Email DNS Sanity Checker
Check a domain’s MX, SPF, DMARC, DKIM selector, MTA-STS, and TLS-RPT records in plain English.
Status: Live · Processing: server-assisted DNS lookup. The browser sends the domain to a same-origin CyganLabs WordPress endpoint because browsers cannot perform normal DNS record lookups by themselves. The endpoint does DNS lookups only, rate-limits requests, uses a short cache, and does not intentionally store searched domains beyond those short-lived transients.
This is a sanity checker, not a deliverability oracle. It will spot common DNS email-authentication problems: missing DMARC, broken SPF, multiple SPF records, monitoring-only DMARC, visible DKIM selector records, and optional MTA-STS/TLS-RPT markers. It will not fix the records for you, inspect every nested SPF include, or magically understand the mail platform your vendor configured in 2017 and then abandoned like a cursed appliance.
Check email DNS records
Enter the domain used for email, such as example.com. You can paste a URL or email address and the tool will try to normalize it to the domain.
Enter a domain to check SPF, DMARC, MX, DKIM selectors, MTA-STS, and TLS-RPT.
Raw DNS records returned by this check
What this checks
- MX: which mail servers receive mail for the domain.
- SPF: which services are allowed to send mail for the domain. The checker catches missing SPF, multiple SPF records,
+all, missing/looseallmechanisms, discouragedptr, and a basic DNS-lookup count warning. - DMARC: what receivers should do when SPF/DKIM alignment fails.
p=noneis monitoring, not enforcement. - DKIM: whether a public key exists for a custom selector or a small set of common selectors. A miss does not prove DKIM is absent, because selectors vary by mail provider.
- MTA-STS and TLS-RPT: optional records that help with mail transport security and reporting. This tool checks the DNS markers, not the full HTTPS MTA-STS policy file.
Important caveats
Email DNS is not a place for heroic guessing. Strict settings can break legitimate mail if you tighten them before you know every sender. Use this as an inspection tool, then verify changes with your mail provider, logs, and DMARC reports.
Will this fix my email?
No. It tells you what to inspect. That is less magical and much more honest.
Why does DMARC matter?
DMARC gives receivers a domain-level instruction for mail that fails SPF/DKIM alignment. Without it, spoofed mail has more room to look plausible.
Should every domain use p=reject?
Eventually, many domains should aim for enforcement, but not blindly. Start with visibility, confirm legitimate senders, fix alignment, then move from none to quarantine or reject when the data supports it. Breaking real mail for the sake of a green badge is security theater with paperwork.
Do you store searched domains?
The tool does not intentionally store submitted domains as a user history. The endpoint uses normal server request handling plus short-lived WordPress transients for rate limiting and repeated-domain caching. Do not paste anything you would treat as secret; DNS names are not a secrets vault.
Related tools: Redirect Inspector, Link Cleaner, and Password Phrase Generator.