/tools/spf-dmarc checks a domain’s email authentication setup in one shot.
For each domain, in parallel:
- SPF — fetches the `v=spf1` TXT record, parses the mechanisms (`include:`, `a`, `mx`, `ip4:`, `exists:`, …) and the `all` qualifier, warns if there are more than 10 lookups (RFC 7208 limit) or if you’ve left `+all` open.
- DMARC — fetches `_dmarc.<domain>` TXT, parses `p=`, `sp=`, `pct=`, `rua=`, `ruf=`. Warns when the policy is `none` (monitor-only), when `pct<100` partially enforces, when no `rua=` means you’re flying blind on aggregate reports.
- DKIM — brute-force probes about 30 common selector names (`default`, `google`, `selector1/2`, `mailgun`, `sendgrid`, `brevo`, `mandrill`, `scph0820`, …) on `<selector>._domainkey.<domain>`. Lists every one that resolves with the detected key type. The tool will miss custom selectors — if your mailer uses something exotic, that’s currently reported as “no DKIM found”.
A 0-100 score aggregates the three: SPF presence ×30, DMARC policy ×15/30/40 depending on none/quarantine/reject, DKIM presence ×30. Score is colour-coded with the warning list right below.
Powered by hickory-resolver against Cloudflare’s recursive resolvers — all five lookups (SPF + DMARC + ~30 DKIM) fire concurrently, response usually under a second.
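
The SPF checks described above (lookup count and the `all` qualifier), sketched as an added example; this is not the tool's own code, and `audit_spf` and `SpfAudit` are hypothetical names. It counts only the terms of one record that RFC 7208 charges a DNS lookup for (`include`, `a`, `mx`, `exists`, `ptr`, `redirect=`); a full count also has to follow each `include` and `redirect`, which needs DNS and is left out here.

```rust
// Added example: static audit of a single SPF record (no DNS, no include recursion).
#[derive(Debug, PartialEq)]
pub struct SpfAudit {
    pub lookups: usize,              // top-level terms that each cost a DNS lookup
    pub all_qualifier: Option<char>, // '+', '-', '~', '?', or None without an `all`
    pub warnings: Vec<String>,
}

pub fn audit_spf(record: &str) -> Option<SpfAudit> {
    let mut terms = record.split_ascii_whitespace();
    // A TXT record that does not start with the version tag is not SPF.
    if !terms.next()?.eq_ignore_ascii_case("v=spf1") {
        return None;
    }
    let mut audit = SpfAudit { lookups: 0, all_qualifier: None, warnings: vec![] };
    for term in terms {
        let lower = term.to_ascii_lowercase();
        // Modifiers are `name=value`; of these only `redirect=` costs a lookup.
        if lower.starts_with("redirect=") {
            audit.lookups += 1;
            continue;
        }
        // A mechanism may carry a qualifier; when absent it defaults to '+'.
        let (qualifier, mech) = match lower.chars().next() {
            Some(q @ ('+' | '-' | '~' | '?')) => (q, &lower[1..]),
            _ => ('+', lower.as_str()),
        };
        // The name ends at ':' (domain or IP argument) or '/' (CIDR length).
        let name = mech.split(|c: char| c == ':' || c == '/').next().unwrap_or("");
        match name {
            "include" | "a" | "mx" | "exists" | "ptr" => audit.lookups += 1,
            "all" => audit.all_qualifier = Some(qualifier),
            _ => {} // ip4, ip6 and other modifiers need no lookup
        }
    }
    if audit.lookups > 10 {
        audit.warnings.push(format!("{} lookups, RFC 7208 allows 10", audit.lookups));
    }
    if audit.all_qualifier == Some('+') {
        audit.warnings.push("+all: any sender passes SPF".to_string());
    }
    Some(audit)
}

fn main() {
    // Constructed sample record, not a real domain's policy.
    let audit = audit_spf("v=spf1 include:_spf.example.net mx ip4:192.0.2.0/24 all");
    println!("{:?}", audit);
}
```

A bare `all` carries the default `+` qualifier, so the sample record is flagged exactly like an explicit `+all`.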