Best Free DMARC/SPF/DKIM Tools (2026): Checkers and Fix Guide to Stop Spoofing & BEC

Email spoofing is one of the fastest ways attackers pull off phishing and Business Email Compromise (BEC). If your domain doesn’t authenticate email correctly, scammers can impersonate your brand in the inbox—even if your website security is solid. The good news: you can validate and fix the core protections using free DMARC/SPF/DKIM checker tools in minutes.

This guide gives you:

The best free tools to test DMARC, SPF, DKIM (and common DNS issues)
What each tool is best at (and what it misses)
A fix checklist you can apply safely
Practical examples and common mistakes that break authentication

DMARC, SPF, and DKIM work together to help prevent unauthorized senders from spoofing your domain.

DMARC vs SPF vs DKIM (simple explanation)

SPF (Sender Policy Framework)

SPF is a DNS TXT record that lists which servers are allowed to send email for your domain. If a random server tries to send “from your domain,” receiving mail servers can detect it and treat it as suspicious. Google describes SPF as a way to help prevent outgoing email from being marked as spam and to identify authorized senders.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outgoing emails. Receivers can verify the signature using a DKIM public key published in DNS.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC tells receivers what to do when messages fail authentication and enables reporting. It sits “on top of” SPF and DKIM and adds enforcement and alignment.

Important concept: alignment
DMARC checks whether the domain in the visible From: address aligns with the domain validated by SPF and/or DKIM. This is why “SPF passes” alone isn’t always enough.

The best free DMARC checker tools (2026)

1) MXToolbox DMARC Lookup (free)

Best for: fast DMARC record parsing + common policy warnings
What it does: displays your DMARC record and runs diagnostics against it.
Use it when: you want a quick “is my DMARC record valid?” check.

How to use

Open the DMARC Lookup tool.
Enter your domain (example: yourdomain.com).
Review:
- p= policy (none/quarantine/reject)
- rua= reporting address
- syntax warnings/errors

What it often catches

Missing DMARC record
Bad tag formatting (extra spaces, wrong separators)
Weak policy that doesn’t block spoofing

2) Google Admin Toolbox Check MX (free)

Best for: DNS health + mail record sanity (MX/SPF/DMARC/DKIM-related checks)
It’s designed to detect common MX misconfigurations and related DNS issues.

How to use

Open “Check MX”
Enter:
- Domain name
- DKIM selector (optional, if you know it)
Review red/yellow warnings for:
- missing/incorrect MX
- conflicting DNS records
- auth record issues

Why it’s useful
Many people “fix DMARC” but forget their underlying DNS/MX setup is messy. This tool helps spot the fundamentals.

3) dmarcian DMARC Inspector (free checker)

Best for: DMARC policy visibility + human-friendly explanation of what your DMARC says
Their DMARC Record Checker lets you inspect policy and identify issues.

Use it when

You want an easier, less technical view of DMARC settings
You’re explaining the findings to a non-technical client/team

The best free SPF checker tools (2026)

1) MXToolbox SPF Record Check (free)

Best for: SPF validation + diagnostics and delivery-impact warnings
It looks up your SPF record and highlights errors that can impact email delivery.

Checks you should focus on

More than one SPF record (breaks SPF)
Invalid mechanisms
Too many DNS lookups (a common failure)

2) EasyDMARC SPF Lookup (free)

Best for: understanding SPF “lookup tree” and sources included in your SPF
It shows SPF sending sources and lookup structure.

Use it when
Your SPF includes multiple services (Google Workspace, Microsoft 365, Mailchimp, SendGrid, etc.) and you need to see what’s really happening.

The best free DKIM checker tools (2026)

1) MXToolbox DKIM Record Lookup (free)

Best for: verifying a DKIM record exists for a domain + selector
The tool tests a DKIM record for a valid published DKIM key record.

What you need

Domain: yourdomain.com
DKIM selector: commonly something like google, selector1, default, smtp, etc. (depends on provider)

2) Google Workspace DKIM setup references (free official guidance)

If your mail is on Google Workspace, you can generate keys and publish the DKIM record using Google Admin guidance.

