What does MailCheck test?

MailCheck runs 13 checks: SPF record and include chain, DKIM, DMARC, MX records, DNS blacklists (24+ RBLs), SMTP TLS and open relay, MTA-STS, TLS-RPT, DANE/TLSA, BIMI, IP reputation, and WHOIS — a complete picture of your domain's email security in one scan.

Yes. All 13 checks are free with no account or signup required. Enter any domain and run a full scan instantly.

What is SPF and why does it matter?

SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorised to send email for your domain. Without a valid SPF record, spammers can forge your domain in the From address, and your legitimate emails may be rejected or marked as spam.

What is DMARC and how does it protect my domain?

DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers what to do when email fails SPF or DKIM alignment — monitor (p=none), quarantine, or reject. A DMARC policy of p=reject is the strongest protection against email spoofing and domain impersonation.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails. Receiving servers verify the signature using a public key published in your DNS, confirming the message has not been altered in transit and that it genuinely comes from your domain.

How do I check if my domain is on an email blacklist?

Enter your domain in the MailCheck search bar and run the Blacklists (RBL) check. MailCheck tests your domain and sending IPs against 24+ DNS blacklists including Spamhaus, Barracuda, and SURBL, and shows any active listings with removal links.

Why is my email going to spam?

Common causes include a missing or misconfigured SPF record, no DKIM signature, a weak DMARC policy (p=none), a sending IP or domain listed on a DNS blacklist, or a mail server without STARTTLS. Run a full MailCheck scan to identify which checks are failing.

What is a good DMARC policy?

p=reject is the strongest DMARC setting — it instructs receiving servers to reject any email that fails SPF or DKIM alignment. Start with p=none to monitor traffic, move to p=quarantine, then p=reject once you are confident all legitimate senders pass authentication.

MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that forces other mail servers to use validated TLS when delivering email to your domain. Without it, a network attacker can downgrade or strip TLS on inbound mail. It requires a DNS TXT record at _mta-sts and a policy file served over HTTPS.

How do I check my SPF record?

Enter your domain in MailCheck and run the SPF check. It retrieves your SPF TXT record, parses every include: directive recursively, counts DNS lookups against the 10-lookup limit, and flags any misconfigurations or missing records.

What is SPF alignment?

SPF alignment means the domain in the Return-Path (envelope From) matches the domain in the visible From header. DMARC requires either SPF or DKIM alignment to pass. Misalignment is a common cause of DMARC failures even when SPF itself passes.

How often should I check my email security?

Run a check any time you change your mail provider, add a sending service, or notice deliverability problems. For active domains a monthly scan is a good baseline — blacklist listings can appear without warning and cause immediate delivery failures.

MailCheck

SPF · DKIM · DMARC · Blacklists · SMTP · WHOIS · and more

Custom DKIM Selector:

DNS Checks5 of 5

Connectivity2 of 2

Reputation3 of 3

Advanced0 of 3

—

—/100

Health Score

DNS Checks

MX Records—

SPF—

SPF Include Chain—

DMARC—

DKIM—

Connectivity

SMTP Connection Tests—

Open Relay & Catch-All—

Reputation

Blacklists (RBL)—

Domain Info (WHOIS)—

IP Reputation—

AdvancedOptional

BIMI—

MTA-STS & TLS-RPT—

DANE / TLSA—

Free email security check — 13 checks in one scan

MailCheck analyses your domain's full email security posture in seconds. Enter any domain to check SPF, DKIM, DMARC, MX records, DNS blacklists, SMTP connectivity, MTA-STS, TLS-RPT, DANE, BIMI, IP reputation, and WHOIS — no account or signup required.

What each check covers

SPF Record Check

Retrieves and parses your Sender Policy Framework record, recursively expands every include: directive, and counts DNS lookups against the hard 10-lookup limit. A permerror here causes legitimate email to be rejected.

DKIM Check

Looks up the DKIM public key for your selector, validates the record syntax, and confirms the key length meets current security recommendations. Supports custom selectors for Google Workspace, Microsoft 365, and others.

DMARC Policy Check

Parses your DMARC record and flags weak configurations — p=none gives zero protection, missing rua means you receive no failure reports. Includes a record generator to help you move to p=reject.

