Email deliverability check.
Paste any domain and see SPF, DMARC, DKIM, and MX records in one place. Pass, warn, or fail per record with the specific reason and how to fix. Runs in your browser via DNS-over-HTTPS, nothing is logged.
via Google DNS-over-HTTPS
· try one of these
What this checks
Four DNS-based email authentication signals, in parallel. Each has its own pass / warn / fail badge with a plain- English finding underneath. Below the badges, you see the raw record values so you can sanity-check or copy them.
SPF checker
Reads the TXT records on your apex domain, finds the one starting with v=spf1, parses out the mechanisms, counts DNS lookups (the spec caps this at 10), and grades the default policy. Permissive (+all, ?all) gets a fail. Strict (-all) gets a pass. Soft (~all) gets a warning to tighten once you're confident.
DMARC checker
Reads the TXT record at _dmarc.yourdomain.com. Reports policy (none / quarantine / reject), subdomain policy if different, coverage percentage, and aggregate-report destination. p=none gets a warning (monitoring only, no enforcement). p=reject gets a pass.
DKIM checker
DKIM uses domain-specific selectors that aren't DNS-discoverable, so the checker probes 25 common ones in parallel (google, selector1, selector2, mail, k1, s1, s2, dkim, mandrill, mailgun, sendgrid, mailchimp, etc.). If none resolve, that doesn't prove DKIM is missing, just that your selector isn't in the common set. Check your email provider's setup docs for the specific selector to verify.
MX records
Lists the mail servers your domain hands inbound mail to, in priority order. Useful for confirming your provider switch worked, or that an outbound-only domain isn't accidentally accepting bounces.
Why this matters in 2026
Gmail and Yahoo's February 2024 sender requirements made SPF, DKIM, and DMARC mandatory for bulk senders (5,000+ messages a day to Gmail). Microsoft 365 followed with similar enforcement. Apple Mail Privacy Protection made open rates unreliable, so deliverability is now measured by inbox placement, which depends almost entirely on authentication.
For a domain that sends transactional mail (password resets, receipts), missing or misconfigured authentication is a customer-experience bug, the mail just doesn't arrive. For marketing senders, it's a deliverability tax: every percentage point of inbox placement lost shows up in your engagement numbers.
How the lookup works
The checker calls Google's public dns.google/resolve endpoint over HTTPS, directly from your browser. There is no Briskly server in the loop, no logging, no domain tracking. The only thing persisted is your last-checked domain, in your browser's localStorage, so it repopulates on the next visit.
FAQ
What is SPF and why does email need it?
SPF (Sender Policy Framework) is a TXT DNS record that lists which mail servers are authorised to send mail for your domain. Without it, anyone can spoof mail from your domain and recipients have no way to detect it. Modern mail receivers (Gmail, Microsoft, Yahoo) treat missing or permissive SPF as a strong spam signal.
What's the difference between SPF, DKIM, and DMARC?
SPF says 'these IPs can send mail as us'. DKIM cryptographically signs each message so the receiver can verify it wasn't altered in transit. DMARC ties them together: it tells receivers what to do (none / quarantine / reject) when a message fails both SPF and DKIM, and where to send aggregate reports so you can see who's spoofing you. You need all three for modern deliverability; SPF and DKIM alone leave gaps.
Why is my SPF record failing the lookup limit?
SPF has a hard limit of 10 DNS lookups per evaluation (RFC 7208). Each include:, a:, mx:, exists:, redirect= mechanism counts as a lookup. Many SaaS providers (SendGrid, Mailgun, Salesforce, etc.) push you past this limit when you stack multiple. Fixes: consolidate via subdomain delegation, flatten includes via a service like EasyDMARC's flattening, or remove unused senders.
What DKIM selector do I use?
DKIM selectors are domain-specific and depend on your email provider. Google Workspace uses 'google'. Microsoft 365 uses 'selector1' and 'selector2'. SendGrid uses random per-domain selectors like 's1' and 's2'. There's no DNS-discoverable list, so you have to look in your provider's DKIM setup docs. The checker above tests 25 common selectors in parallel and shows which (if any) resolve.
What DMARC policy should I start with?
Start with p=none and rua=mailto:reports@yourdomain.com. This collects aggregate reports without affecting delivery, so you can see who's sending as you. After 2-4 weeks of reports, when all your legitimate senders are aligned, move to p=quarantine. After another 2-4 weeks of clean reports, move to p=reject. Skipping straight to p=reject without monitoring first is how legitimate mail gets blocked.
How do I fix a missing DMARC record?
Add a TXT record at _dmarc.yourdomain.com with value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com. That's the minimum viable DMARC. The p=none means monitoring only, the rua= sends weekly aggregate reports. Most DNS providers (Cloudflare, Route53, Namecheap) have a TXT record editor in their dashboard.
What does the lookup limit failure look like to a receiver?
When SPF exceeds 10 DNS lookups, receivers return a 'PermError' result. Per RFC 7208, this is treated like the SPF record doesn't exist, all SPF protection is lost. From the sender's side, you'd see your DMARC reports start showing SPF failures across the board even though your records look fine. The fix is reducing lookup count.
Does the checker work on subdomains?
Yes. Enter mail.yourdomain.com or any subdomain. SPF and DKIM are looked up at that exact name. DMARC is looked up at _dmarc.<your-input>. If the subdomain has no DMARC, the parent domain's DMARC applies via DMARC's organisational-domain rule, but the checker won't auto-traverse, paste the parent domain to verify.
Building or debugging email infrastructure? See also email signature generator for a quick paste-ready Gmail / Outlook signature.