UK’s trusted IT infrastructure partner since 2003
sales@servnetuk.com
0800 987 4111
Servnet
ToolsConfiguratorGet in Touch

Email security checker

Scan SPF, DMARC, DKIM, MTA-STS, DNSSEC and MX for any domain in one go. Get a graded score and a prioritised list of fixes — in plain English, with the exact records to publish.

SPFDKIMDMARC

Checks SPF, DMARC, DKIM, MTA-STS, DNSSEC and MX live. Nothing is stored. Try .

DMARC CheckerSPF CheckerDKIM CheckerDNS PropagationAll email & DNS tools

One scan, every email control

Most online checkers make you test SPF, DKIM and DMARC one at a time and leave you to interpret the results. This tool runs all six controls that decide whether your email is trusted — and whether someone can impersonate you — then scores them together and tells you what to fix first. Enter a domain above to see it in action.

Sender?SPFsending IP?DKIMsignatureDMARCalignmentInboxauthenticatedSpam / Quarantinep=quarantineRejectedp=rejectA message passes when SPF or DKIM aligns with the From domain; DMARC then applies your published policy.

A message is trusted when SPF or DKIM aligns with the From domain; DMARC then enforces your policy.

How the score is calculated

The grade is a weighted average. DMARC carries the most weight because it is the control that actually instructs receivers and stops exact-domain spoofing, followed by SPF and DKIM as its inputs, then MTA-STS and DNSSEC as hardening layers. A domain with SPF and DKIM but no enforced DMARC will score in the middle — the report makes the missing piece obvious rather than burying it.

The gaps we see most often

The three recurring problems are: DMARC stuck at p=none (monitoring but never enforced, so spoofing still works); no DKIM on one of the sending services a business actually uses; and SPF exceeding ten DNS lookups, which silently breaks SPF with a PermError. Each has a clear fix, and the dedicated DMARC, SPF and DKIM tools walk you through them and generate the records.

Why this is now business-critical

Google and Yahoo began rejecting or junking bulk mail from unauthenticated domains in February 2024, and Microsoft’s Outlook.com brought in similar rules for high-volume senders in 2025. If your invoices, quotes or marketing aren’t authenticated, they increasingly don’t arrive. Beyond deliverability, an enforced DMARC policy is one of the cheapest, highest-impact defences against the brand-impersonation and invoice-fraud attacks that target UK businesses every day.

🛡️ Prefer it handled? Servnet rolls out SPF, DKIM and DMARC the safe way — monitor, review reports, then enforce — and watches the reports for you. See managed cyber security →

Email security check — common questions

What does the email security checker test?

In one scan it checks the six controls that protect a domain’s mail: SPF (which servers may send for you), DKIM (a cryptographic signature, probed across the common provider selectors), DMARC (the policy that ties SPF and DKIM together), MTA-STS (enforced TLS for inbound mail), DNSSEC (signed DNS answers) and your MX records. Each is graded and the gaps are listed in priority order.

What counts as a good score?

A grade of A means SPF, DKIM and DMARC are all present and DMARC is enforced at quarantine or reject, ideally with MTA-STS and DNSSEC too. Many domains score C or D because they have SPF but DMARC is missing or stuck at p=none — which monitors but does not protect. The report shows you exactly which control is dragging the score down.

Why is DMARC weighted most heavily?

SPF and DKIM are inputs; DMARC is the control that actually tells receiving servers what to do when those checks fail, and it’s the record that stops criminals spoofing your exact domain. A domain can “pass” SPF and DKIM yet still be spoofable without an enforced DMARC policy, so DMARC carries the most weight in the score.

It says no DKIM was found — is that wrong?

Not necessarily. DKIM selectors are chosen by your mail platform, and we probe the most common ones (Google, Microsoft 365, Mailchimp, etc.). If your provider uses a custom selector, the all-in-one scan may miss it — use the dedicated DKIM checker and enter your selector to confirm.

Does a missing DMARC record mean I’m being spoofed?

It means you have no protection against it and no visibility. Without DMARC, anyone can send email with your domain in the From address and receivers have no instruction to reject it — and you get no reports showing it’s happening. Publishing DMARC (starting at p=none) is how you find out.

Do you store the domains I scan?

No. The scan runs live against public DNS on our server and returns the result; we don’t log or store the domains you check. It’s safe to scan your own domains or a prospect’s.

How often should I re-check?

Re-scan whenever you add a new sending service (a CRM, marketing platform or invoicing tool), change mail providers, or after publishing a record change. Ongoing DMARC reporting — which Servnet can manage for you — catches problems between manual checks.