🔐 SPF · DKIM · DMARC · MX · BIMI · Risk Score

Email Privacy Auditor

Free email privacy auditor. Run a live DNS security audit on any email domain. SPF, DKIM, DMARC, MX records, and BIMI checked in seconds with a risk score and specific fix recommendations.

✓ SPF / DKIM / DMARC✓ MX & BIMI✓ Risk score 0-10✓ Fix recommendations✓ Live DNS✓ No signup

Enter a domain or email address to audit

Live DNS lookups via Cloudflare DoH (Google DoH fallback). 14 DKIM selectors auto-tested. Nothing stored or logged.

What this tool checks

Free email privacy auditor. Check domain security, authentication strength, and spoofing exposure

Email authentication is a set of DNS-published policies that prove your domain is who it claims to be. Without them, anyone can forge email that appears to come from your address. The mechanism behind phishing, business email compromise, and brand impersonation. This auditor performs five live DNS checks to assess exactly how exposed a domain is, scoring the result on a 0-10 risk scale and providing the exact DNS record fix for every gap found.

The risk score reflects real-world spoofing exposure. A domain with no SPF record and no DMARC policy has no technical barrier preventing someone from sending convincing phishing emails to your customers or partners using your domain name. A domain with SPF -all, DMARC p=reject, and DKIM configured has the strongest available protection. Every major receiving mail server is instructed to reject unauthenticated messages claiming that domain as the sender.

Each failing or warned check includes the specific DNS record value to add or modify, the exact v=spf1 string, the _dmarc TXT value, or the DKIM key publication path, so you can act on the results immediately. The Google and Yahoo 2024 bulk sender requirements mandate valid SPF, DKIM, and a DMARC record for senders of more than 5,000 daily messages to Gmail. This audit confirms compliance with those requirements at a glance.

What this tool checks

SPF

Which mail servers are authorised to send for this domain. -all rejects unauthorised senders, ~all flags but delivers them.

DMARC

The enforcement policy for authentication failures: none (monitor), quarantine (spam), or reject (block). Also checks rua= reporting.

DKIM

Scans 14 common selectors for a DKIM public key. Cryptographic proof that outgoing mail is signed and unaltered.

MX Records

Confirms the domain has active mail exchange records and can receive inbound email.

BIMI

Optional brand logo display in Gmail, Yahoo Mail, and Apple Mail. Requires DMARC enforcement to be active first.

Risk 0-2

Well configured. Fully authenticated with strict SPF and DMARC enforcement.

Risk 3-5

Minor issues. Non-strict settings or DKIM not found on common selectors.

Risk 6-10

Critical. Missing SPF or DMARC. Domain is vulnerable to impersonation and phishing.

Risk score reference

0ExcellentFully auth.

1-2GoodWell config.

3-4MinorWarnings

5-7AttentionGaps exist

8-10CriticalVulnerable

Why it matters

Why auditing email privacy and authentication protects your domain and your recipients

Every unprotected domain is an attack surface. Phishing campaigns routinely impersonate legitimate brands using spoofed From: addresses. And the organisations whose domains are being spoofed often have no idea it is happening because they have no DMARC aggregate reports configured. From the attacker's perspective, a domain with no SPF and no DMARC is free to use: no authentication barrier, no rejection policy, and no reporting mechanism to alert the domain owner. This auditor exposes that exposure in seconds.

The most dangerous gap is a domain with DMARC p=none. This is the configuration many organisations end up with after following a "set it up safely" guide that recommends starting with monitoring mode. And then never advancing. A p=none record creates the appearance of DMARC coverage while providing zero enforcement. Spoofed phishing emails using the domain still reach inboxes. The only difference from having no DMARC is that aggregate reports are generated. But if no one is reading them, nothing changes. The risk score specifically flags this pattern because it is so common and so consequential.

For security-conscious organisations, running this audit across your full domain portfolio, including acquired, legacy, parked, and internal-use domains, takes seconds per domain and immediately surfaces the highest-priority gaps. Non-sending parked domains are particularly at risk: they typically have no authentication records at all, making them easy targets for phishing campaigns that exploit the name recognition of an established brand. Publishing SPF v=spf1 -all, DMARC p=reject, and a null MX record on every non-sending domain eliminates these as attack vectors entirely.

For organisations evaluating vendor or partner domains before granting email-based access or adding contacts to a mailing list, this audit provides instant insight into how seriously the counterparty takes email security. A useful signal alongside other due diligence criteria.

Troubleshooting

How to reduce your email privacy risk score: common issues and fixes

Most domains scoring above 3 have one or two specific issues accounting for the majority of risk points. Here is what each common problem means and how to resolve it.

SPF missing, 3 points added to risk score

Why it happens: No TXT record starting with v=spf1 exists at the root domain. This means any server anywhere can send email claiming to be from this domain with no authentication barrier. The simplest setup for a phishing campaign.

