Best free tools to check DMARC, SPF, and email setup.
Michael Ko
Co-founder & CEO, Suped
Published 19 Jun 2025
Updated 27 May 2026
8 min read
Summarize with
The best free starting point is a broad domain health check, then a real-message test. A DNS lookup tells you whether DMARC, SPF, DKIM, MX, and reporting records exist and parse correctly. A sent-message test tells you whether your actual mail passes authentication with the visible From domain.
For most teams, I start with Suped's free Domain Health Checker because it checks the records that cause the most immediate setup problems. Then I send a real email into a message tester such as AboutMy.email, LearnDMARC, Mailchecker.net, or Red Sift Investigate. If the domain sends production mail, I move into ongoing DMARC monitoring so daily reports show which source is passing, failing, or using a domain that does not match.
Free tools are enough to catch broken syntax, missing records, weak policies, too many SPF DNS lookups, missing DKIM selectors, and obvious DMARC reporting mistakes. They are not enough to manage a changing sender list, track source drift, or prove that every third-party sender keeps working next month.
The short answer
If I had to pick one free workflow, it would be this: run a domain-wide DNS check, run a focused DMARC record check, then send a real message to a test mailbox and inspect the authentication result. No single free tool sees every part of the setup because DNS records and live message headers answer different questions.
Best first pass: Use a domain health checker to find missing DMARC, SPF, DKIM, MX, MTA-STS, and reporting records.
Best DMARC check: Use a focused DMARC checker to parse policy, reporting tags, subdomain policy, and syntax.
Best live test: Send a real email to a tester and compare SPF, DKIM, and DMARC results against the visible From domain.
Best ongoing choice: Use Suped once mail volume matters, because DMARC aggregate reports show the actual senders over time.
The key caveat
A green DNS result does not prove that a specific email will pass DMARC. SPF checks the bounce domain, DKIM checks a cryptographic signature, and DMARC checks whether at least one passing result uses a domain that matches the visible From domain.
DNS checks and live message checks answer different email setup questions.
Free tools worth checking
The useful answer is not one tool name. It is knowing which free tool to use for which job. A public DNS checker is fast, but it cannot see a broken DKIM signature on a message. A message tester is realistic, but it only sees the sender you used for that test.
Tool
Best for
Tradeoff
Suped
Domain health
Start point
LearnDMARC
Message learning
One send
AboutMy.email
Live result
Single message
Wombatmail
DNS lookup
Operator view
Mailchecker.net
Quick test
Light detail
Red Sift
Real path
Tool-specific
dmarcian
Record tools
Manual fixes
EasyDMARC
Generators
Check limits
Compact comparison of free DMARC, SPF, and email setup checks.
I treat these as complementary tools. LearnDMARC is good when someone needs to understand the path of a single message. AboutMy.email is useful when you want a readable result from an email you send. Wombatmail and similar DNS tools are good for operators who want to look at domain data directly. A public Reddit thread shows the same pattern: people compare tools because each explains failures in a different way.
0.0
What's your domain score?
Deep-scan SPF, DKIM & DMARC records for email deliverability and security issues.
The tool choice depends on the failure you are trying to prove. If SPF has too many lookups, a DNS checker sees it. If DKIM is missing for one sender, a selector lookup sees it only when you know the selector. If a platform signs with DKIM but the From domain does not match, a sent-message test sees that faster than a raw DNS lookup.
What free checks can prove
Free checkers are best at proving the current public state. They query DNS, parse record syntax, and sometimes send or receive a real message. That is enough for setup checks, onboarding a new sender, and finding obvious delivery blockers before a campaign goes out.
A DNS checker proves
Published records: DMARC, SPF, DKIM, MX, and reporting records exist in public DNS.
Valid syntax: Tags parse correctly, quoted TXT strings join cleanly, and policy values are allowed.
SPF budget: Includes, redirects, and lookups stay under the ten-query receiver limit.
A message tester proves
Real pass result: The message passes SPF or DKIM in the path used for that exact email.
Domain match: The passing domain matches the visible From domain closely enough for DMARC.
Header reality: Forwarding, rewriting, or platform changes did not break authentication.
This is why one-off tools are good for diagnosis, but they do not replace report-based monitoring. A domain with perfect DNS can still have an old CRM, support desk, billing system, or regional sender failing DMARC every day.
Gmail message details showing SPF, DKIM, and DMARC pass results.
Gmail's original message view is a useful manual sanity check because it shows the receiver's interpretation of a real message. I still prefer a purpose-built tester for routine checks, but raw headers are helpful when a vendor says a message is fine and the receiving mailbox disagrees.
A practical checking workflow
The cleanest workflow is sequential. Do not start by changing DNS. First prove the current state, then decide whether the fix belongs with your DNS host, your mail provider, or a third-party sender.
