See what spammers see when they check your domain.
Audit your DMARC, SPF, DKIM, MTA-STS, TLS-RPT and BIMI in one click. Get a plain-English report with a grade, the issues, and exactly how to fix them.
By auditing a domain you confirm you have permission to do so. We rate-limit aggressively to prevent abuse.
How it works
We query the same DNS records every receiving mail server queries when it decides whether to trust mail from your domain. Then we explain what we found.
Enter your domain
No signup. We never store your email unless you ask us to.
We probe public DNS
DMARC, SPF (with full include-tree resolution), DKIM (60+ common selectors), MTA-STS, TLS-RPT, BIMI, MX.
Read the report
Plain English findings, severity badges, and a copy-pasteable remediation for each issue.
What we check
The policy that tells receivers what to do with unauthenticated mail. We grade based on enforcement (none / quarantine / reject), reporting setup, and external destination authorization.
The list of servers allowed to send mail for your domain. We recursively walk the include chain, count DNS lookups (RFC 7208 limit is 10), and flag deprecated mechanisms like ptr.
Cryptographic signatures. We probe 60+ well-known selectors used by Google, Microsoft 365, Mailchimp, SendGrid, Postmark, AWS SES, and more.
Forces inbound mail over TLS to known-good MX hosts. We check the DNS pointer and fetch the policy file at https://mta-sts.<your-domain>.
Receivers send you reports about TLS connection failures. Lightweight but valuable.
Brand logos in inboxes (BIMI), and provider detection from your MX records (Google Workspace, M365, Zoho, self-hosted, etc.).
Questions
Is this really free?
Yes. Run as many audits as you like (within sensible per-IP rate limits). The paid product is continuous monitoring with RUA report ingestion — but the audit tool itself stays free.
Do I need to verify ownership of the domain?
No. We only read public DNS records and fetch documented well-known URLs (MTA-STS policies, BIMI logos). Anything we read is already public.
Will you spam me if I download the PDF?
You opt in to one email containing the report. We won't add you to a marketing list unless you also tick the consent checkbox. Unsubscribe is one click; we're GDPR-native (UK/EU based).
How fresh is the data?
We cache DNS lookups for 5 minutes and full audits for 10 minutes — so if you fix a record and re-run within 10 minutes, hit "Re-run" to skip the cache.
What about my own DKIM selectors?
We probe ~60 well-known selectors used by major senders. If you use a custom selector and want it tested, the paid product lets you specify selectors directly.