Fix: Add a TXT record at your root domain (e.g. yourdomain.com). For Google Workspace: v=spf1 include:_spf.google.com -all. For Microsoft 365: v=spf1 include:spf.protection.outlook.com -all. For a non-sending domain: v=spf1 -all. If you use multiple providers and approach the 10-lookup RFC 7208 limit, use the SPF Flattening Tool to keep the record evaluable.

SPF uses ~all (soft fail), 1 point added

Why it happens: The record uses ~all instead of -all, meaning unauthorised senders are flagged but still delivered. Under a DMARC p=reject policy this is usually sufficient because DMARC enforcement takes precedence, but soft fail SPF alone provides no protection.

Fix: Change ~all to -all in your SPF TXT record. Before doing so, confirm all legitimate sending sources are listed in the record. Check your DMARC aggregate reports for any SPF failures from legitimate senders. Once confirmed, the change from ~all to -all drops the SPF check from warn to pass and lowers the risk score by 1.

DMARC missing, 3 points added to risk score

Why it happens: No TXT record starting with v=DMARC1 exists at _dmarc.yourdomain.com. Without DMARC, SPF and DKIM have no alignment enforcement and no reporting. The visible From: header can be freely forged.

Fix: Add a TXT record at _dmarc.yourdomain.com. A safe starting value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. This starts generating aggregate reports without affecting delivery. After 2-4 weeks of reviewing reports, advance to p=quarantine then p=reject. Use the DMARC Analyzer to verify the record after publishing.

DMARC at p=none or p=quarantine, 1 point added

Why it happens: The DMARC policy is set to monitoring-only (p=none) or partial enforcement (p=quarantine). Neither provides the strongest available protection. p=none in particular means spoofed emails are still delivered to recipients. Only the reports show the failure.

Fix: Advance the policy. First move to p=quarantine if not already there, monitor for 2 weeks, then advance to p=reject. Before each step, review your aggregate reports to confirm no legitimate mail is failing authentication. Use the DMARC Checker to confirm the updated record is correctly published.

DKIM not found across 14 common selectors, 1 point added

Why it happens: The auditor scans 14 of the most common DKIM selector names. If your provider uses a custom selector name not in that list, the key will not be found. But DKIM may still be active. Alternatively, DKIM may genuinely not be configured.

Fix: Check the DKIM-Signature header of a real email sent from the domain. The s= tag shows the exact selector in use. If the selector is non-standard, use the DKIM Analyzer tool with that selector to confirm the key is valid and at adequate strength. If DKIM is not configured, enable it in your email provider's admin settings.

MX records missing, 3 points added

Why it happens: No MX records found for the domain. This means no mail can be delivered to the domain. It is either a parked domain, a recently registered domain not yet configured, or a domain whose MX records were accidentally removed.

Fix: For a domain intended to receive email: add MX records via your DNS provider pointing to your mail server. For a parked or non-sending domain: add a null MX record (priority 0, value '.') to explicitly signal no inbound mail. This is cleaner than having no MX and prevents bounce ambiguity.

Examples

Email privacy audit examples. Risk scores for common domain configurations

Four configurations showing the range from fully protected to critically exposed. And why each scores where it does.

gmail.com

Google maintains full SPF -all, DMARC p=reject, DKIM, and MX. All checks pass. Risk score 0.

Score 0. Excellent

proton.me

Privacy-focused provider with strict DMARC enforcement and strong SPF policy.

Score 0-1. Excellent

example-startup.io

Typical startup: SPF with ~all (soft fail) and DMARC p=none monitoring. DKIM present but no strict enforcement.

Score 3-4. Minor Issues

abandoned-domain.net

Parked or expired domain. No MX records, no SPF, no DMARC. Anyone can spoof email from it.

Score 9. Critical

FAQ

Email privacy and security audit questions and answers

Answers to the most common questions about email domain security, the risk score, SPF vs DMARC, email spoofing, and how to fix common authentication gaps.

What is an email privacy audit?

An email privacy audit checks whether an email domain has correctly published the DNS records that authenticate its identity and protect against spoofing. The five checks, SPF, DMARC, DKIM, MX records, and BIMI, together determine how exposed a domain is to phishing, impersonation, and deliverability failures. This auditor queries live DNS resolvers via Cloudflare DoH and scores the domain's configuration on a 0-10 risk scale where 0 means fully protected and 10 means critically exposed. Each failing check includes the exact DNS record value needed to fix it.

What is SPF and why does it matter for email privacy?

SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorised to send email on behalf of your domain. Without it, any server in the world can send email that appears to come from your domain. The primary technique used in phishing, business email compromise, and brand impersonation attacks. A strict SPF record with -all enforcement instructs receiving servers to reject unauthorised senders outright. A soft fail (~all) flags them but still delivers the message. The difference matters enormously: -all with DMARC p=reject means spoofed emails are rejected before reaching inboxes; ~all with DMARC p=none means they are still delivered.

