF
Authorised sending sources, DNS lookup count, and whether the record ends in -all so receivers can reject unauthorised senders.
DKIM
Cryptographic signing key health for common selectors, with key type and key length evaluation.
DMARC
Policy discovery using the RFC 9989 DNS Tree Walk, with handling of t=y testing mode and the np, sp, p fallback for non-existent subdomains.
MX
Mail exchanger records and detected mail provider, since DMARC alignment depends on a clear sending stack.
MTA-STS
DNS record and the policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt, with mode and MX match.
TLS-RPT
The reporting endpoint that receives transport security failure reports about MTA-STS and TLS delivery problems.
BIMI
Brand indicator record. BIMI requires DMARC enforcement first. The logo is fetched safely and never inlined.
DNSSEC
Best-effort DS record presence. A validating resolver is required to fully confirm chain of trust.
How to read the results
What spoofable means
If no enforcing DMARC policy applies to a domain, receivers have no instruction to reject mail that fails SPF or DKIM alignment. Attackers can craft messages that look like they came from the domain.
Why DMARC p=none is not protection
p=none tells receivers to monitor and report, not to block. Move to p=quarantine, then p=reject, once legitimate mail is aligned in reports.
The SPF 10 lookup limit
RFC 7208 caps DNS-querying mechanisms at 10. Beyond that, receivers return PermError and SPF effectively fails. Remove unused include terms or consolidate providers.
DKIM selectors
A selector is the label under _domainkey that identifies one of many possible DKIM keys for a domain. Each sending provider uses its own selector.
Recommended rollout order
Publish SPF and DKIM first. Add DMARC at p=none with rua reporting. Move to quarantine, then reject, with np=reject for non-existent subdomains. Add MTA-STS in testing mode, then enforce.
Why this scanner is useful for business risk review
Email authentication is both a technical control and a business trust control. A weak domain can be used in supplier fraud, invoice redirection, executive impersonation, customer phishing, helpdesk abuse, and brand damage. The scanner focuses on the records that matter most for a public-domain review: SPF, DKIM, DMARC, MX, MTA-STS, TLS-RPT, BIMI, DNSSEC, and the resulting spoofability verdict.
The result is designed for two audiences. A business owner can read the verdict, score, top risks, and next step. A security engineer can review the DNS records, selector details, lookup counts, policy inheritance, and copy-ready remediation examples. The tool does not replace a manual penetration test or email security assessment, but it helps identify public misconfigurations quickly and consistently.
For production domains, use the generated fixes carefully. Create reporting mailboxes before publishing DMARC or TLS-RPT records, verify every legitimate sender, and roll out enforcement in stages. If the domain handles customer communication, finance, authentication, or executive communication, manual validation is recommended before moving to a strict reject policy.
FAQ
Is this tool free?
Yes. It is a free tool from VAPT Experts. No signup, no email gate, no payment.
Do I need to sign up?
No. Enter a domain and view the results immediately.
Do you store my domain?
Scan results are cached in memory for a few minutes to keep the service fast. Nothing is written to a database. Shared links include the domain in the URL so the scan can be rerun.
What is SPF?
Sender Policy Framework lists which servers may send mail for a domain. Receivers use it during the SMTP envelope evaluation.
What is DKIM?
DKIM is a cryptographic signature added to outgoing mail. Receivers verify the signature against the public key published in DNS.
What is DMARC?
DMARC tells receivers how to handle mail that fails SPF or DKIM alignment. It also requests reports about authentication outcomes.
Why is p=none not enough?
p=none is monitoring. It does not instruct receivers to reject. Spoofed mail can still reach recipients.
What is the SPF 10 lookup limit?
RFC 7208 caps the number of DNS-querying SPF mechanisms at 10 per evaluation. Exceeding the cap causes PermError, and SPF fails.
What is a DKIM selector?
A label under _domainkey.<domain> identifying one of possibly many DKIM public keys for the domain.
Can this tool prove email spoofing?
No. It analyses public records. A manual penetration test confirms inbox behavior end to end.