Enter your domain once and we check SPF, DKIM, DMARC, BIMI, and the SURBL domain blacklist together, then score your setup from 0 to 100. It runs free in your browser over DNS-over-HTTPS, auto-detects your DKIM selector, and stores nothing.
This is a single scan across the five DNS signals mailbox providers weigh before they trust your mail. It reads your SPF record, finds your DKIM key by probing the common provider selectors, reads your DMARC policy, checks for a BIMI logo record, and looks your domain up on the SURBL domain blacklist. Each result is graded and rolled into one score, with the authentication records (SPF, DKIM, DMARC) carrying the most weight because they decide whether Gmail, Yahoo, and Microsoft accept your mail under their 2024 and 2025 bulk sender rules. Every lookup is read-only and runs entirely in your browser, so nothing is written to your DNS and nothing is stored on our side. Use it as a fast first pass, then open any single check for the full detail.
The score is weighted across the checks we can conclusively assess. SPF, DKIM, and DMARC carry the most weight because they determine whether receivers trust your mail. A passing check scores full marks, a warning scores half, and a failure scores zero. Checks we cannot assess, such as an optional BIMI record you have not published or a DKIM key under a custom selector we cannot guess, are marked informational and left out of the score rather than counted against you.
These three authentication records are the core. SPF lists who may send for your domain, DKIM signs your messages, and DMARC tells receivers what to do when the first two fail alignment. Gmail, Yahoo, and Microsoft now require them for bulk senders, so a gap here is the first thing to fix.
DKIM is published per selector, not per domain, so we probe a list of common provider selectors (google, selector1, k1, s1, and more). If your domain uses a custom selector we cannot guess, the result reads 'not detected', which is inconclusive rather than a confirmed failure, so it is left out of the score. Open the DKIM checker to enter your exact selector.
BIMI is the optional brand logo record that supporting inboxes show next to your mail. It only works once DMARC is at enforcement, so it is best treated as a finishing touch after the core records pass. If you have not published a BIMI record, it is marked optional and left out of the score.
We check whether your domain appears on SURBL, a list that email filters use to score the links inside a message. A listing can hurt delivery for every message that mentions your domain, even from a clean sending IP.
A record exists but the policy only monitors, so spoofed mail is never blocked and your score is capped. Use the aggregate reports from your rua= address to confirm your legitimate senders pass, then move to p=quarantine and eventually p=reject.
If you sign with a custom or provider-specific selector (Amazon SES tokens and HubSpot hashes cannot be guessed), the scan will not find it. This is not proof DKIM is missing. Read the s= value from a real DKIM-Signature header and check it directly in the DKIM checker.
An SPF record that ends in +all authorizes everyone, and one with no all mechanism is incomplete. Both weaken or disable SPF. End the record with -all for a hard fail, or ~all while you confirm every legitimate source.
Clean SPF, DKIM, and DMARC will not save you if your domain is listed on SURBL, usually from spam links or a compromised site. Find and fix the cause, then file the SURBL removal form once the abuse has stopped.
