WeLeadLab Get Free Website
April 9, 2026Updated April 10, 20268 min readby Vladimir Kamenev

Free SPF, DKIM & DMARC Checker — Stop Your Emails Going to Spam

One-line answer

WeLead Lab's free SPF DKIM DMARC checker runs 13 email authentication checks on your domain in seconds — verifying SPF, DKIM, DMARC, BIMI, MTA-STS, TLSRPT, reverse DNS, and Google/Yahoo bulk sender compliance — so your emails land in the inbox instead of the spam folder.

Why this matters right now

If your emails are going to spam, you are almost certainly failing one of three DNS records: SPF, DKIM, or DMARC. And since February 2024, Google and Yahoo require all three for any sender pushing more than 5,000 emails per day to their users. Fail the checks and your delivery rate drops off a cliff — inbox placement moves to spam, and in many cases messages get rejected at the SMTP level before they ever touch the recipient's mailbox.

The numbers are ugly. Roughly 80% of small businesses fail at least one of these email authentication checks. Most don't know until a customer says "I never got your quote" or an onboarding email quietly disappears into a junk folder. By then you have already lost the deal.

That is why a free SPF DKIM DMARC checker is the single fastest way to diagnose your email deliverability problem. You don't need to read RFC documents or pay for an enterprise deliverability suite. You need a URL, thirty seconds, and a report that tells you what to fix.

What each protocol actually does

Email authentication is layered. Each protocol solves a different problem, and you need all of them working together to pass modern inbox provider checks.

SPF (Sender Policy Framework)

SPF is a DNS TXT record that lists the servers allowed to send email on behalf of your domain. When Gmail receives a message claiming to come from [email protected], it looks up your SPF record and asks: "Is this sending IP on the approved list?" If not, the message gets flagged as potential spoofing.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every outgoing email. Your sending server signs the message with a private key, and the receiver verifies it using a public key published in your DNS. If anything was altered in transit — headers, body, attachments — the signature breaks and the email is rejected or flagged. DKIM proves two things: the message came from your domain, and it hasn't been tampered with.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC is the policy layer that sits on top of SPF and DKIM. It tells inbox providers what to do when SPF or DKIM fail: p=none (monitor only), p=quarantine (send to spam), or p=reject (bounce). DMARC also enables aggregate reporting so you can see who is sending mail as your domain — a crucial tool for catching spoofing attempts.

BIMI (Brand Indicators for Message Identification)

BIMI is the reason some emails show a logo next to the sender name in Gmail. To qualify, you need DMARC at p=quarantine or p=reject, a trademark-verified logo, and a Verified Mark Certificate (VMC). It is a visible trust signal that also lifts open rates.

MTA-STS (Mail Transfer Agent Strict Transport Security)

MTA-STS forces incoming email servers to use TLS encryption when delivering mail to your domain. Without it, attackers can downgrade connections to plaintext. With it, Gmail and Microsoft 365 will refuse to deliver unencrypted mail to you.

What our free checker verifies (13 checks)

Our free SPF DKIM DMARC checker runs thirteen individual tests against your domain's DNS and mail infrastructure. Here is everything it looks at.

  • SPF record exists — is there a v=spf1 TXT record at all?
  • SPF not too permissive — does it end in +all? That is effectively no SPF at all and allows anyone to spoof your domain.
  • SPF DNS lookup limit — SPF has a hard 10-lookup limit. Too many include: statements break the record silently.
  • DMARC record exists — is there a _dmarc TXT record?
  • DMARC policy not "none"p=none is monitoring only and does not protect deliverability. You need p=quarantine or p=reject.
  • DMARC reporting configured — are rua and ruf addresses set so you receive aggregate and forensic reports?
  • DKIM selector found — we probe 20 common selectors (google, selector1, s1, k1, mandrill, resend, etc.) to detect whether your provider has published a DKIM key.
  • MX records present — can your domain actually receive email?
  • BIMI record — is a brand logo published for Gmail display?
  • MTA-STS policy — is inbound TLS enforcement in place?
  • TLSRPT record — does your domain report TLS delivery failures?
  • Reverse DNS (PTR) match — does your sending IP resolve back to a hostname that matches your domain? Broken PTR is a top cause of Gmail spam placement.
  • Google and Yahoo bulk sender compliance — a combined scorecard telling you whether you meet the February 2024 requirements.

    • No signup, no credit card, no dashboard to configure. Paste your domain and get the report.

    How to use the free SPF DKIM DMARC checker

    It takes three steps.

  • Go to weleadlab.com/website-analyzer/ and enter your domain (e.g. yourbrand.com).
  • Wait about 15 seconds while we query your DNS, probe DKIM selectors, test MTA-STS, and check Google/Yahoo compliance.
  • Read the report. Each of the 13 checks is marked pass, warning, or fail, with a plain-English fix next to any problem.

    • That is it. Share the report URL with your developer or email provider and they will know exactly what to change.

    Common problems and how to fix them

    After running the free SPF DKIM DMARC checker on thousands of domains, we see the same four issues over and over.

