Free · no signup

Email DNS Checker

MX, SPF, DKIM, DMARC — plus MTA-STS, TLS-RPT and BIMI — for any domain. Observational, calm, and explained in plain English.

Try: google.comgithub.comstripe.comfastmail.comprotonmail.com
Reads from public DNS Nothing stored, nothing tracked
Live example · checked just now

Email DNS for google.com — Google

See full report →

MX, SPF, DMARC are all set. Mail appears to be handled by Google. No DKIM keys turned up at the common selectors we checked.

MX

Present
  • 10smtp.google.com

google.com has one MX record, pointing at smtp.google.com (priority 10). That hostname pattern matches Google. With only one MX, mail delivery has no failover — if that host is unreachable, incoming mail bounces or sits in queues.

SPF

Present 
v=spf1 include:_spf.google.com ~all

google.com publishes an SPF record ending in ~all, which is a soft-fail policy — mail from senders outside the listed mechanisms is allowed through but marked as suspicious. It consumes 1 of the 10 DNS lookups allowed by RFC 7208 §4.6.4 (SPF treats include:, redirect=, a, mx, ptr, and exists: as lookups that count against the limit).

What we check

  • MX records Which mail servers accept mail for this domain — and whether there's any failover.
  • SPF Who is allowed to send on this domain's behalf, the qualifier (~all, -all, ?all), and how many of the 10 SPF DNS lookups are used.
  • DKIM Whether common selectors (Google Workspace, Microsoft 365, Fastmail, SES, SendGrid, etc.) publish a public key.
  • DMARC The policy on authentication failures (none, quarantine, reject) and whether aggregate reports are being collected.
  • MTA-STS Whether the domain enforces TLS for inbound mail via the HTTPS-published policy file.
  • TLS-RPT Whether the domain accepts reports about TLS delivery failures for inbound mail.
  • BIMI Whether a brand-indicator logo is published for compatible mail clients.

Common questions

What is an MX record?

An MX record (Mail Exchange) tells other mail servers where to deliver mail addressed to your domain. It points at a hostname (e.g. aspmx.l.google.com for Google Workspace) and a priority — lower numbers are preferred. Domains with multiple MX records get failover.

What does SPF `~all` mean vs `-all`?

`~all` is "soft fail" — mail from a sender not listed in the SPF record is allowed through but marked as suspicious by receivers. `-all` is "hard fail" — mail from a sender not listed should be rejected outright. `~all` is the safer default while you're still tracking down legitimate senders; `-all` is the stricter end state once you're confident the SPF record is complete.

How do I find my DKIM selector?

DKIM keys are published under a selector you choose (any short string) at <selector>._domainkey.<your-domain>. Most providers use known names: Google Workspace uses `google`, Microsoft 365 uses `selector1` and `selector2`, Fastmail rotates `fm1`/`fm2`/`fm3`, AWS SES uses `amazonses`. This checker tries the common ones; if yours doesn't show up, ask your provider for the selector and look up the TXT record directly.

What does DMARC `p=reject` do?

`p=reject` tells receivers to reject mail that fails DMARC alignment — that is, mail claiming to be from your domain but neither SPF nor DKIM authenticated. It's the strictest enforcement level. `p=quarantine` sends failing mail to spam instead. `p=none` is monitoring only — the domain owner gets reports but receivers take no action.