Free tool
Sending-domain checker
SPF, DKIM and DMARC are the three DNS records mailbox providers check before trusting your email. Missing any of them is the most common reason cold email lands in spam. Check your domain in one click.
Sending cold email to UK companies? Leadistry finds verified leads and sends from your own inbox with automatic warm-up and this exact health check built in. Try 10 free leads, no card needed.
The three records, in plain English
SPFanswers "which servers may send as this domain?". It is a single TXT record listing your provider (Microsoft 365, Google Workspace, your marketing tool). Mail arriving from anywhere else fails the check. DKIManswers "did this message really come from the domain, unaltered?" via a cryptographic signature on every message that providers verify against a public key in your DNS. DMARC is the policy that ties them together: it tells the receiving provider what to do with mail that fails both, and where to send aggregate reports so you can see who is spoofing you.
Since early 2024, Gmail and Yahoo require bulk senders to pass all three. In practice, Microsoft applies similar pressure. A domain with no DMARC record is not just missing polish, it is measurably more likely to land in spam, and it is spoofable by anyone.
Common failure patterns
The failures we see most: two SPF records on one domain (itself an SPF error, providers then ignore both); an SPF record that exceeds the 10-DNS-lookup limit because of stacked include: entries; DKIM enabled in the mail provider but the CNAME records never added at the registrar; and a DMARC record of p=none left in place for years, which passes the letter of the requirement but tells providers you never graduated to an enforced policy. Each is a ten-minute fix once you can see it, which is what this checker is for.
Frequently asked questions
What is SPF?
Sender Policy Framework. A DNS TXT record listing which servers are allowed to send email for your domain. When your mail arrives from a server not on the list, providers treat it as suspicious. One record per domain; multiple SPF records are themselves an error.
What is DKIM?
DomainKeys Identified Mail. Your mail server signs every outgoing message with a private key, and the matching public key is published in DNS. The receiving provider verifies the signature to prove the message really came from your domain and was not altered in transit. Without DKIM, Gmail and Microsoft treat bulk senders with heavy suspicion.
What is DMARC?
The policy layer on top of SPF and DKIM. It tells receiving providers what to do when a message fails both checks: do nothing (p=none), quarantine it to spam (p=quarantine) or reject it outright (p=reject). Since 2024 Google and Yahoo require bulk senders to publish at least a p=none DMARC record, so having none at all directly hurts inbox placement.
All three records pass but my email still goes to spam. Why?
Authentication is the entry ticket, not the whole game. Content, sending volume, bounce rate and sender history all feed the spam decision. The most common culprits after authentication are sending too much too fast from a fresh domain (no warm-up) and a high bounce rate from an unverified list.
Do I need a separate domain for cold outreach?
Many senders use a close variant of their main domain for outreach so that any reputation damage stays off the primary domain. It works, but the variant needs its own SPF, DKIM and DMARC records plus several weeks of warm-up before real volume.
Also free: the email verifier. Deliverability guide: SPF, DKIM and DMARC for UK cold email.