DNS VALIDATOR
Validate your SPF, DKIM, and DMARC records. Misconfigured DNS authentication is the leading cause of deliverability failures — find out in seconds.
DNS Authentication Records
SPF, DKIM & DMARC EXPLAINED
Email authentication records are DNS TXT records that prove to receiving mail servers that your emails are legitimate. Without them, your domain is trivially easy to spoof.
In 2024, Google and Yahoo mandated that bulk senders must have valid SPF, DKIM, and DMARC records — or face deliverability consequences. Proper DNS authentication is no longer optional.
A typo in your SPF record, a missing DKIM selector, or a DMARC policy of "none" are invisible problems that silently cost you inbox placement every day.
The Three Authentication Records
- SPF (Sender Policy Framework): A DNS TXT record at your root domain that lists the IP addresses and services authorized to send email on your behalf.
  v=spf1 include:sendgrid.net ~all
- DKIM (DomainKeys Identified Mail): A public/private key pair that cryptographically signs each outgoing email. The public key lives in DNS under a "selector" subdomain.
  default._domainkey.yourdomain.com
- DMARC (Domain-based Message Authentication): Tells receivers what to do when SPF or DKIM fails: p=none (do nothing), p=quarantine (spam folder), or p=reject (block entirely).
  v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
- MX Records: Mail Exchanger records specify which servers receive email for your domain. Missing MX records cause inbound delivery failures.
  10 mail.yourdomain.com
Frequently Asked Questions — SPF, DKIM & DMARC
- What happens if I don't have an SPF record?
- Receiving mail servers have no way to verify your sending IP is authorized. Many servers apply a higher spam suspicion score, and others — particularly corporate mail servers — reject unauthenticated email outright. Gmail and Yahoo now actively flag missing SPF for bulk senders.
- What's the difference between ~all and -all in SPF?
- ~all (softfail) means emails from unauthorized IPs are accepted but marked suspicious. -all (hardfail) means they are rejected. Start with ~all while auditing your sending sources, then move to -all once your SPF record is confirmed complete.
- My DMARC is set to p=none — is that a problem?
- Partially. p=none means no action is taken on emails that fail DMARC — they are delivered as normal. This provides no protection against spoofing. Move to p=quarantine or p=reject once you have audited your sending sources. Google and Yahoo consider p=none insufficient for bulk senders.
- I use Mailgun / SendGrid / Postmark — do I still need to configure these records?
- Yes. All email sending services require you to add DNS records to enable proper authentication. Mailgun, SendGrid, and Postmark each provide specific SPF includes and DKIM selectors — they do not configure your DNS for you. Check your service's domain verification docs, add the records, then use this validator to confirm.
- How long does it take for DNS changes to take effect?
- DNS propagation typically takes 15 minutes to 48 hours. Cloudflare propagates globally in 5–15 minutes. After making changes, wait at least 30 minutes before running the validator to see accurate results.
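The SPF and DMARC checks discussed above (the `all` qualifier, a `p=none` policy), as an added example that is not this validator's own code. The function names `audit_spf` and `audit_dmarc` are hypothetical, the sample records are constructed, and the multiple-record and 10-lookup checks go beyond the page and follow RFC 7208.

```python
# Added example: offline lint for SPF and DMARC TXT strings (no DNS queries made).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup (RFC 7208)

def _mech(term):
    # Mechanism name without its qualifier, argument or CIDR suffix.
    return term.lstrip("+-~?").split(":")[0].split("/")[0].lower()

def audit_spf(txt_records):
    """Findings for every TXT string published at the domain name."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["spf: no record"]
    if len(spf) > 1:
        return ["spf: multiple records (permanent error at receivers)"]
    terms = spf[0].split()[1:]
    redirects = [t for t in terms if t.lower().startswith("redirect=")]
    lookups = sum(_mech(t) in LOOKUP_MECHS for t in terms) + len(redirects)
    findings = []
    if lookups > 10:
        findings.append(f"spf: {lookups} DNS lookups, limit is 10")
    alls = [t for t in terms if _mech(t) == "all"]
    if not alls and not redirects:
        findings.append("spf: no 'all' mechanism")
    elif alls:
        q = alls[0][0] if alls[0][0] in "+-~?" else "+"  # bare "all" means "+all"
        if q in "+?":
            findings.append(f"spf: {q}all does not restrict unauthorized senders")
        elif q == "~":
            findings.append("spf: ~all is softfail; move to -all once sources are audited")
    return findings

def audit_dmarc(record):
    """Findings for the TXT string published at _dmarc.<domain>."""
    tags = [t.strip() for t in record.split(";") if t.strip()]
    if not tags or tags[0].replace(" ", "") != "v=DMARC1":
        return ["dmarc: record must start with v=DMARC1"]
    d = {k.strip().lower(): v.strip() for k, v in (t.split("=", 1) for t in tags if "=" in t)}
    policy = d.get("p", "").lower()
    findings = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc: missing or invalid p= tag")
    elif policy == "none":
        findings.append("dmarc: p=none takes no action on failing mail")
    if "rua" not in d:
        findings.append("dmarc: no rua= address, so no aggregate reports")
    return findings

# Constructed samples, not a real domain's records.
SAMPLE_TXT = ["site-verification=PLACEHOLDER", "v=spf1 include:sendgrid.net ~all"]
SAMPLE_DMARC = "v=DMARC1; p=none"
```

An empty list from either function means none of these checks fired; it does not confirm that the listed senders are the right ones.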