Free Email Authentication Checker

Enter any domain to check its SPF, DMARC, MTA-STS and BIMI records — and, crucially, whether those policies are actually enforced or merely published — so you know whether the domain can be spoofed. Instant, free, no signup. Then let Merlonix watch your whole portfolio so a policy never silently weakens.

What is email authentication (SPF, DMARC, DKIM, MTA-STS, BIMI)?

Email authentication is a set of DNS records that let receiving mail servers verify that a message really came from your domain and wasn't forged. SPF lists which servers may send as your domain; DMARC tells receivers what to do with mail that fails checks (and whether to enforce it); MTA-STS forces inbound mail to be delivered over TLS; TLS-RPT collects reports of TLS failures; and BIMI displays your verified brand logo in the inbox once DMARC is enforced. Together they determine whether someone can send email that appears to come from you.

My domain has a DMARC record — why does this tool still flag it?

Publishing a DMARC record is only half the job. The p= policy decides what receivers do with forged mail: p=none is monitor-only, so mail servers still deliver messages that spoof your domain — you're published but unenforced, and still spoofable. Only p=quarantine or p=reject actually protects you. Most scanners report DMARC as simply "present" and miss this distinction. This checker parses the p=, sp= (subdomain) and pct= tags from your _dmarc record and tells you whether your policy is actually enforced.

What makes an SPF record weak even when it exists?

An SPF record that ends in +all authorizes the entire internet to send as your domain, and ~all (softfail) still lets receivers deliver unauthorized mail — only -all (hardfail) tells receivers to reject it. There's also a hard RFC 7208 limit of 10 DNS lookups: go over it and receivers hit a PermError and stop evaluating SPF entirely, so a record that looks fine silently stops working. Most free checkers report SPF as simply "present" and miss both problems. This tool reads the all-mechanism qualifier and counts your lookups.
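The two checks described above (DMARC enforcement and SPF strength), sketched as an added example; this is not Merlonix's code. It works on record text supplied in a dictionary that stands in for DNS answers, and the function names, verdict labels and sample domains are constructed for illustration.

```python
import re

# Terms that each cost one DNS lookup toward the RFC 7208 limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"([+\-~?]?)([a-z][a-z0-9]*)(?:[:=/](.*))?", re.I)

def spf_posture(domain, records, path=frozenset()):
    """Return (all_qualifier, lookup_count); `records` stands in for DNS TXT answers."""
    path = path | {domain}                      # loop guard for circular includes
    qualifier, lookups = None, 0
    for term in records.get(domain, "").split()[1:]:   # skip "v=spf1"
        m = TERM.fullmatch(term)
        if not m:
            continue
        qual, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name == "all":
            qualifier = qual                    # only this record's own "all" counts
        elif name in LOOKUP_TERMS:
            lookups += 1
            if name in ("include", "redirect") and arg and arg not in path:
                sub_qual, sub_count = spf_posture(arg, records, path)
                lookups += sub_count            # nested lookups share the same budget
                if name == "redirect" and qualifier is None:
                    qualifier = sub_qual        # redirect inherits the target's result
    return qualifier, lookups

def dmarc_posture(record):
    """Classify a _dmarc TXT value; the verdict labels are this example's own."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    p = tags.get("p", "none")           # assumption: a missing p is treated as monitor-only
    sp = tags.get("sp", p)              # sp falls back to p when absent
    pct = int(tags.get("pct", "100"))   # pct defaults to 100
    if p == "none":
        verdict = "unenforced"
    elif pct < 100 or sp == "none":
        verdict = "partial"
    else:
        verdict = "enforced"
    return {"p": p, "sp": sp, "pct": pct, "verdict": verdict}

# Constructed sample records (not real DNS data).
SAMPLE_SPF = {
    "example.test": "v=spf1 include:_spf.mail.test a mx ~all",
    "_spf.mail.test": "v=spf1 include:a.mail.test exists:%{i}.bl.mail.test -all",
    "a.mail.test": "v=spf1 ip4:192.0.2.0/24 -all",
}
```

A softfail qualifier or a lookup count above 10 from `spf_posture`, or any `dmarc_posture` verdict other than "enforced", corresponds to the "published but weak" cases this page describes.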

What are MTA-STS and TLS-RPT, and why do they matter?

MTA-STS (RFC 8461) lets a domain tell other mail servers "always use TLS when you deliver mail to me." Without it, a network attacker can strip encryption from inbound mail and read or alter it. But publishing the policy is only half the job: it must be in mode: enforce to actually block a downgrade — a testing policy is advisory. TLS-RPT (RFC 8460) is the companion record that collects reports when a sender hits a TLS failure. This tool checks whether your domain declares MTA-STS, whether its policy is actually enforced, and whether TLS-RPT is on — inbound mail-transport posture almost no free checker surfaces.

What is BIMI, and do I need it?

BIMI (Brand Indicators for Message Identification) is a DNS record that displays your verified brand logo next to your messages in supporting inboxes like Gmail and Apple Mail. It only works once DMARC is enforced, and to actually render the logo Gmail and Apple require a VMC (Verified Mark Certificate), referenced by the a= tag. It's optional — a brand-trust signal, not a security requirement — but almost no free checker reports whether you publish it or whether the VMC is present. This tool does.

How do I keep my email authentication from silently breaking?

A one-time check is a snapshot — adding a new mail vendor to SPF can push you over the 10-lookup limit, a migration can relax DMARC back to p=none, or an MTA-STS policy can lapse, and nobody notices until mail starts landing in spam or a spoofed message gets through. Claim the free Merlonix plan ($0, no credit card) to monitor a few domains continuously, or start a trial to watch your whole portfolio. Merlonix re-checks email-auth and DNS posture on a schedule and alerts you when a policy you relied on weakens.
