DNS Audit
Automated checks for SPF, DKIM, DMARC, MX, BIMI, and reverse DNS — with pass/fail results and specific fix recommendations.
Email authentication lives in DNS, and providers check it on every message you send. The DNS audit inspects the six records that matter, tells you exactly what it found, and gives you a specific fix for anything broken.
What gets checked
| Check | What it verifies |
|---|---|
| SPF | Your domain publishes a valid SPF record authorizing your sending servers |
| DKIM | Signing keys are published under common selectors so recipients can verify your signatures |
| DMARC | A policy record exists telling providers what to do with mail that fails SPF/DKIM |
| MX | Your domain has valid mail exchanger records and can receive mail |
| BIMI | A brand indicator record exists (optional, but signals a mature setup) |
| Reverse DNS (PTR) | Your sending IP resolves back to a hostname |
Reading the results
Each check returns one of four statuses, along with the actual value found in DNS and a specific recommendation:
| Status | Meaning |
|---|---|
| Pass | The record exists and is configured correctly |
| Warning | The record exists but has a weakness — for example, a permissive DMARC policy or an overly broad SPF include |
| Fail | The record exists but is broken — a syntax error, a lookup limit exceeded, a conflicting duplicate |
| Missing | No record found at all |
The overall score weights all checks equally, and it feeds the DNS health component of your reputation score at 20%.
SPF, DKIM, and DMARC are the ones providers enforce. Treat a fail or missing on any of those three as urgent. BIMI is a nice-to-have; a missing BIMI record won't hurt your placement.
Applying the fixes
Every failing or missing check comes with a fix recommendation — typically the exact record to add or the change to make. The workflow:
- Copy the recommended record from the audit result.
- Add or edit it in your DNS provider's control panel (wherever your domain's nameservers are managed).
- Wait for propagation. Most changes are visible within minutes, but TTLs can delay it up to a few hours.
- Re-run the audit to confirm the check passes. Don't assume — DNS is easy to typo, and a stray quote or duplicate record will keep a check failing.
Never publish two SPF records on the same domain. Multiple SPF records cause a permanent SPF failure at every receiver. If you need to authorize a new sender, merge it into your existing record instead.
The free public checker
The same audit is available as a free public tool at /tools/spf-dkim-dmarc-checker — no login required. It's rate-limited and results aren't stored, which makes it handy for quickly checking a client's domain or verifying a fix from any machine. Inside the app, audits are tied to your mailboxes and tracked over time, so problems show up in your reputation history instead of disappearing when you close the tab.
Run a DNS audit before you start warming a new mailbox. Warmup builds reputation on top of your authentication setup — fixing SPF or DKIM after two weeks of warming means some of that effort was spent sending partially unauthenticated mail.