MX Records

Looks up and validates your domain's MX records, checks priorities, and verifies the mail servers are reachable. Missing or broken MX records mean no one can send you email.

Email Blacklist Check (24+ RBLs)

Tests your domain and sending IPs against 24+ DNS-based blacklists including Spamhaus ZEN, Barracuda, SURBL, and SpamCop. A single blacklist listing can cause widespread delivery failures at major providers.

SMTP TLS & Open Relay

Opens live TCP connections to your mail server on ports 25, 587, and 465 to verify STARTTLS is advertised. Also tests for open relay and catch-all configurations that expose your infrastructure to abuse.

MTA-STS & TLS-RPT

Checks for a published MTA-STS policy that enforces TLS on inbound mail, and a TLS-RPT record that enables failure reporting. These two standards close the security gap DMARC leaves on the inbound side.

DANE / TLSA

Queries TLSA records for each MX host to detect DANE deployment — the strongest available mechanism for authenticating mail server TLS certificates via DNSSEC, independent of public CAs.

BIMI Check

Retrieves your Brand Indicators for Message Identification (BIMI) record, validates the SVG logo URL, and checks for a VMC certificate — the prerequisites for displaying your brand logo in Gmail and Apple Mail.

IP Reputation & WHOIS

Resolves each MX host to its IP address, then looks up organisation, ASN, ISP, city, and hosting/proxy flags. Also checks domain registration age, registrar, expiry, and DNSSEC status — factors spam filters weigh heavily.

Why email authentication matters

Without SPF, DKIM, and DMARC correctly configured, anyone can send email that appears to come from your domain — impersonating your business to phish customers, partners, and staff. A DMARC policy of p=reject stops domain spoofing entirely. MailCheck shows you exactly where your configuration stands and what needs fixing, with inline record generators to help you deploy the right DNS records.

Frequently asked questions

Is MailCheck free?: Yes — all 13 checks are free with no account required. Enter any domain and run a full scan instantly.
How do I check if my domain is on an email blacklist?: Enter your domain in the search bar above and click Run Checks. The Blacklists (RBL) check tests 24+ DNS blacklists and shows any active listings with direct removal links.
Why is my email going to spam?: The most common causes are a missing or failing SPF record, no DKIM signature, a weak DMARC policy, a sending IP on a blacklist, or a mail server without STARTTLS. A full MailCheck scan identifies which checks are failing and what to fix.
What is the difference between SPF, DKIM, and DMARC?: SPF specifies which servers may send email for your domain. DKIM cryptographically signs each message so recipients can verify it was not altered. DMARC ties them together and tells receivers what to do when either check fails — and sends you reports. All three are required for strong email authentication.
What is a good DMARC policy?: p=reject is the strongest setting — receiving servers discard any message that fails SPF or DKIM alignment. Start with p=none to collect reports without affecting delivery, move to p=quarantine, then p=reject once all legitimate senders are covered.
What is MTA-STS and do I need it?: MTA-STS forces other mail servers to use validated TLS when delivering email to your domain, preventing downgrade attacks on inbound mail. It requires a DNS TXT record and a policy file served over HTTPS. It's recommended for any domain that cares about inbound mail security.
How often should I check my email security?: Run a check any time you change mail providers, add a sending service, or see deliverability problems. For active domains, a monthly scan is a good baseline — blacklist listings can appear without warning and cause immediate widespread failures.

Header Analyser

Trace delivery path · Check authentication · Detect anomalies

BIMI SVG Converter

Convert any SVG or raster PNG/JPG to BIMI-compliant SVG 1.2 Tiny P/S

Upload Logo

Drop your logo here

SVG, PNG, JPG · Max 5 MB

BIMI Requirements

SVG 1.2 Tiny P/S profile

Square viewBox (1:1 ratio)

No scripts or animations

No external references

width/height set to 100%

<title> element present

Converted SVG—

Bulk MailCheck

Check up to 20 domains at once · Results emailed when done

Domain List (.txt)

Drop your .txt file here

or click to browse · one domain per line · max 20

Email Report To

Domains are checked in the background with a short pause between each to avoid overloading DNS. Your summary report will arrive when all checks are complete.

~— min estimated

1 submission per IP per 24 h

DKIM uses auto-discovery (no per-domain selectors)