Email Records Check
Consolidated MX, SPF, DMARC, and DKIM-selector lookup for an email domain.
Monitor this automatically
NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.
Start monitoring free → See all monitoring productsFrequently Asked Questions
What records does this tool check?
It checks four email authentication records: MX — which servers receive mail; SPF — which servers are authorised to send (TXT record); DMARC — policy for handling authentication failures; and DKIM — public keys for verifying message signatures, looked up by selector.
What is SPF and how does it prevent spam?
SPF (Sender Policy Framework) is a DNS TXT record listing servers authorised to send email for your domain: v=spf1 include:_spf.google.com ~all. Receiving servers check if the sending IP is in this list. SPF alone isn't enough — combine it with DKIM and DMARC for full email authentication.
What is DKIM and why does the selector matter?
DKIM signs outbound messages with a private key; receivers look up the public key in DNS at selector._domainkey.example.com. The selector is chosen by your sending service — Google Workspace uses google, SendGrid uses s1/s2. You must enter the correct selector to verify DKIM; your email provider's documentation lists it.
What does DMARC 'alignment' mean?
DMARC passes when the domain in the email's From header aligns with either the SPF-authenticated domain (envelope sender) or the DKIM-signed domain. Relaxed alignment (the default) allows subdomains; strict requires an exact match. If neither SPF nor DKIM aligns with the From domain, DMARC fails even if both pass independently.
My SPF has 'too many DNS lookups' — how do I fix it?
SPF limits DNS lookups to 10. Each include:, a, mx, or redirect mechanism counts toward this limit. Exceeding it causes permerror, which many receivers treat as a hard fail. Flatten your SPF by replacing nested include: chains with explicit IP ranges using ip4: / ip6: mechanisms.