/mail

Email Authentication Analyzer

Analyze SPF, DKIM, and DMARC records for any domain. Graded A+ to F.

Analyze SPF, DKIM, and DMARC DNS records to identify email authentication weaknesses, enforcement gaps, and deliverability risks. No email access required — passive DNS analysis only.

About Email Authentication

What are SPF, DKIM, and DMARC?

SPF, DKIM, and DMARC are DNS-based email authentication standards. SPF specifies which mail servers are authorized to send email for a domain. DKIM adds a cryptographic signature to outgoing email that receiving servers can verify. DMARC ties SPF and DKIM together with a policy that tells receivers what to do when authentication fails — report, quarantine, or reject. Together they prevent email spoofing and domain impersonation.

What is DMARC and why is p=none not enough?

DMARC lets domain owners publish a policy for what receiving mail servers should do when authentication fails. p=none means monitor only — no action taken, spoofed emails still reach recipients. p=quarantine sends failing mail to spam. p=reject blocks it entirely. A domain is only protected against impersonation when DMARC is at p=quarantine or p=reject with correct SPF and DKIM alignment.

Can my domain be spoofed without DMARC?

Yes. Without DMARC (or with DMARC at p=none), attackers can send email that appears to come from your domain and most mail servers will deliver it. SPF alone is insufficient because it checks the envelope sender, not the From: header users see. DKIM alone is insufficient because it can be stripped or signed with a different domain. DMARC at p=reject with correct alignment is the only configuration that reliably blocks domain spoofing.

What does DKIM alignment mean?

DKIM alignment means the domain in the DKIM d= tag must match (or be a subdomain of) the domain in the email’s From: header. Without alignment, an attacker can sign an email with their own valid DKIM key while spoofing your domain in the From header. DMARC enforces alignment — either strict (exact match) or relaxed (subdomain match). A passing DKIM signature from a non-aligned domain does not satisfy DMARC.

What does this tool analyze?

ShieldScope performs passive DNS lookups for SPF (TXT record at root domain), DMARC (TXT record at _dmarc.domain), and DKIM (TXT records at common selectors). Each record is evaluated for policy correctness: SPF for authorized senders and overly permissive mechanisms; DMARC for enforcement level, alignment mode, and reporting configuration; DKIM for key publication and validity. No email access or account is required.