Skip to content

TridentScan — Free Website Security Scanner & Attack Surface Intelligence

← All Tools

Free Email Authentication Checker

Verify SPF, DKIM, DMARC, and BIMI records for any domain. Protect your domain from email spoofing and phishing attacks.

What Is Email Authentication?

Email authentication is a set of DNS-based protocols that verify whether an email actually came from the domain it claims to be from. Without these records, anyone can send emails pretending to be your domain — enabling phishing attacks, business email compromise, and brand damage.

The Three Pillars

SPF (Sender Policy Framework)

A DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. Receiving servers check if the sending IP is in your SPF record. Without SPF, any server can impersonate your domain.

DKIM (DomainKeys Identified Mail)

Adds a cryptographic signature to outgoing emails. The receiving server verifies the signature against a public key in your DNS. This proves the email wasn't altered in transit and came from an authorized sender.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

Ties SPF and DKIM together with a policy that tells receivers what to do when authentication fails: monitor (none), quarantine, or reject. DMARC also provides reporting so you can see who's sending email as your domain.

What About BIMI?

BIMI (Brand Indicators for Message Identification) displays your brand's logo next to emails in supported clients like Gmail and Apple Mail. It requires a valid DMARC policy with enforcement (quarantine or reject). BIMI improves email trust and brand recognition.

Why This Matters

According to the FBI, business email compromise caused over $2.7 billion in losses in 2023 alone. Properly configured email authentication dramatically reduces the risk of your domain being used in phishing campaigns. It also improves email deliverability — major providers like Google and Yahoo now require SPF, DKIM, and DMARC for bulk senders.

Common Issues

Missing SPF — Without an SPF record, any server can send email as your domain without failing authentication.

DMARC set to "none" — A DMARC policy of p=none only monitors; it doesn't actually block spoofed emails. Move to quarantine or reject for real protection.

Too many SPF lookups — SPF is limited to 10 DNS lookups. Complex configurations with many includes can exceed this, causing SPF to fail entirely.

No DMARC reporting — Without rua/ruf URIs, you never see who's spoofing your domain. Always add reporting addresses.