What does this tool check?

Five email-security records: MX (where mail goes), SPF (who is allowed to send as you), DMARC (what to do on auth failure), DKIM (cryptographic signature), and BIMI (logo display in inbox). The result includes a grade A to F and prioritized recommendations.

I left the DKIM selector blank. How does the tool find one?

We probe a short list of common DKIM selectors (`default`, `google`, `selector1`, `k1`, etc.) and stop at the first match. If your domain uses a custom selector that is not in the list, DKIM will be reported as 'UNKNOWN/MISSING' even when a record exists. To check a specific selector, fill it in (find it in the `s=` parameter of a DKIM-Signature header on any email sent from the domain).

My score is low / I got an F. What do I fix first?

DMARC missing is the biggest penalty (-40). Start with `v=DMARC1; p=none; rua=mailto:you@example.com` at `_dmarc. ` and watch the rua reports for a couple of weeks before tightening to `p=quarantine`. SPF missing is the next priority (-25). DMARC `p=none` itself is a light penalty (-10) because no enforcement happens, but it is the right starting policy while you tune SPF and DKIM.

What's BIMI and do I need it?

BIMI lets a verified, trademarked logo appear next to your messages in supporting clients (Gmail, Apple Mail, Yahoo). Requires DMARC at `p=quarantine` or `p=reject` to be honored. Nice-to-have for brands sending bulk mail, ignore it for personal domains. We surface the presence of a BIMI record but do not penalize for missing one.

My domain shows 'No-Email' or 'Parked'. What does that mean?

We classify domains by their MX records. 'No-Email' = explicit Null MX (`0 .`) or no MX at all, the domain cannot receive mail. 'Parked' = MX points at typical parking services. 'Forwarding' = MX points at email-forwarding providers (ImprovMX, Forward Email, Cloudflare Email Routing). 'Provider-managed' = MX is on a known provider (Google, Microsoft, Zoho, etc.). The classification changes which recommendations apply.

Free, no signup, rate-limited per IP. Each audit fires many DNS queries (MX, SPF with recursive includes, DMARC, around 20 DKIM selector probes, BIMI), so the rate limit protects shared infrastructure.

DNS

Mail Security

Complete email security audit

Input

Comprehensive audit of SPF, DMARC, DKIM, and BIMI protocols. Get a letter grade (A-F) and actionable advice to improve deliverability.

Terminal

Console ready. Execute a command to see output...

About Mail Security

Don't land in Spam

Modern email security relies on a trifecta of protocols to prove you are who you say you are. This tool checks them all to ensure your emails actually hit the Inbox.

Why it matters

Without these records, your emails look like phishing attempts.

Spoofing: Anyone can send an email saying it's from "[email protected]". SPF/DKIM prevent this.
Brand Reputation: If spammers abuse your domain, your legitimate emails will get blocked by Gmail and Outlook.
Deliverability: Properly authenticated emails have a much higher chance of bypassing the Spam folder.

The Protocols

SPF: "Who is allowed to send?" (List of IPs/Servers).
DKIM: "Was this tampered with?" (Digital Signature).
DMARC: "What to do if check fails?" (Policy: Reject/Quarantine).
BIMI: "Show my logo" (Brand Indicators for authenticated email).

How to use Mail Security

Enter the domain
example.com. The audit runs whether or not you fill the selector field.
(Optional) Fill in the DKIM selector
Look for the s= parameter in the DKIM-Signature header of any email this domain sends. If you do not know it, leave it blank, the tool will probe common selectors.
Hit Run Security Audit
The tool probes MX, SPF (with recursive include count), DMARC, DKIM, and BIMI in parallel.
Read the grade and recommendations
Each item has a one-line fix action. DMARC and SPF are the highest-impact fields, address them before chasing DKIM or BIMI.
Drill into individual records
For just MX use MX Lookup. For SPF / DMARC text use TXT Lookup (SPF on the apex, DMARC on _dmarc.<domain>, DKIM on <selector>._domainkey.<domain>). For nameserver checks use NS Lookup.

Frequently Asked Questions

: Five email-security records: MX (where mail goes), SPF (who is allowed to send as you), DMARC (what to do on auth failure), DKIM (cryptographic signature), and BIMI (logo display in inbox). The result includes a grade A to F and prioritized recommendations.