How to Check SPF, DKIM and DMARC DNS Records
SPF, DKIM and DMARC use DNS to publish email authentication policy. They live at different hostnames and answer different questions, so checking only the root-domain TXT records is not enough.
Check SPF at the sending domain
SPF is normally a TXT record at the domain used in the SMTP envelope-from address. A domain must not publish multiple records beginning with v=spf1.
dig example.com TXT +short
dig @1.1.1.1 example.com TXT +short
Check DKIM using the selector
DKIM records live below selector._domainkey. The selector is supplied by the email provider or visible in the DKIM-Signature header of a message.
dig selector1._domainkey.example.com TXT +short
dig google._domainkey.example.com TXT +short
Check DMARC at _dmarc
DMARC policy is published at _dmarc.example.com and begins with v=DMARC1. The p tag controls the requested treatment of mail that fails alignment.
dig _dmarc.example.com TXT +short
dig @8.8.8.8 _dmarc.example.com TXT +short
What to verify
- Exactly one SPF policy is published for the relevant domain.
- SPF include mechanisms reference active providers and stay below the ten-lookup limit.
- The DKIM selector matches the selector used by outgoing mail.
- The DKIM public key is complete and has not been split incorrectly by a DNS control panel.
- The domain authenticated by SPF or DKIM aligns with the visible From domain, and the DMARC record uses valid reporting addresses.
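Several of these checks can be scripted over the output of the dig commands above. The script below is an added example, not part of the original page: the function names and the sample answers are constructed, and spf_lookups counts only terms in the top-level record, so it is a lower bound on the ten-lookup limit.

```shell
#!/bin/sh
# Added example. Each function reads `dig +short <name> TXT` output on stdin,
# e.g.  dig example.com TXT +short | spf_count

# Join the quoted chunks dig prints for long TXT records; one record per line.
txt_join() {
  sed -e 's/"[[:space:]]*"//g' -e 's/^"//' -e 's/"$//'
}

# How many SPF policies the answer contains (anything other than 1 is an error).
spf_count() {
  txt_join | grep -Eci '^v=spf1( |$)' || true
}

# Lookup-causing terms in the top-level SPF record only (include, a, mx, ptr,
# exists, redirect). Nested includes add more, so this is a lower bound.
spf_lookups() {
  txt_join | grep -Ei '^v=spf1( |$)' | head -n 1 | tr -s ' ' '\n' |
    sed 's/^[-+~?]//' |
    grep -Eci '^(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))' || true
}

# Value of the DMARC p tag (none, quarantine or reject); empty if absent.
dmarc_policy() {
  txt_join | grep -Ei '^v=DMARC1[[:space:]]*;' | head -n 1 | tr ';' '\n' |
    sed -n 's/^[[:space:]]*p[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' | head -n 1
}

# DKIM p= value after the chunks are joined, for comparison with the provider's key.
dkim_key() {
  txt_join | tr ';' '\n' |
    sed -n 's/^[[:space:]]*p[[:space:]]*=[[:space:]]*//p' | tr -d ' \t' | head -n 1
}

# Constructed sample answers (not real records; the DKIM value is a placeholder).
SPF_ANSWER='"unrelated-verification=constructed"
"v=spf1 include:_spf.example.net include:mail.example.org a mx ip4:192.0.2.0/24 ~all"
"v=spf1 include:other.example.com -all"'
DMARC_ANSWER='"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'
DKIM_ANSWER='"v=DKIM1; k=rsa; p=QUJDREVG" "R0hJSktM"'

echo "SPF records:  $(printf '%s\n' "$SPF_ANSWER" | spf_count)"
echo "SPF lookups:  $(printf '%s\n' "$SPF_ANSWER" | spf_lookups)"
echo "DMARC policy: $(printf '%s\n' "$DMARC_ANSWER" | dmarc_policy)"
echo "DKIM key:     $(printf '%s\n' "$DKIM_ANSWER" | dkim_key)"
```

On the sample input the script reports two SPF records, which is the "Publishing two SPF records" mistake, and a DMARC policy of none, which only requests monitoring.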
Common mistakes
Looking for DKIM at the root domain
DKIM requires the provider-specific selector hostname.
Publishing two SPF records
Combine authorised senders into one v=spf1 policy.
Assuming p=none blocks spoofing
It requests monitoring, not quarantine or rejection.
Testing only local DNS
Cached TXT records can make provider verification fail in some regions.