How to Check SPF, DKIM, and DMARC for a Domain
By Nathan Cole, Security Researcher · Updated 2026-06-02Part of our guide to Email Authentication Explained: SPF, DKIM, and DMARC.
The fastest way to check a domain's email authentication is to query three places: the root domain for SPF, the _dmarc subdomain for DMARC, and a selector-based name for DKIM. You can do this with a free web tool, with the dig command, or by reading the headers of an email the domain already sent. Each method answers a slightly different question, and together they tell you whether a domain is properly protected. For the wider picture of how these records fit together, see Email authentication explained.
This guide walks through all three methods in order, from easiest to most precise. If you are new to the individual records, SPF records explained and DMARC explained cover what each one does and why it matters. Below we focus purely on finding and reading them.
Method 1: Use a free online DNS tool
The simplest option needs no terminal. Paste a domain into the free DomainIntel DNS tool at the site root (/), and it returns the domain's TXT records, including SPF and DMARC presence, in seconds. This is ideal when you want a quick yes-or-no answer: does this domain publish an SPF record, and does it have a DMARC policy? The tool flags both, so you can spot a missing record without typing a single command.
What an online lookup will not do is guess your DKIM selector for you. SPF and DMARC sit at predictable locations, so a tool can always find them. DKIM does not, which is why Methods 2 and 3 matter once you need the signing details.
Method 2: Query the records with dig
If you prefer the command line, dig reads DNS directly. SPF and DMARC each have a known location, so the queries are short.
Check SPF on the root domain:
dig example.com TXT +short
Look for a line beginning with v=spf1. That string lists the servers allowed to send mail for the domain.
Check DMARC on the _dmarc subdomain:
dig _dmarc.example.com TXT +short
A result starting with v=DMARC1 shows the policy, including whether it is set to p=none, p=quarantine, or p=reject.
DKIM is the awkward one. It lives at selector._domainkey.example.com, and the selector is chosen by whoever set up signing. There is no universal name. Once you know the selector (see Method 3), query it like this:
dig selector1._domainkey.example.com TXT +short
Swap selector1 for the real selector. A v=DKIM1 record confirms the public key is published.
The SPF and DMARC formats are defined in the relevant standards, so the version tags above are not arbitrary: SPF is specified in RFC 7208 and DMARC in RFC 7489. Reading those tells you exactly which tags are valid.
Method 3: Read a received email's headers
The third method solves the DKIM selector problem and verifies real-world results at the same time. Open an email the domain actually sent, then view its full headers (in Gmail, use "Show original"; most clients have an equivalent).
Two headers do the heavy lifting. The Authentication-Results header records pass or fail for each check, usually reading something like spf=pass, dkim=pass, and dmarc=pass. If any of those say fail or none, you have found a gap. The DKIM-Signature header contains the selector in its s= tag and the signing domain in its d= tag. Copy that s= value, and you have the selector you need for the dig query in Method 2.
This approach is the only one that confirms how a real receiver actually evaluated the message, rather than just confirming a record exists.
Quick reference: where each record lives
| Record | Where to look | dig query |
|---|---|---|
| SPF | Root domain TXT record (v=spf1) |
dig example.com TXT +short |
| DMARC | _dmarc subdomain TXT record (v=DMARC1) |
dig _dmarc.example.com TXT +short |
| DKIM | selector._domainkey (selector from email header) |
dig selector._domainkey.example.com TXT +short |
| Live results | Authentication-Results header of a received email |
n/a (read the header) |
Putting it together
Start with a tool lookup for a fast read on SPF and DMARC. Drop to dig when you want the raw record text or need to confirm a specific tag. Go to the email headers whenever DKIM is involved, both to grab the selector and to see how a real inbox judged the message. Three angles, one clear picture.
Want to check a domain right now? Run a free lookup at the site root (/) and see its SPF and DMARC records in seconds.
Frequently asked questions
How do I check if a domain has SPF and DMARC?
Run a free DNS lookup tool, or query the TXT records yourself: dig example.com TXT shows the SPF record, and dig _dmarc.example.com TXT shows the DMARC policy. SPF lives on the root domain; DMARC lives on the _dmarc subdomain.
How do I find a domain's DKIM record?
You need the selector first. Open a real email sent from the domain, read the DKIM-Signature header, and note the s= value. Then run dig selector._domainkey.example.com TXT using that selector.
Why can't I find the DKIM record?
DKIM is published per selector, and selector names are arbitrary. Without the exact selector you cannot guess the record location, so there is no single fixed query that always returns it.