What does DMARC p=none mean. Is it a problem?

p=none means the domain has published a DMARC record but has not enabled enforcement. Emails that fail SPF and DKIM checks are still delivered to recipients normally. Only aggregate reports are sent to the rua address if configured. p=none provides visibility but zero protection against spoofing. Moving to p=quarantine (spam folder) or p=reject (block entirely) is required for the domain to actually be protected. Many organisations get stuck at p=none indefinitely because the transition requires reviewing aggregate reports to confirm all legitimate sending sources are authenticated before enforcement can safely be applied.

Why might DKIM not be detected?

DKIM public keys are stored in DNS under a subdomain that includes a selector. For example, google._domainkey.yourdomain.com. This auditor automatically tests 14 of the most commonly used selector names. If your email provider uses a custom selector not in that list, the key will not be found here. But DKIM may still be working correctly. To confirm DKIM status definitively, view the DKIM-Signature header of any email sent from the domain (the s= tag contains the selector) and use the DKIM Analyzer tool with that exact selector.

What is the risk score and how is it calculated?

The risk score runs from 0 to 10, where 0 means the domain is fully authenticated and 10 means critical vulnerabilities exist. Each failed check (missing SPF or missing DMARC) adds 3 points to the score. Each warning (SPF with ~all instead of -all, DMARC at p=none or p=quarantine, DKIM not found on common selectors) adds 1 point. A score of 0 is Excellent. 1-2 is Well Configured. 3-4 is Minor Issues. 5-7 is Needs Attention. 8-10 is Critical. The maximum score is capped at 10 regardless of how many checks fail.

What is BIMI and do I need it?

BIMI (Brand Indicators for Message Identification) is an optional standard that displays your brand logo next to emails in Gmail, Yahoo Mail, and Apple Mail, improving recipient recognition and trust. It requires DMARC p=quarantine or p=reject to already be in place. BIMI cannot function without DMARC enforcement. Full BIMI implementation typically requires a Verified Mark Certificate (VMC) for the logo. BIMI is not a security requirement. It is a brand presence feature. The risk auditor checks for BIMI but does not penalise its absence in the risk score.

How do I fix a missing SPF record?

Log into your DNS provider and add a TXT record at your root domain (e.g. yourdomain.com, not a subdomain) with the value: v=spf1 include:_spf.yourprovider.com -all. Replacing the include: with the one specified in your email sending service's setup documentation. For Google Workspace use include:_spf.google.com, for Microsoft 365 use include:spf.protection.outlook.com. DNS changes propagate within 5-30 minutes for most modern providers. Re-run this audit after publishing to confirm detection. If your record already has too many include: mechanisms, use the SPF Flattening Tool to keep it within the 10-lookup RFC limit.

Can I run this audit on domains I don't own?

Yes. The audit only performs read-only DNS lookups, which are publicly accessible. DNS records (TXT, MX, and their subdomains) are queryable by anyone, anywhere, without authentication. This makes the tool useful for checking the security posture of any domain: your own, a vendor's domain before an email integration, a partner's domain for due diligence, or a domain you have received suspicious email from. The tool does not send any email, attempt any connection to the domain's mail servers, or perform any intrusive check.

How does this differ from the Email Health Checker?

The Email Health Checker focuses on deliverability. It grades the domain A-F on whether email can be reliably sent and received, including a disposable provider check. The Email Privacy Auditor focuses on security posture. It assigns a 0-10 risk score based on authentication strength, includes BIMI, provides specific DNS fix syntax for each issue, and detects partial DMARC enforcement (pct= below 100). For a complete picture of a domain's email configuration, running both tools is recommended: the Health Checker surfaces deliverability gaps, the Privacy Auditor surfaces security and authentication gaps.

Does this tool store the domains I check?

No. All DNS lookups are performed directly from your browser to Cloudflare's and Google's DNS over HTTPS resolvers. No domain names, results, or session data are transmitted to or stored on Best-TempMail servers. The tool runs entirely client-side. There is no backend API call, no logging, and no authentication required.

What is the difference between SPF -all and DMARC p=reject. Aren't they the same thing?

They operate at different layers and are not interchangeable. SPF -all tells receiving servers to reject messages from IP addresses not listed in your SPF record. But SPF only validates the envelope sender, the hidden MAIL FROM address, not the visible From: header displayed to recipients. An attacker can forge the From: header while keeping a passing envelope address, and SPF alone will not catch it. DMARC p=reject adds alignment: it requires the authenticated domain to match the From: header, and if it does not, the message is rejected. You need both: SPF -all to control which servers can send, and DMARC p=reject to enforce that the From: header cannot be forged.

What is email spoofing and how does a low risk score protect against it?

