Free Domain DNS Checker

Inspect MX, SPF, DKIM, and DMARC records for any domain. Enter a domain below and get instant results -- no account required.

Check DNS Records for Any Domain

Free to use. No sign-up needed. We query DNS records in real time for any domain.

What We Check

Every lookup queries live DNS records for the domain you specify

MX Records

Mail Exchange records tell other mail servers where to deliver email for your domain. Without valid MX records, your domain cannot receive any email at all. We display each mail server along with its priority value so you can confirm the routing order is correct.

SPF Records

Sender Policy Framework records list the mail servers authorized to send email on behalf of your domain. A properly configured SPF record helps prevent spammers from forging your domain in the From address and improves inbox placement rates.

DKIM Records

DomainKeys Identified Mail adds a cryptographic signature to outgoing messages. The receiving server uses your public DKIM key published in DNS to verify that the message was not altered in transit and that it genuinely originated from your domain.

DMARC Records

Domain-based Message Authentication, Reporting and Conformance ties SPF and DKIM together with an enforcement policy. DMARC tells receiving servers what to do when a message fails authentication -- reject it, quarantine it, or take no action.

Understanding DNS Records for Email Deliverability

DNS records are the foundation of email routing and authentication on the internet. Every time someone sends an email, the sending server queries DNS to determine where to deliver the message and the receiving server queries DNS to verify that the sender is authorized. When these records are misconfigured or missing entirely, email delivery fails, messages land in spam folders, and your domain becomes vulnerable to spoofing attacks. This free domain DNS checker lets you inspect all of the critical email-related DNS records for any domain in seconds.

For businesses that depend on email for communication, sales outreach, transactional notifications, or marketing campaigns, correctly configured DNS records are not optional. They directly affect whether your messages reach the inbox or disappear into the void. Understanding what each record type does and how they work together is essential for anyone managing a domain or responsible for email deliverability.

MX Records: The Mail Routing Foundation

MX (Mail Exchange) records are the most fundamental DNS records for email. They tell the outside world which mail servers are responsible for accepting email on behalf of your domain. When someone sends an email to user@yourdomain.com, their mail server performs a DNS lookup for the MX records of yourdomain.com. The response contains one or more mail server hostnames along with priority values. The sending server attempts delivery to the highest-priority server first and falls back to lower-priority servers if the primary is unavailable.

A domain without MX records cannot receive email at all. If your MX records point to a server that is offline or misconfigured, inbound email will bounce. It is important to verify that your MX records resolve to active mail servers and that the priority values reflect the correct failover order. If you use a hosted email service like Google Workspace or Microsoft 365, they provide specific MX records that must be added to your domain's DNS configuration. Our tool lets you confirm these records are set up correctly. For comprehensive email health analysis, try our free email verification tool which checks individual addresses against live mail servers.

SPF Records: Authorizing Your Senders

SPF (Sender Policy Framework) is a DNS-based authentication mechanism that specifies which mail servers are allowed to send email on behalf of your domain. It is published as a TXT record in your domain's DNS. When a receiving server gets an email claiming to come from your domain, it checks your SPF record to see if the sending server's IP address is on the authorized list. If it is not, the message may be marked as spam or rejected outright.

An SPF record typically starts with "v=spf1" followed by a series of mechanisms that define authorized sources. These can include specific IP addresses, IP ranges, references to other domains (using the "include" mechanism for services like Google or Mailchimp), and a final qualifier that specifies how to treat unauthorized senders. The most common qualifiers are "-all" (hard fail, reject unauthorized senders), "~all" (soft fail, accept but mark), and "?all" (neutral, take no action). A strict "-all" policy provides the strongest protection against spoofing.

Getting SPF right is critical because many email providers weigh SPF results heavily in their spam filtering decisions. If you send email from multiple sources -- your own mail server, a marketing platform, a transactional email service, and a CRM -- all of those sources must be included in your SPF record. Missing even one authorized sender can cause legitimate mail to fail SPF checks. However, SPF has a limit of 10 DNS lookups, so including too many sources can also cause failures. Review our documentation for guidance on optimizing your DNS configuration.

DKIM Records: Cryptographic Message Signing

DKIM (DomainKeys Identified Mail) adds a layer of cryptographic authentication to your outgoing email. When your mail server sends a message, it attaches a digital signature in the email header using a private key that only you possess. The corresponding public key is published in your domain's DNS as a TXT record under a specific selector subdomain. The receiving server retrieves this public key and uses it to verify that the signature is valid, confirming that the message content has not been tampered with and that the message genuinely originated from your domain.

DKIM is particularly valuable because it survives email forwarding, which SPF does not. When a message is forwarded, the sending IP changes and SPF may fail, but the DKIM signature embedded in the message itself remains intact. This makes DKIM an important complement to SPF rather than a replacement. Most email service providers generate DKIM keys for you and provide the DNS records you need to publish. You can use this tool to verify that your DKIM public key is properly published and accessible.

DMARC Records: Tying It All Together

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer that sits on top of SPF and DKIM. It tells receiving mail servers what to do when a message claiming to come from your domain fails both SPF and DKIM authentication. DMARC is published as a TXT record at _dmarc.yourdomain.com and contains a policy directive along with optional reporting addresses.