Use this as your fast audit after running the tools:

DMARC must-have

DMARC record exists: _dmarc.yourdomain.com
Policy is not permanently p=none (use it only for monitoring during rollout)
rua= reporting mailbox works and you can receive reports
Alignment is considered (SPF and/or DKIM must align with the From domain)

SPF must-have

Only one SPF TXT record exists
SPF includes all legitimate senders (your email provider + marketing tools + ticketing tools, etc.)
Avoid broken includes and excessive lookups (a common SPF “permerror” cause)

DKIM must-have

DKIM record exists for your active sending platform
Selector matches what your platform uses
Email headers show DKIM-Signature: on outgoing mail

Fix guide: common issues and how to resolve them

Issue 1: “No DMARC record found”

What it means: you don’t have _dmarc.yourdomain.com TXT record.

Fix
Add a DMARC TXT record like this (starter monitoring mode):

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; fo=1; adkim=s; aspf=s;

Why start with p=none
It allows reporting without blocking mail while you confirm legitimate senders. DMARC supports policies like none/quarantine/reject; moving beyond p=none is key for actual protection.

Issue 2: DMARC is present but still not stopping spoofing

Cause: you’re stuck on p=none or your mail doesn’t align.

Fix strategy (safe rollout)

Run DMARC reports for 7–14 days (monitor mode).
Fix SPF/DKIM for every legitimate sender you discover.
Move to p=quarantine (start with a small percentage if your DMARC supports it).
Move to p=reject when confident.

Reality check
A lot of domains never enforce DMARC strongly, which leaves spoofing opportunities open.

Issue 3: “Multiple SPF records found” (very common)

What it means: you published more than one v=spf1 TXT record. Receivers may treat SPF as invalid.

Fix
Merge into a single SPF record that includes all sending services.

Example
Bad (two SPF records):

v=spf1 include:_spf.google.com ~all
v=spf1 include:sendgrid.net ~all

Good (one combined SPF record):

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Google also shows a typical SPF example pattern for Workspace.

Issue 4: SPF “permerror” due to too many DNS lookups

SPF evaluation has limits. When your SPF includes many nested include: entries (marketing tools, CRMs, helpdesks), you can exceed lookup limits.

Fix options

Remove unused services from SPF
Consolidate senders where possible
Use subdomains for specific services (e.g., mail.yourdomain.com for marketing)

Issue 5: DKIM fails because selector is wrong or not published

What it means: you’re checking the wrong selector or the platform’s DKIM key isn’t in DNS.

Fix

Confirm the selector from your email provider admin panel
Publish the TXT record exactly as provided
Wait for DNS propagation, then re-check with MXToolbox DKIM lookup.

What these free tools detect (and what they miss)

What they detect well

Missing/invalid DMARC/SPF/DKIM DNS records
Syntax errors and misconfigurations
DKIM record presence/selector issues
Basic MX and DNS hygiene problems

What they don’t fully detect

Whether all your legitimate third-party services are properly aligned (you must confirm senders)
Whether your outbound email is actually signing with DKIM (check real email headers)
Deliverability issues caused by reputation, content, or blacklists (separate checks needed)

Practical test: verify with a real email header (fast method)

After DNS checks, send a test email from your domain to a Gmail address and open “Show original” (or view headers). Look for:

SPF: PASS/FAIL
DKIM: PASS/FAIL
DMARC: PASS/FAIL

If DMARC fails while SPF or DKIM passes, alignment is likely the reason.

FAQ

Are free DMARC/SPF/DKIM checker tools accurate?

They’re accurate for DNS record presence, syntax, and basic validation, but they can’t fully confirm real-world sending behavior without you testing headers and reviewing DMARC reports.

What’s the safest DMARC policy to start with?

Start with p=none for monitoring only, then move to quarantine and eventually reject once you’ve verified legitimate senders.

Does SPF alone stop spoofing?

Not reliably. SPF can pass for a sending server, but without DMARC alignment, attackers can still exploit weaknesses. DMARC provides policy + alignment to strengthen protection.