
✉ MX · SPF · DKIM · DMARC · Disposable · Graded A-F

Email Health Checker

Free email health checker. Run a comprehensive email domain health check covering MX records, SPF, DMARC, DKIM authentication, and disposable status. Get a scored grade with specific fix recommendations.

✓ MX Records · ✓ SPF Check · ✓ DMARC Check · ✓ DKIM Check · ✓ Disposable Detection · ✓ A-F Grade

Live DNS lookups via Google and Cloudflare DoH resolvers. Disposable detection via multiple independent databases. Nothing is stored or logged.

What this tool checks

Free email health checker. Test domain deliverability, authentication, and sender reputation in one pass

An email domain is considered healthy when it can receive mail, has authentication records proving senders are legitimate, and is not associated with disposable or throwaway providers. These factors collectively determine how much trust mail servers and spam filters extend to messages from that domain, and therefore whether they reach the inbox or the spam folder. This tool audits all five dimensions simultaneously using live DNS-over-HTTPS lookups and returns a weighted score out of 100 with an A-F grade.

The five checks cover the complete picture. MX records confirm the domain has an active mail server capable of receiving email. Without MX records, every message sent to that domain bounces permanently. SPF (Sender Policy Framework) defines which servers are authorised to send on the domain's behalf. DMARC specifies what receiving servers should do when SPF or DKIM fails: none (monitor), quarantine (spam), or reject (block). DKIM verifies email has not been altered in transit using a cryptographic signature. And the disposable domain check flags known temporary inbox providers that are unsuitable for commercial email.

Each check returns a specific score contribution, a plain-English result, and where relevant a targeted fix tip. This means the tool does not just grade your domain. It tells you exactly which DNS records to add or change to improve the score, ranked by impact. Since February 2024, Google and Yahoo require bulk senders to have valid SPF, DKIM, and a DMARC record in place. This health check confirms compliance with those requirements at a glance.

What this tool does
MX Records (20pts)
Verifies the domain has mail exchange records. Without these, no email can be delivered to the domain.
SPF Record (25pts)
Checks whether the domain has an SPF TXT record and rates the 'all' qualifier: -all (full 25pts), ~all (18pts), +all (5pts).
DMARC Record (25pts)
Checks whether a DMARC policy exists and rates enforcement: p=reject (25pts), p=quarantine (20pts), p=none (10pts).
DKIM Record (20pts)
Looks up the DKIM public key at selector._domainkey.domain. Requires entering your selector name to score.
Disposable (10pts)
Queries Kickbox API and a community domain list to detect known temporary or throwaway email providers.
Grade A (90-100)
MX present, SPF -all, DMARC p=reject or quarantine, DKIM verified, not disposable. Fully authenticated domain.
Grade B (75-89)
Strong setup with minor gaps. Typically SPF ~all or DMARC p=quarantine instead of the strictest settings.
Grade F (0-34)
Critical gaps. Missing MX records, no SPF or DMARC, or a confirmed disposable/throwaway domain.
Grade reference
A: 90-100 (Excellent)
B: 75-89 (Good)
C: 55-74 (Fair)
D: 35-54 (Poor)
F: 0-34 (Critical)
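
The point values and grade bands above, applied to constructed DNS answers. This is an added example, not the tool's own code: the function names and input shape are assumptions, as is the handling of ?all and of a null MX noted in the comments.

```javascript
// Added example, not the tool's code. Point values are the ones stated on
// this page; function names and the input object shape are assumptions.
const SPF_POINTS = new Map([["-", 25], ["~", 18], ["+", 5]]);
const DMARC_POINTS = new Map([["reject", 25], ["quarantine", 20], ["none", 10]]);

// Qualifier of the SPF "all" mechanism: "-", "~", "+" or "?"; null when the
// record has no "all"; undefined when txt is not an SPF record at all.
function spfAllQualifier(txt) {
  const terms = (txt || "").trim().split(/\s+/);
  if (terms[0].toLowerCase() !== "v=spf1") return undefined;
  for (const term of terms.slice(1)) {
    const m = /^([+\-~?]?)all$/i.exec(term);
    if (m) return m[1] || "+"; // a bare "all" means "+all" (RFC 7208)
  }
  return null;
}

function grade(score) {
  if (score >= 90) return "A";
  if (score >= 75) return "B";
  if (score >= 55) return "C";
  if (score >= 35) return "D";
  return "F";
}

// Plain point sum over the five checks; nothing beyond the stated points
// is modelled.
function scoreDomain(d) {
  const checks = {};
  // MX (20): at least one record. Assumption: a null MX (exchange ".")
  // declares that no mail is accepted, so it scores 0 here.
  checks.mx = (d.mx || []).some((r) => r.exchange !== ".") ? 20 : 0;

  // SPF (25): -all 25, ~all 18, +all 5, missing or invalid "all" 10, no
  // record 0. Assumption: ?all has no stated value and gets the 10 bucket.
  const q = spfAllQualifier(d.spf);
  checks.spf = q === undefined ? 0 : (SPF_POINTS.get(q) ?? 10);

  // DMARC (25): p=reject 25, p=quarantine 20, p=none 10, otherwise 0.
  const isDmarc = /^\s*v\s*=\s*DMARC1\s*(;|$)/.test(d.dmarc || "");
  const p = isDmarc ? (/;\s*p\s*=\s*([a-z]+)/i.exec(d.dmarc) || [])[1] : "";
  checks.dmarc = DMARC_POINTS.get((p || "").toLowerCase()) ?? 0;

  // DKIM (20): needs a selector and a non-empty p= in the key record.
  const hasKey = /(?:^|;)\s*p\s*=\s*[A-Za-z0-9+\/]/.test(d.dkim || "");
  checks.dkim = d.selector && hasKey ? 20 : 0;

  // Disposable (10): full points when no source flags the domain.
  checks.disposable = d.disposable ? 0 : 10;

  const score = Object.values(checks).reduce((a, b) => a + b, 0);
  return { score, grade: grade(score), checks };
}

// Constructed sample inputs (not live DNS answers).
const mx = [{ priority: 10, exchange: "mx.example.com" }];
const strict = scoreDomain({
  mx, spf: "v=spf1 include:_spf.google.com -all",
  dmarc: "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com",
  selector: "google", dkim: "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY", disposable: false,
});
const rollout = scoreDomain({
  mx, spf: "v=spf1 include:_spf.google.com ~all",
  dmarc: "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com", disposable: false,
});
const parked = scoreDomain({ mx: [{ priority: 0, exchange: "." }], disposable: false });
console.log(strict, rollout, parked);
```

The `checks` object in each result shows where the points were lost, which is the order to fix things in.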
Why it matters

Why running an email health check matters for deliverability and domain security

Most domain owners configure email once and never revisit it. But email infrastructure is not static. Sending services are added, DNS records are accidentally overwritten, and provider requirements change. A domain that scored Grade A two years ago may now have a broken SPF record from a DNS migration, a DMARC policy stuck at p=none from an initial setup that was never advanced, or a DKIM key that has been silently revoked. None of these failures announce themselves. Email continues to send but lands in spam or gets rejected at the most security-conscious receivers.

The health score makes the gap between configuration intent and actual DNS state immediately visible. A score of 68/100 does not mean "mostly fine". It typically means DMARC is at p=none (providing zero enforcement) and DKIM has not been verified, which together mean spoofed email from your domain faces no authentication barrier at most receiving servers. Moving from Grade C to Grade A usually requires two or three targeted DNS changes, each of which takes under five minutes once identified.

For email marketers, SaaS founders, and anyone sending transactional email, this check is the fastest way to confirm compliance with the Google and Yahoo 2024 bulk sender requirements: valid SPF, DKIM signing, and a DMARC record are all mandatory for senders delivering more than 5,000 messages per day to Gmail. The health checker surfaces all three gaps in a single run. Even for lower-volume senders, these settings are increasingly a baseline deliverability signal. Inbox providers use them to score sender reputation before evaluating content at all.

For security teams, the disposable domain check and authentication audit together identify two distinct risk vectors: inbound (disposable addresses that should not be accepted in signup flows or CRMs) and outbound (domains with weak or missing authentication that are easy to spoof in phishing campaigns). Running this check across your domain portfolio, including acquired, legacy, and parked domains, takes seconds per domain and surfaces the highest-priority security gaps.

Troubleshooting

How to improve your email health score: common issues and fixes

Most domains below Grade B have one or two specific issues that account for the majority of lost points. Here is what each common failure means and how to fix it.

No MX records, 0/20 on MX check
Why it happens: No mail exchange records exist for the domain. This means email sent to any address at this domain will bounce with a permanent delivery failure. Common for parked domains, recently registered domains not yet configured, or domains where MX records were accidentally deleted during a DNS migration.
Fix: Log into your DNS provider and add MX records pointing to your mail server. For Google Workspace, use the five Google MX records (ASPMX.L.GOOGLE.COM and the four ALT entries). For Microsoft 365, use the single Microsoft MX record provided in the admin setup wizard. For a non-sending parked domain, add a null MX record (priority 0, value '.') to signal no inbound mail is accepted.
SPF missing or scoring below 25/25
Why it happens: Either no SPF TXT record exists at the root domain, or the record uses ~all (soft fail, 18pts) rather than -all (hard fail, 25pts). A missing SPF record means any server can send email claiming to be from your domain with no authentication barrier.
Fix: Publish a TXT record at your root domain starting with v=spf1. List all authorised sending sources with include: mechanisms, then end with -all. For Google Workspace: v=spf1 include:_spf.google.com -all. For Microsoft 365: v=spf1 include:spf.protection.outlook.com -all. If your SPF record has too many include: mechanisms, use the SPF Flattening Tool to reduce lookup count before switching to -all.
DMARC missing or at p=none, 0-10/25 on DMARC check
Why it happens: Either no DMARC TXT record exists at _dmarc.yourdomain.com, or the record is set to p=none (monitoring only, 10pts). A missing DMARC record gives receiving servers no policy guidance. p=none provides zero enforcement. Spoofed email from your domain passes through with no authentication barrier.
Fix: Add a TXT record at _dmarc.yourdomain.com. Start with v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com to collect aggregate reports without affecting delivery. After 2-4 weeks of reviewing reports to confirm all legitimate sending sources are passing, advance to p=quarantine, then p=reject. Use the DMARC Checker to verify the record after publishing.
DKIM check returning 0/20
Why it happens: Either no DKIM selector was entered in the selector field (the check cannot run without one), the wrong selector was entered, or no DKIM record exists at selector._domainkey.yourdomain.com.
Fix: First, find your correct selector: check the DKIM-Signature header of any email sent from the domain. The s= tag contains the selector. Common selectors: 'google' (Google Workspace), 'selector1' / 'selector2' (Microsoft 365), 'k1' (Mailchimp). If no DKIM is configured, set it up in your email provider's admin settings. Use the DKIM Analyzer for a full key analysis once the selector is confirmed.
Domain flagged as disposable, 0/10 on disposable check
Why it happens: The domain is in one or both of the disposable domain databases checked by this tool (Kickbox API and the community GitHub list). This is expected for legitimate temporary email services and is a design feature, not an error.
Fix: If you are checking a domain that is not actually a disposable provider and believe it is incorrectly flagged, the classification comes from third-party databases that Best-TempMail does not control. You can request removal from the community GitHub list (github.com/disposable/disposable-email-domains) via a pull request if your domain is incorrectly listed.
Score is Grade B but cannot reach Grade A
Why it happens: The most common Grade B ceiling is SPF using ~all (18/25) instead of -all (25/25) and/or DMARC at p=quarantine (20/25) instead of p=reject (25/25). Both are intentionally conservative settings appropriate during rollout but should be advanced once authentication is stable.
Fix: To reach Grade A: (1) change SPF from ~all to -all after confirming all sending sources are in the record and passing DMARC aggregate reports. (2) Advance DMARC from p=quarantine to p=reject after monitoring for 2-4 weeks at quarantine with no unexpected failures. (3) Confirm your DKIM selector is entered and the key is verified. With all three at maximum, the score will be 95-100 and Grade A.
Examples

Email health check examples. How different domain configurations score

Four real-world configurations showing exactly which checks pass or fail and why the score lands where it does.

user@apple.com
Major tech company. Full authentication stack. MX active, SPF -all, DMARC p=reject, DKIM published.
MX ✓ · SPF ✓ · DMARC ✓ · DKIM ✓
Grade A
hello@startup.io
Typical startup. Has MX and SPF with ~all, DMARC p=none (monitoring only), no DKIM selector entered.
MX ✓ · SPF ~ · DMARC ~ · DKIM (no selector entered)
Grade C
test@mailinator.com
Known disposable email provider. Has MX records but flagged as temporary inbox service.
MX ✓ · SPF ✓ · Disposable ✗
Grade F
bounce@expired-domain.com
Expired or parked domain. No MX records. Any email sent here will bounce permanently.
MX ✗ · SPF ✗ · DMARC ✗
Grade F
FAQ

Email health check questions and answers

Answers to the most common questions about email health scores, MX records, SPF, DMARC, DKIM, and disposable domain detection.

What is an email health check?
An email health check is a comprehensive audit of an email domain's DNS configuration covering five critical areas: MX records (can the domain receive email?), SPF (are sending servers authorised?), DMARC (is there an authentication enforcement policy?), DKIM (is cryptographic signing in place?), and disposable domain detection (is this a temporary throwaway address?). Each check is individually scored and the results are combined into a weighted health score out of 100 with an A-F letter grade. The goal is to give domain owners and email senders a single, actionable view of their authentication posture without needing to run five separate tools.
What does each check score?
MX records are worth 20 points. The domain must have at least one MX record to score anything here. SPF is worth 25 points: full 25 for strict -all enforcement, 18 for ~all soft fail, 5 for the insecure +all, and 10 for a record with a missing or invalid all qualifier. DMARC is worth 25 points: full 25 for p=reject, 20 for p=quarantine, and 10 for p=none (monitoring only). DKIM is worth 20 points if a valid public key is found at the selector you entered. This check scores 0 if no selector is provided. Disposable domain status is worth 10 points. Total out of 100 maps to grades: A (90-100), B (75-89), C (55-74), D (35-54), F (0-34).
What is a DKIM selector and where do I find it?
A DKIM selector is a label that identifies which DKIM key to use for signature verification. It forms part of the DNS lookup path: selector._domainkey.yourdomain.com. Common selectors include 'google' (Google Workspace), 'selector1' and 'selector2' (Microsoft 365), 'k1' (Mailchimp), 's1' (SendGrid), and 'mail' or 'default' for custom mail servers. To find your selector, view the raw headers of any email you have sent from that domain and look for the DKIM-Signature header. The s= tag contains the selector name. The selector is also listed in your email provider's DNS setup documentation.
Why is my score not 100 even though my domain has SPF and DMARC?
The most common reasons for a score below 100: SPF uses ~all instead of -all (scores 18/25 not 25/25), DMARC is set to p=none instead of p=quarantine or p=reject (scores 10/25 not 25/25), or no DKIM selector was entered so the DKIM check returns 0/20. To reach Grade A, use SPF with -all, advance DMARC to p=reject, and enter your DKIM selector so the key can be verified. Fixing all three will typically bring a domain from Grade C to Grade A.
What does SPF -all vs ~all mean?
The all mechanism at the end of an SPF record controls what happens to mail from servers not listed in the record. -all (hard fail) instructs receiving servers to reject the message. ~all (soft fail) instructs them to accept but flag it; such mail is typically delivered to spam. +all (pass all) allows any server in the world to send as your domain and should never be used. ?all (neutral) makes no recommendation and provides no protection. For maximum deliverability protection and security, use -all once you have confirmed all your legitimate sending sources are in the SPF record.
What is DMARC p=none and why is it a problem?
DMARC p=none is the monitoring-only policy. It means that even if an email fails both SPF and DKIM authentication, it is still delivered normally. The receiving server simply logs the failure and sends a report to the rua= address if configured. p=none provides zero enforcement and zero protection against spoofing or phishing using your domain. It is the correct starting policy when first deploying DMARC (to identify all legitimate sending sources before enforcing), but it should not be left in place permanently. Advance to p=quarantine then p=reject once aggregate reports confirm all legitimate mail is passing authentication.
What should I do if the domain has no MX records?
No MX records means the domain cannot receive email. Any message sent to an address at that domain will bounce with a permanent failure (NXDOMAIN or NODATA). If you own the domain and want it to receive email, add MX records through your DNS provider pointing to your mail server or hosted email service. If you are checking a domain as part of validating an email list, addresses at domains without MX records will hard-bounce and should be removed from your list to protect your sender reputation.
What is a disposable email domain?
Disposable email providers offer temporary inboxes created on demand that expire automatically, typically within minutes to hours. Services like Mailinator, Guerrilla Mail, and Temp Mail are well-known examples. This check queries two independent sources to detect known disposable providers: Kickbox's open disposable domain API and a community-maintained GitHub list of disposable domains. For businesses collecting email addresses for newsletters, accounts, or campaigns, accepting disposable addresses results in bounces, inflated metrics, and wasted sending costs. The check helps identify these addresses before they enter your list.
Is this tool suitable for bulk email validation?
This tool is optimised for manual spot-checking of individual domains and addresses. It performs live DNS lookups which are not suitable for bulk use. Running hundreds of simultaneous checks would exceed public DNS resolver rate limits. For validating large email lists (thousands of addresses), use a dedicated bulk email verification service that handles SMTP verification, role address detection, catch-all detection, and rate limiting at scale. This tool is ideal for checking a domain before a new email integration, verifying a contact's address before an important send, or auditing your own domain's authentication posture.
Does this tool store my queries?
No. All DNS queries run directly from your browser to Google's DNS over HTTPS (dns.google) and Cloudflare's DNS over HTTPS (cloudflare-dns.com) resolvers. The disposable domain check queries Kickbox's public open API and a GitHub-hosted domain list. No queries, domains, or results are transmitted to or stored on Best-TempMail servers. The checks are entirely client-side. Your browser makes the API calls directly.
How does the email health checker differ from a simple MX lookup?
An MX lookup only tells you whether a domain has mail server records. It confirms the domain can theoretically receive email, but says nothing about whether email sent from that domain is authenticated, whether it is protected against spoofing, or whether it belongs to a disposable provider. This health checker runs five checks in parallel: MX (deliverability), SPF (sender authorisation), DMARC (enforcement policy), DKIM (cryptographic signing), and disposable status. Together they give a complete picture of both inbound deliverability and outbound authentication strength.
What is the difference between a Grade A and Grade F domain?
A Grade A domain (90-100 points) has all five checks passing at full or near-full strength: active MX records, SPF with -all enforcement, DMARC at p=quarantine or p=reject, a verified DKIM key, and no disposable flag. Email sent from this domain is authenticated, protected against spoofing, and trusted by receiving mail servers. A Grade F domain (0-34 points) typically has no SPF or DMARC, possibly no MX records, and may be a disposable provider. Email from such a domain is easily spoofed, likely to be spam-filtered, and unsuitable for commercial sending. Most real-world business domains fall between Grade B and Grade D. The score shows precisely which checks to fix first.
Why does the DKIM check fail even though I have DKIM set up?
The most common reason is an incorrect selector. If you entered 'default' but your provider uses 'google', the lookup returns nothing and the check fails. Check the DKIM-Signature header of a real email sent from your domain to confirm the exact selector in use. Other causes: the DKIM DNS record was published at the wrong hostname (e.g. missing the selector prefix or the ._domainkey suffix), DNS propagation is still in progress after a recent change, or the key has been revoked (empty p= tag). Use the dedicated DKIM Analyzer tool for a full tag-by-tag breakdown if the selector is confirmed correct but the check still fails.
Can I use this tool to check domains I do not own?
Yes. All checks are based on publicly accessible DNS records. MX, SPF (TXT), DMARC (TXT at _dmarc.), and DKIM (TXT at selector._domainkey.) are all publicly queryable by any DNS resolver. There is no authentication requirement to look up someone else's DNS records. This makes the tool useful for checking the authentication posture of partner domains, vendor email systems, or any address you receive email from and want to evaluate for trust.
What should I do after getting my health score?
Start with the highest-value failed checks. DMARC missing or at p=none is often the most impactful fix. Publish v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com as a starting point, then advance the policy after reviewing aggregate reports. If SPF is missing, publish a record covering all your sending sources. If DKIM is unverified, enter the correct selector or check with the DKIM Analyzer to confirm your signing setup. After making DNS changes, wait 5-30 minutes for propagation and re-run this checker to confirm your score has improved.
Technical background

Understanding the five email health checks: what each one measures and why it matters

MX records are the routing layer. When any mail server anywhere in the world tries to deliver email to your domain, it queries DNS for MX records to find which server should receive the message. Without MX records, there is nowhere to route the email. It bounces immediately with a permanent error. For non-sending domains, a null MX record (priority 0, value '.') explicitly signals no inbound mail is accepted, which is cleaner than having no MX at all.

SPF (Sender Policy Framework) is the sender authorisation layer. Published as a TXT record at your root domain, it lists every IP address and mail service authorised to send email on your behalf. When a receiving server gets a message claiming to be from your domain, it checks whether the sending IP is in your SPF record. The all qualifier at the end determines the penalty for unauthorised senders: -all rejects them, ~all flags them, +all passes them (insecure). If your SPF record has too many include: chains and is approaching the 10-lookup RFC 7208 limit, the SPF Flattening Tool resolves all includes to direct IP ranges. You can also use the SPF Record Checker for a detailed mechanism-by-mechanism breakdown.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the enforcement and reporting layer. It sits on top of SPF and DKIM and adds two things neither standard provides individually: alignment (the From: header domain must match the authenticated domain) and policy (what to do when alignment fails). It also enables daily XML aggregate reports from major mailbox providers showing pass/fail rates across all your sending sources. Use the DMARC Checker for a health summary or the DMARC Analyzer for a full tag-by-tag breakdown.

DKIM (DomainKeys Identified Mail) is the signing layer. It adds a cryptographic signature to outgoing messages using a private key, while the corresponding public key is published in DNS. Receiving servers use the public key to verify the signature, confirming the message was not altered in transit and genuinely came from an authorised source. Unlike SPF, DKIM signatures survive email forwarding, making DKIM the more reliable alignment mechanism for third-party ESPs. Use the DKIM Analyzer to inspect your key strength, check for revoked keys, and detect test mode.
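
Finding the selector in a DKIM-Signature header and classifying the key record it points to, as an added example (not the DKIM Analyzer's or this tool's code). The function names, the status strings and the sample header are constructed for illustration.

```javascript
// Added example; function names and status strings are assumptions.

// Parse a "tag=value; tag=value" list. Folded header lines are unfolded
// first. DKIM tag names are case-sensitive, so they are kept as written.
function parseTagList(value) {
  const tags = {};
  for (const part of value.replace(/\r?\n[ \t]+/g, " ").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) tags[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return tags;
}

// From raw message headers, derive the DNS name that holds the public key:
// the s= tag (selector) and d= tag (signing domain) of DKIM-Signature.
function dkimLookupName(rawHeaders) {
  // Capture the header value including its folded continuation lines.
  const m = /^DKIM-Signature:(.*(?:\r?\n[ \t].*)*)/im.exec(rawHeaders);
  if (!m) return null;
  const sig = parseTagList(m[1]);
  if (!sig.s || !sig.d) return null;
  return { selector: sig.s, domain: sig.d, name: `${sig.s}._domainkey.${sig.d}` };
}

// Classify the TXT record found at selector._domainkey.domain.
function inspectDkimKey(txt) {
  if (!txt) return { status: "missing" };            // wrong selector or no record
  const t = parseTagList(txt);
  if (t.v !== undefined && t.v !== "DKIM1") return { status: "invalid" };
  if (!("p" in t)) return { status: "invalid" };     // p= is required
  if (t.p === "") return { status: "revoked" };      // empty p= means revoked
  const flags = (t.t || "").split(":").map((f) => f.trim());
  return { status: "ok", keyType: t.k || "rsa", testMode: flags.includes("y") };
}

// Constructed sample headers (not taken from a real message).
const sampleHeaders = [
  "Received: from mail.example.com by mx.example.net; Mon, 1 Jan 2024 00:00:00 +0000",
  "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;",
  "\td=example.com; s=selector1; h=from:to:subject;",
  "\tbh=CONSTRUCTED; b=CONSTRUCTED",
  "From: sender@example.com",
].join("\r\n");

console.log(dkimLookupName(sampleHeaders));
console.log(inspectDkimKey("v=DKIM1; k=rsa; p="));
console.log(inspectDkimKey("v=DKIM1; t=y; p=CONSTRUCTEDKEY"));
```

A "missing" result with a selector taken from a real header usually points to the record being published at the wrong hostname or to a DNS change that has not propagated yet.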

Disposable domain detection identifies known temporary email services. This matters for two distinct use cases: marketers and product teams who need to filter throwaway addresses from signup forms and email lists, and security teams auditing whether an email address belongs to a verifiable organisation or a temporary inbox designed to avoid contact follow-up. The check queries two independent sources, Kickbox's open API and a community-maintained GitHub blocklist, and returns a positive flag if either source identifies the domain.
