Don't like ads? Go Ad-Free Today 

Email Deliverability Checker

DeveloperNetworkingSecurity

ADVERTISEMENT · REMOVE?

INPUT

OUTPUT

Client Side

ADVERTISEMENT · REMOVE?

Guide

Email Deliverability Checker

Audit a domain’s email authentication setup in seconds. Enter any domain and the tool runs live DNS lookups against Cloudflare’s resolver to inspect SPF, DMARC, MX, and BIMI records, then surfaces real configuration problems with a clear pass/fail verdict and an overall deliverability score.

How to Use

Type the domain you want to check (for example example.com) into the input field.
Click Check. The tool performs four DNS-over-HTTPS queries in parallel.
Review the deliverability score at the top, then read the per-record breakdown for SPF, DMARC, MX, and BIMI.
Fix any flagged issues — multiple SPF records, too many DNS lookups, p=none DMARC, missing aggregate report address, or no MX server — and re-run the check.

Features

SPF inspection – validates the v=spf1 prefix, counts DNS-lookup mechanisms against the RFC 7208 limit of 10, flags +all, ?all, and the deprecated ptr mechanism, and warns when more than one SPF record is published.
DMARC inspection – parses every tag, checks the policy strength (none, quarantine, reject), surfaces rua and ruf reporting addresses, and warns when pct is below 100.
MX records – lists every mail server with its priority, sorted ascending so you can see the primary destination at a glance.
BIMI bonus check – reads default._bimi.<domain>, validates the l= SVG logo URL, and notes whether a Verified Mark Certificate (a=) is configured.
Deliverability score – a single weighted score across SPF, DMARC, and MX so you know at a glance whether a domain is publish-ready or needs work.
Privacy-friendly – queries run from your browser directly against Cloudflare’s 1.1.1.1 DNS-over-HTTPS endpoint. No domain you check ever touches our server.

 FAQ

What is the difference between SPF, DKIM, and DMARC?

SPF is a DNS record that lists which mail servers are allowed to send mail for your domain. DKIM signs each outgoing message with a cryptographic key so the receiver can verify it was not altered in transit. DMARC ties the two together: it tells receivers what to do when a message fails SPF or DKIM alignment and where to send aggregate reports. All three need to be in place for strong deliverability.
Why does SPF have a 10-DNS-lookup limit?

RFC 7208 caps the number of DNS lookups an SPF check may perform at 10 to prevent denial-of-service amplification and to keep mail processing predictable. Mechanisms like include, a, mx, ptr, exists, and redirect each consume one lookup. Exceeding the limit causes a PermError, which most receivers treat the same as a hard SPF fail — your mail goes to spam or is rejected outright.
What does the DMARC policy p=none mean?

p=none is a monitor-only policy. Receivers will check alignment and send you aggregate reports (via the rua= address) but will not quarantine or reject mail that fails. It is useful while you collect data and fix legitimate sources, but a domain stuck on p=none offers no protection against spoofing. The goal is to graduate to p=quarantine and eventually p=reject.
Do I need an MX record if I only send mail and never receive it?

Technically no — MX records describe inbound mail handling. But many receivers treat the absence of an MX record as a soft signal of a low-reputation sender, and bounce notifications cannot be delivered back to a domain with no MX. Most operators publish at least a Null MX (RFC 7505: a single MX record of '0 .') if they explicitly do not accept inbound mail, so the intent is unambiguous.