Understanding Email Authentication
SPF, DKIM, and DMARC are three email authentication technologies designed to prevent email spoofing (phishing).
Since February 2024, Google has enforced stricter Gmail sender guidelines, making these configurations essential
for all email senders.
SPF (Sender Policy Framework)
SPF allows domain owners to declare which mail servers are authorized to send email on their behalf via DNS TXT
records. Receiving servers check the sender's IP against the SPF record to detect unauthorized sources.
- include: Reference another domain's SPF policy
- ip4 / ip6: Allow specific IP addresses
- -all: Reject all other sources (recommended)
Important: SPF DNS lookups are limited to 10. Exceeding this causes PermError and authentication
failure.
DKIM (DomainKeys Identified Mail)
DKIM uses public key cryptography to digitally sign emails, proving the message hasn't been tampered with in
transit. The public key is published as a DNS record under selector._domainkey.domain.
- Selector: Names the specific key (e.g., google, selector1)
- Key length: 2048 bits or more recommended
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC builds on SPF and DKIM by defining what happens when authentication fails.
- p=none: Monitor only (good for initial deployment)
- p=quarantine: Send to spam folder
- p=reject: Block delivery (most secure)
Gmail Sender Guidelines Compliance
Since February 2024, Google requires all senders to authenticate their email with SPF or DKIM. Bulk senders
(5,000+ messages/day to Gmail) have additional requirements:
- Both SPF and DKIM must be configured
- DMARC record must be published (at minimum p=none)
- From header domain must align with SPF or DKIM domain
- Support one-click unsubscribe
- Maintain spam rate below 0.3%
If all three checks show ✓ in this tool, your domain meets Gmail's authentication requirements.
FAQ
What is the SPF lookup limit?
SPF allows a maximum of 10 DNS lookups. include, a, mx, ptr,
exists, and redirect each count as one lookup. Exceeding this causes PermError.
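The lookup budget can be checked before a record is published. The following Python is an added example, not code from this tool: it follows include and redirect targets and returns the worst-case number of lookups, raising an error where a receiver would return PermError. The zone contents, domain names and function names are constructed for illustration, and the separate void-lookup and per-mx limits of RFC 7208 are not modeled.

```python
import re

LOOKUP_LIMIT = 10
# Terms that trigger a DNS query during SPF evaluation (the list given above).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample data: domain -> SPF TXT record, standing in for live DNS.
SAMPLE_ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:_spf.crm.example a mx -all",
    "_spf.mail.example": "v=spf1 include:_netblocks.mail.example ip4:192.0.2.0/24 ~all",
    "_netblocks.mail.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.crm.example": "v=spf1 a:out1.crm.example a:out2.crm.example "
                        "exists:%{i}.rbl.crm.example mx ptr -all",
    # One more include on top of example.com tips the total over the limit.
    "newsletter.example": "v=spf1 include:example.com -all",
}


class SPFPermError(Exception):
    """Raised where a receiving server would return PermError."""


def count_lookups(domain, zone, _counter=None):
    """Worst-case count of DNS-querying terms reachable from domain's SPF record."""
    counter = _counter if _counter is not None else [0]
    record = zone.get(domain, "")
    if record.lower().split()[:1] != ["v=spf1"]:
        raise SPFPermError(f"no SPF record at {domain}")
    for raw in record.split()[1:]:
        term = raw.lstrip("+-~?").lower()           # drop the qualifier
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/]+))?", term)
        if not m:
            raise SPFPermError(f"syntax error in term {raw!r}")
        name, target = m.groups()
        if name not in LOOKUP_TERMS:
            continue                                # ip4, ip6, all, exp= cost nothing
        counter[0] += 1
        if counter[0] > LOOKUP_LIMIT:
            raise SPFPermError(f"more than {LOOKUP_LIMIT} lookups, at {raw!r} in {domain}")
        if name in ("include", "redirect"):
            count_lookups(target, zone, counter)    # nested records share one budget
    return counter[0]


if __name__ == "__main__":
    print("example.com:", count_lookups("example.com", SAMPLE_ZONE))
    try:
        count_lookups("newsletter.example", SAMPLE_ZONE)
    except SPFPermError as err:
        print("newsletter.example: PermError:", err)
```

Because nested records share the same budget, a third-party include can push a domain over the limit without any change to the domain's own record.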
What is a DKIM selector?
A DKIM selector identifies which public key to use for verifying the email signature. Different email services
use different selectors. The record is published at selector._domainkey.domain.
Is p=none sufficient for DMARC?
No. p=none only monitors without taking action. Gradually strengthen to quarantine then
reject for full protection.
What DKIM key length should I use?
2048 bits or more. 1024-bit keys are vulnerable to future attacks. Google Workspace uses 2048-bit keys by
default.
Is this tool safe to use?
Yes. This tool only queries publicly available DNS records. No email content or passwords are accessed, and
domain names are not stored.