Email spoofing is the practice of forging the From: address in an email to make it appear to come from a trusted domain. Your company, your bank, or a government agency. Because the SMTP protocol has no native sender verification, anyone can technically send email claiming any From: address. A domain with a risk score of 0 has SPF -all, DMARC p=reject, and DKIM configured. Together these instruct every major receiving mail server to reject unauthenticated messages claiming to be from that domain. A domain with a score of 8+ has none of these protections, meaning spoofed phishing emails using that domain name face no authentication barrier at receiving servers.

How does DMARC pct= partial enforcement affect the risk score?

A DMARC record with pct=50 applies the policy to only 50% of failing messages. The other half pass through regardless of authentication status. This is a common configuration left over from a cautious phased rollout that was never completed. The auditor detects pct= values below 100 and notes them in the DMARC check result. While partial enforcement is better than p=none, it should not be left in place permanently. Once aggregate reports confirm all legitimate sending sources are passing authentication, advance pct= to 100 and move the policy to p=reject.

What should I do first if my domain scores 8 or higher?

A score of 8-10 typically means SPF and DMARC are both missing. Each missing record contributes 3 points. The highest-impact first step is publishing a DMARC record even at p=none with rua= configured: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. This immediately starts generating aggregate reports that show every source sending email from your domain. Simultaneously, publish an SPF record covering your known sending sources. Once both are in place, your score will drop significantly. Review aggregate reports for 2-4 weeks, then advance DMARC to p=quarantine and SPF to -all.

Does the audit check for MTA-STS or DNSSEC?

The current version of this auditor checks SPF, DMARC, DKIM, MX records, and BIMI. MTA-STS (Mail Transfer Agent Strict Transport Security) and DNSSEC are additional email security layers that are not included in this audit. MTA-STS prevents SMTP downgrade attacks by requiring TLS on inbound connections; DNSSEC protects DNS records from tampering. Both are valuable additional hardening steps for domains that have already achieved a risk score of 0 on the five core checks.

Technical background

How the five email authentication checks work together

SPF (Sender Policy Framework, RFC 7208) is the sender authorisation layer. Published as a TXT record at your root domain, it lists every IP address and mail service authorised to send email on your behalf. When a receiving server gets a message from your domain, it checks whether the sending IP is in your SPF record. SPF validates the SMTP envelope sender, the hidden MAIL FROM address, not the visible From: header. This is why SPF alone cannot prevent From: header spoofing, and why DMARC alignment is needed on top. Use the SPF Record Checker for a mechanism-by-mechanism audit, or the SPF Flattening Tool if your include chain is approaching the 10-lookup RFC limit.

DKIM (DomainKeys Identified Mail, RFC 6376) is the signing layer. It adds a cryptographic signature to outgoing messages, tied to a domain you control in the d= tag. Receiving servers retrieve the public key from DNS at selector._domainkey.yourdomain.com and verify the signature. Confirming the message was not altered in transit. Because the DKIM signature is based on your domain rather than the sending server's IP, it survives email forwarding and is the more reliable alignment mechanism for third-party sending platforms. Use the DKIM Analyzer for full key inspection including strength estimation and revocation status.

DMARC (Domain-based Message Authentication, Reporting, and Conformance, RFC 7489) is the policy and reporting layer. It requires that at least one mechanism, SPF or DKIM, passes with alignment to the visible From: header. It then specifies what to do when neither passes: none (monitor), quarantine (spam), or reject (block). It also generates daily aggregate XML reports from major mailbox providers showing pass/fail rates across all sending sources. DMARC is the mechanism that gives SPF and DKIM real enforcement value. Without it, even perfectly configured SPF and DKIM cannot prevent From: header spoofing. Use the DMARC Checker for a policy health summary or the DMARC Analyzer for a full tag-by-tag breakdown.

MX records are the routing layer. They tell the internet which mail server accepts inbound email for your domain. Without MX records, email cannot be delivered to the domain. For non-sending domains, a null MX record (priority 0, value '.') explicitly signals no inbound mail, which is the correct configuration for parked or purely outbound-only domains.

BIMI (Brand Indicators for Message Identification) is the brand display layer. Optional but increasingly common at enterprise level. It displays your logo next to emails in Gmail, Apple Mail, and Yahoo Mail. It has no direct security function but requires DMARC enforcement to be in place (p=quarantine or p=reject with pct=100), which means a BIMI record is an indirect signal that a domain has reached a mature authentication posture.

Related Email Security Tools

Email Health Checker DMARC Checker DMARC Analyzer DKIM Analyzer SPF Record Checker SPF Flattening Tool MX Record Lookup DNS Lookup Tool Email Header Analyzer BIMI Record Checker All Tools

Keep your real email address private.Generate a free disposable address. Zero signup, zero trace.

Get Free Temp Mail ->