SPF, DKIM, DMARC Security Tool

SPF, DKIM, and DMARC

The big 3 pieces of DNS-based email authentication are: SPF, DKIM, and DMARC. Each one is a DNS TXT record. Email recipients can use these to verify that emails were authorized by the domain owner.

If these DNS records are configured correctly (or not configured at all), email recipients do not know how to verify if emails are authorized by the domain owner. Emails may not be delivered or worse an attacker could spoof emails from the domain.

About DKIM Selectors

DKIM (DomainKeys Identified Mail) uses selectors to support multiple keys for the same domain. The selector is a prefix that identifies a specific DKIM record in your DNS. When sending email, your mail server specifies which selector to use.

For example, if your selector is "mail" and your domain is "example.com", the DKIM record would be located at "mail._domainkey.example.com". Different email providers use different standard selectors - Google Workspace typically uses "google", Microsoft 365 often uses "selector1" and "selector2", and many other providers use "mail", "default", "s1", or "m1". Our tool automatically checks common selectors first, and only asks for your custom selector if we can't find a DKIM record with the standard ones.