Free tool
Email Protection Checker
Check a domain's MX, SPF, and DMARC records in seconds and see exactly what to fix.
What this tool checks
Email runs on a trust model that was not designed to be secure. By default, any server on the internet can send a message claiming to be from your domain. Three DNS records — SPF, DKIM, and DMARC — are how you close that gap. This email protection checker performs live DNS lookups for the records that matter and explains, in plain English, what each result means.
MX — where your mail is delivered
MX (Mail Exchange) records tell the world which servers accept mail for your domain. They don't stop spoofing on their own, but they confirm your mail flow is configured and point to the provider that should be aligned with your SPF and DMARC settings.
SPF — who is allowed to send as you
An SPF record is a single TXT entry beginning with v=spf1 that lists the IP addresses and providers authorized to send email for your domain. The most important part is the ending: -all (hard fail) tells receivers to reject unlisted senders, while ~all (soft fail) only marks them suspicious and +all disables protection entirely.
DMARC — the policy that makes it enforceable
DMARC lives at _dmarc.yourdomain.com and is what turns SPF and DKIM from advisory into enforceable. A policy of p=none only monitors; p=quarantine sends failing mail to spam; p=reject blocks it outright. The rua= tag asks mailbox providers to send you aggregate reports — which you can read with our DMARC Report Analyzer.
How to read your results
Each card shows a status: Pass means the record is present and healthy, Needs work flags a weakness worth tightening, and Action needed marks a missing or broken record that leaves you exposed. The overall grade is a quick summary — aim for an A by publishing SPF with -all, DKIM signing on your mail provider, and DMARC at p=reject with reporting enabled.
Frequently asked questions
What is email protection?
Email protection is the set of DNS records — SPF, DKIM, and DMARC — that let receiving mail servers verify that a message really came from your domain. Without them, anyone can send email that appears to be from you, which is how phishing and business-email-compromise attacks succeed.
What does SPF do?
SPF (Sender Policy Framework) is a DNS TXT record that lists the servers allowed to send mail for your domain. When a server receives a message, it checks whether the sending IP is on your SPF list. End your record with -all to tell receivers to reject everything else.
What does DMARC do?
DMARC ties SPF and DKIM together and tells receivers what to do when a message fails: monitor (p=none), quarantine (p=quarantine), or reject (p=reject). It also asks receivers to send you aggregate reports so you can see who is sending mail as your domain.
Why is my domain showing no SPF or DMARC record?
It usually means the records were never published. You add them at your DNS provider as TXT records — SPF at your root domain and DMARC at _dmarc.yourdomain.com. New records can take up to a few hours to propagate before this tool sees them.
Is this email protection checker free?
Yes. This DNS lookup tool is free and runs entirely on public DNS data — there's no sign-up and nothing is stored. It's part of Confidanti's free security toolkit.
Keep going
DMARC Report Analyzer →
Turn the aggregate XML reports your domain receives into a readable summary.
Who can send email as you? →
The plain-English guide to SPF, DKIM, and DMARC and why they matter.
All free tools →
Browse Confidanti's free DNS and email-security utilities.
Get ongoing protection →
Continuous monitoring, phishing defense, and incident response in one plan.