DKIM
Not FoundDKIM evidence was not found in the pasted headers.
Make Sense of Your DNS
Check visible email authentication signals: MX, SPF, DKIM, DMARC, and what still needs a real sent email header.
This checker summarizes public DNS evidence. It does not inspect email headers, send email, access mailboxes, store submitted domains, or connect to any provider account.
Run a Check
Use one domain or subdomain, such as example.com. Submitted domains are used only for this lookup response. This review applies only to the exact domain or subdomain entered. Some organizations use separate subdomains for marketing or transactional sending.
The checker also tries common selectors such as selector1, selector2, google, k1, s1, default, mail, mandrill, kl, and sendgrid.
Ready to check public DNS evidence.
Paste full message headers from a received email to compare public DNS evidence with what actually happened when the message was delivered.
Headers are parsed in your browser only. They are not submitted, stored, or logged.
You can paste the full message source. The checker will read the header section before the email body.
Header analysis runs locally in this browser.
Paste full email headers to summarize authentication results from one received message.
Header analysis works without a DNS lookup.
No authentication results were found in the pasted headers.
DKIM evidence was not found in the pasted headers.
SPF evidence was not found in the pasted headers.
DMARC evidence was not found in the pasted headers.
Domain-level message details will appear here.
List-Unsubscribe evidence will appear here when present.
Analyze a received message header to summarize what the mailbox reported for this message.
This reflects one received message. It does not prove every message from this domain authenticates the same way.
The summary explains visible DNS evidence in plain language, with limits where only a real sent email header can prove behavior.
Ready
Enter a domain to review public DNS evidence for MX, SPF, DKIM, and DMARC.
The score is based only on public DNS evidence returned by the checker.
Run a lookup to review inbound mail routing evidence.
MX records show where a domain receives mail. They do not prove which service sends mail for the domain.
Run a lookup to review SPF-style TXT evidence.
SPF can authorize sending services for a domain. Multiple SPF records at the same name can cause authentication problems.
Run a lookup to review selector-specific DKIM evidence.
DKIM uses selector-specific DNS records. Finding a selector is useful, but only message headers can confirm a sent email was actually signed.
Run a lookup to review DMARC policy evidence.
DMARC tells receiving systems how to handle mail that fails alignment checks. Policy should be tightened only after legitimate sending is understood.
Mail is not asked to be quarantined or rejected by policy. Best while validating legitimate mail and reviewing DMARC reports.
Receiving systems may place failing mail in spam or quarantine. Best after most legitimate mail is authenticating correctly.
Receiving systems are asked to reject mail that fails DMARC checks. Best after all legitimate sending sources are understood and passing authentication.
Strict policy is not automatically better. It can cause delivery issues if SPF or DKIM alignment is incomplete for legitimate mail.
Provider interpretation is not included in this version.
Provider names should only appear when DNS evidence is explicit and provider-specific. Weak hints should stay out of this section.
DNS records can show authorized providers, but a real sent email header is needed to confirm which platform sent a specific message.
Send a real test email and inspect the authentication headers before treating DNS records as proof of outgoing signing.
Review aggregate reports before considering quarantine or reject.
DNS lookups can miss selector-specific DKIM records or private sending paths. The safest language is narrow and evidence-based.
Multiple SPF records at the same name can create authentication problems. A real checker should flag that as Needs Review.
Monitoring first, then stricter policy only after legitimate sending sources and alignment are understood.
Run a lookup to see a practical, evidence-based perspective on what the DNS records can and cannot confirm.
Public records, authorized sending hints, DMARC policy, inbound mail routing, and provider-specific evidence when it is explicit.
Which platform sent a specific message, whether a live message was signed, whether alignment passed, or whether inbox placement will be good. Real message headers and provider dashboards can confirm behavior this DNS review cannot.
This checker summarizes public DNS-style findings. It does not inspect email headers, send email, access mailboxes, verify inbox placement, or confirm which platform sent a specific message. This review applies only to the exact domain or subdomain entered.