    Problem: No SPF record at all

    Fix: Add a TXT record at your domain's root. If you use Google Workspace:

    `` v=spf1 include:_spf.google.com ~all `

    Replace the include: with your actual provider (include:mailgun.org, include:spf.resend.com, include:_spf.salesforce.com, etc.). End with ~all (soft fail) or -all (hard fail). Never end with +all.

    Problem: DMARC is stuck at p=none

    p=none is a monitoring mode. It tells Gmail "do nothing when SPF or DKIM fail." That is not authentication, it is a dry run. Fix: Once you have confirmed SPF and DKIM are passing (via DMARC aggregate reports), change your policy to: ` v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100 `

    Then, after a few weeks of clean reports, move to p=reject.

    Problem: SPF ends in +all

    The +all qualifier means "everyone is allowed to send mail as this domain." It is equivalent to having no SPF at all and is actively dangerous. Fix: Change the final mechanism to ~all (soft fail) or -all (hard fail).

    Problem: Missing DKIM signature

    Most providers will not sign your outbound mail until you explicitly enable DKIM and publish the public key in DNS.

  • Google Workspace: Admin console → Apps → Gmail → Authenticate email → Generate key → copy the TXT record into your DNS.
  • Resend: Add your domain, copy the resend._domainkey TXT record into your DNS, and verify.
  • Mailchimp: Domains → Authenticate → add the provided CNAME records.
  • Postmark, SendGrid, Mailgun, Brevo: all follow the same pattern — generate a key in the provider dashboard, paste the record into DNS, wait for verification.

    • Re-run the free SPF DKIM DMARC checker after making changes to confirm everything resolves.

    Google and Yahoo sender requirements (February 2024)

    In February 2024, Google and Yahoo rolled out new rules for anyone sending more than 5,000 messages per day to Gmail or Yahoo users. These rules apply to transactional, marketing, and cold outbound mail alike. The requirements are:

  • SPF and DKIM must both be configured and passing for your sending domain.
  • DMARC must be published with at least p=none (though quarantine or reject is strongly encouraged).
  • DMARC alignment is required — the From:` domain must align with the SPF or DKIM signing domain.
  • One-click unsubscribe (RFC 8058) must be implemented for marketing mail.
  • Spam complaint rate must stay under 0.3% (with a 0.1% target).
  • Reverse DNS (PTR) must be set on your sending IP.
  • Valid forward and reverse DNS must match.
  • TLS encryption is required for SMTP connections.

    • What happens if you fail? Gmail and Yahoo will rate-limit you first, then reject your mail outright. We have seen senders go from 98% inbox placement to 12% inbox placement in 72 hours when they lost compliance. Recovering takes weeks — often a full domain warm-up cycle on a fresh subdomain.

    The good news: running a free SPF DKIM DMARC checker once a month is enough to catch drift before it turns into a delivery emergency.

    Run the free check now

    Fixing your email authentication is one of the highest-leverage things you can do for your business this week. Better deliverability means every email you send is worth more — every cold pitch, every invoice, every newsletter, every password reset.

    Run the free SPF DKIM DMARC checker on your domain now at weleadlab.com/website-analyzer/. Thirty seconds. No signup. All 13 checks. See exactly what is broken and how to fix it.

    FAQ

    Is the WeLead Lab SPF DKIM DMARC checker really free?

    Yes. All 13 email authentication checks — SPF, DKIM, DMARC, BIMI, MTA-STS, TLSRPT, reverse DNS, MX, and Google/Yahoo bulk sender compliance — are completely free to run. No signup, no credit card, no rate limits for normal use.

    How do you check DKIM without knowing my selector?

    Our checker probes the 20 most common DKIM selectors used by major providers (Google Workspace, Microsoft 365, Resend, Mailgun, Mailchimp, Postmark, SendGrid, Amazon SES, Brevo, and others). If your provider uses a custom selector we don't detect, you will see a warning — that does not mean DKIM is broken, only that we couldn't auto-detect it.

    What is the difference between SPF, DKIM, and DMARC?

    SPF lists which servers are allowed to send mail as your domain. DKIM cryptographically signs each message to prove it came from you and was not altered. DMARC is the policy that tells receivers what to do when SPF or DKIM fail, and it enables reporting so you can see who is sending as your domain. You need all three for modern email deliverability.

    Will fixing SPF and DMARC actually get my emails out of spam?

    In most cases, yes — but only if spam placement is being caused by authentication failures. Other factors include sending IP reputation, content quality, complaint rates, and list hygiene. Authentication is the foundation; fixing it is necessary but not always sufficient. Run the free SPF DKIM DMARC checker first to rule out the easy wins.

    How often should I run the checker?

    Run it once now to establish a baseline, then monthly to catch drift. Also run it whenever you add a new email provider, migrate DNS, change hosting, or notice a sudden drop in open rates — those are the moments when SPF or DKIM most often breaks silently. Google and Yahoo won't send you a warning, so you have to check yourself.

    VK
    Vladimir Kamenev
    Founder

    25 years in industry

    Want us to build your website free?

    Custom website + 30+ SEO articles/month + AI search optimization. $500/month, no contracts.

    Get Your Free Website →