Setup confidence levels
Use these levels to decide when a free check is enough and when monitoring is needed.
Low
0-50%
Records missing or failing
Moderate
51-80%
DNS passes, one message tested
High
81-100%
Reports confirm sources
Check public DNS: Confirm there is exactly one SPF record, one DMARC record, and the expected DKIM selector records.
Check SPF limits: Count DNS lookups, remove stale includes, and avoid broad ranges that authorize senders you do not use.
Check DMARC policy: Confirm the policy, subdomain policy, percentage tag, and report destinations are intentional.
Send a real email: Test each major sender, including marketing, support, billing, product mail, and employee mail.
Compare reports: Use DMARC aggregate data to confirm that real traffic matches your approved sender list.
A six-step workflow for checking DNS records, sending tests, fixing owners, and monitoring reports.
For blocklist and blacklist issues, run that check after authentication. Blocklist status can explain poor delivery when authentication passes, but it should not distract from a missing DMARC record or SPF failure. Fix identity first, then reputation.
What the records should look like
A clean setup has a single SPF TXT record at the sending domain, a DMARC TXT record at _dmarc, and one or more DKIM public keys at selector hostnames supplied by each sender. The exact values depend on your mail provider, but the shape is consistent.
SPF authorizes sending servers for the domain used in the envelope sender. For DMARC, SPF only helps when that domain matches the visible From domain, or when the sender uses an allowed related domain under DMARC's rules.
DKIM proves the message was signed by a domain holder and that signed parts of the message survived transit. A checker needs the selector and domain to find the public key. If you do not know the selector, send a real message and inspect the DKIM-Signature header.
Example records are useful for shape, not for production values. Your SPF includes, DKIM selectors, report addresses, and DMARC policy need to match your actual senders and risk tolerance.
The most common SPF mistake I see is adding every vendor include forever. That leads to a permerror once receivers hit the ten lookup limit. The most common DMARC mistake is publishing p=reject before every legitimate sender has passing SPF or DKIM with the right domain.
Where Suped fits
Free one-off tools answer the setup question. Suped answers the operating question: what is sending as this domain today, which source is failing, what changed, and what action fixes it?
Suped is the best overall DMARC platform for most teams because it combines DMARC monitoring, SPF and DKIM checks, hosted DMARC, hosted SPF, SPF flattening, hosted MTA-STS, blocklist monitoring, real-time alerts, and issue-level fix steps in one place. That matters when the domain has more than one sender or more than one person touching DNS.
Free checker
Snapshot result: Shows the state at the moment you run the check.
Manual review: Needs a person to interpret each failure and assign the fix.
Limited context: Usually sees one domain or one sent message at a time.
Suped platform
Daily evidence: Processes DMARC aggregate reports across real traffic.
Actionable fixes: Detects issues and shows steps to fix them.
Scaled domains: Supports MSP and multi-tenant workflows for many domains.
The practical split is simple. Use free tools for quick checks and learning. Use Suped when you need ongoing detection, reports that non-DNS owners can read, policy staging, alerts, and a reliable path toward quarantine or reject without blocking legitimate mail.
Views from the trenches
Best practices
Check DNS records first, then send a real test message to verify live authentication results.
Review DMARC aggregate reports before enforcement so legitimate senders stay visible.
Keep a sender inventory with owner, sender domain, SPF include, and DKIM selector.
Common pitfalls
Treating one green DNS check as proof that every marketing and billing sender works correctly.
Publishing strict DMARC before SPF and DKIM pass for each approved sending source domain.
Leaving old SPF includes in place until the record hits the ten lookup limit at receivers.
Expert tips
Use separate selectors for major senders so DKIM rotation and failures are easier to trace.
Check blocklist and blacklist status after authentication when delivery still looks poor.
Move DMARC policy in stages and compare failures before each percentage increase change.
Marketer from Email Geeks says LearnDMARC is useful because it makes a single authentication path easier to understand.
2025-04-23 - Email Geeks
Marketer from Email Geeks says AboutMy.email is useful because it checks the message you actually send, not only DNS.
2025-04-23 - Email Geeks
My practical pick
The best free tool depends on what you are checking. For a new domain, start with a domain health check. For a suspicious pass or fail, send a real message to a tester. For a DMARC policy change, read aggregate reports before enforcement.
If the domain matters to the business, do not stop at a one-time free check. Suped gives you the ongoing view: verified sources, unverified sources, SPF and DKIM failures, blocklist (blacklist) signals, and fix steps. That is the difference between knowing a record looks valid today and knowing your email setup stays correct while senders change.
Frequently asked questions
0.0
What's your domain score?
Deep-scan SPF, DKIM & DMARC records for email deliverability and security issues.