The three DMARC policy levels are: "none" which monitors without taking action and is suitable for initial deployment, "quarantine" which sends failing messages to the spam folder, and "reject" which instructs receiving servers to refuse the message entirely. A "reject" policy provides the strongest protection against phishing and spoofing but should only be implemented after you have confirmed that all legitimate email sources pass SPF and DKIM. Many organizations start with "none" to collect reporting data, then gradually move to "quarantine" and finally "reject" as they gain confidence in their configuration.

DMARC also supports aggregate and forensic reporting, which means receiving servers can send you reports about emails that pass or fail authentication checks. These reports are invaluable for identifying unauthorized senders using your domain and for troubleshooting configuration issues. If you are managing multiple domains, automated monitoring becomes essential. Check our pricing plans for domain monitoring options that track your DNS health continuously.

Why All Four Records Matter Together

No single DNS record provides complete email security on its own. MX records handle routing, SPF authorizes senders by IP address, DKIM verifies message integrity through cryptographic signatures, and DMARC enforces policy when authentication fails. Together, they create a layered defense that protects your domain from abuse while maximizing the chances that your legitimate email reaches the inbox.

Major email providers including Gmail, Yahoo, and Microsoft now require DMARC, SPF, and DKIM for bulk senders. As of 2024, Google and Yahoo enforce strict authentication requirements for anyone sending more than 5,000 messages per day to their users. Domains that lack proper authentication records will see their messages rejected or filtered to spam. This makes DNS record verification a routine part of email operations, not an occasional audit. Whether you are checking a single domain or managing hundreds, our tool provides the visibility you need to stay on top of your configuration. For individual email address verification, use our email verification tool alongside this DNS checker for complete coverage.

Common DNS Misconfigurations

  • Missing SPF record: Without an SPF record, any server can send email pretending to be your domain. This is the most common gap in email authentication.
  • SPF too permissive: Using "+all" or "?all" instead of "-all" or "~all" effectively disables SPF protection because it allows any server to pass the check.
  • Exceeding SPF lookup limit: SPF allows a maximum of 10 DNS lookups. If your record includes too many external services, lookups beyond the limit cause a permanent error (permerror), and SPF fails entirely.
  • DKIM selector not published: If your mail server signs messages with DKIM but the public key is not published in DNS, receiving servers cannot verify the signature and the check fails.
  • DMARC set to none indefinitely: A "p=none" policy provides no protection against spoofing. It is meant for monitoring during initial setup, not as a permanent configuration.
  • MX records pointing to decommissioned servers: After migrating email providers, old MX records left in DNS will cause delivery failures for inbound mail.

Running regular DNS checks catches these issues before they affect your email delivery. For teams managing email infrastructure at scale, our blog covers best practices for DNS management, authentication setup, and deliverability optimization.

Monitor Your Domains Automatically

Create a free account to set up ongoing DNS monitoring for your domains. Get alerts when records change, configurations break, or authentication fails. No credit card required.

Sign Up Free View Pricing

Domain DNS Checker FAQ

Common questions about DNS records and email authentication

At a minimum, your domain needs MX records to receive email. MX records tell other mail servers where to deliver messages addressed to your domain. For proper email authentication and to maximize deliverability, you should also configure SPF, DKIM, and DMARC records. SPF authorizes which servers can send on your behalf, DKIM provides cryptographic verification, and DMARC sets the enforcement policy. Major providers like Gmail and Yahoo now require all three for bulk senders. Use this tool to check whether your records are properly configured, and visit our documentation for setup guidance.

The recommended approach is to start with a "none" policy while you monitor authentication results using DMARC aggregate reports. Once you confirm that all legitimate email sources pass SPF and DKIM, move to "quarantine" to send failing messages to spam. After further monitoring confirms no legitimate mail is being affected, upgrade to "reject" for maximum protection against spoofing and phishing. The entire process typically takes two to four weeks per stage. Never jump straight to "reject" without monitoring first, as misconfigured legitimate sources will have their email blocked.

The most common cause of unexpected SPF failures is exceeding the 10-DNS-lookup limit. Each "include" mechanism, "a" mechanism, "mx" mechanism, and "redirect" modifier in your SPF record triggers a DNS lookup. If your record includes multiple external services (Google Workspace, Mailchimp, Salesforce, etc.), the lookup count can exceed the limit. When this happens, the SPF check returns a permanent error and the entire record is treated as if it does not exist. You can resolve this by consolidating include statements, using IP addresses directly where possible, or using an SPF flattening service. Another common issue is having multiple SPF records -- a domain must have exactly one SPF TXT record.

The DKIM selector is a label that identifies which DKIM key to use, since a domain can have multiple DKIM keys for different services. To find your selector, open the raw headers of an email sent from your domain and look for the "DKIM-Signature" header. The "s=" tag in that header contains the selector value. Common selectors include "google" or "20230601" for Google Workspace, "selector1" and "selector2" for Microsoft 365, and "k1" for Mailchimp. Once you know the selector, enter it along with your domain in this tool to verify the DKIM public key is correctly published in DNS.

You should check your DNS records any time you make changes to your email infrastructure -- switching providers, adding a new sending service, or updating your DMARC policy. Beyond that, a monthly manual check is a reasonable baseline for most organizations. For domains that send high volumes of email or are frequently targeted by spoofing, automated daily monitoring is strongly recommended. DNS changes can propagate in unexpected ways, and a misconfiguration can go unnoticed for days before delivery problems become apparent. Create a free account to set up automated monitoring and receive alerts when your records change.