Skip to main content
Aarunya AppsAarunya Apps

How it works

  1. 1

    Enter a domain

    Type any domain name. The tool doesn't need an email address — just the domain (e.g. yourcompany.com).

  2. 2

    6 checks run in parallel

    SPF, DKIM (18 common selectors), DMARC, MX, BIMI, and MTA-STS DNS lookups all fire simultaneously via Cloudflare DoH.

  3. 3

    Review health score and fix issues

    Expand any failed check to see the raw DNS record, parsed fields, and actionable fix instructions.

DNS Email Diagnostics

Comprehensive email authentication check — SPF, DMARC, DKIM, MX, BIMI, and MTA-STS in a single lookup.

Runs 5+ parallel DNS lookups via Cloudflare DoH + probes 17 DKIM selectors. 0/10 free today

🔍

6 checks in one

SPF, DKIM (18 selectors), DMARC, MX, BIMI, MTA-STS — all run in parallel.

Instant results

All DNS queries run via Cloudflare DoH concurrently. Most domains resolve in under 3 seconds.

🛡️

Privacy-respecting

Only your domain name is queried. No email addresses, no content, no tracking.

🛡️ Verify zero uploads — open DevTools → Network tab

Open your browser's DevTools (F12), go to the Network tab, and use this tool. You will see zero outbound requests — all processing runs inside your browser sandbox via WebAssembly or pure JavaScript. Nothing you paste or upload is ever sent anywhere.

Use cases

Pre-send deliverability check

Before a major email campaign, verify the sending domain has valid SPF, DKIM, and DMARC — the three records that determine inbox vs. spam.

New domain email setup audit

After provisioning a new domain for email, confirm all 6 authentication records are in place before going live.

Vendor email domain due diligence

Check a third-party vendor's email authentication setup before allowing them to send on your behalf or adding them to a shared brand.

Frequently Asked Questions

What is the difference between SPF, DKIM, and DMARC?

SPF (TXT record) authorises which servers can send email from your domain. DKIM (TXT record at {selector}._domainkey.{domain}) adds a cryptographic signature to outgoing messages. DMARC (TXT record at _dmarc.{domain}) ties SPF and DKIM together and tells receiving servers what to do with unauthenticated mail (none/quarantine/reject). You need all three for strong email authentication.

Why doesn't the tool find my DKIM record?

DKIM records are stored at a custom selector path chosen by your email provider (e.g. google._domainkey or s1._domainkey). This tool checks 18 common selectors. If yours isn't found, check your provider's DNS setup page for the exact selector name, then query {selector}._domainkey.{yourdomain} in your DNS manager.

What is MTA-STS and why does it matter?

MTA-STS (RFC 8461) forces SMTP servers sending to your domain to use TLS. Without it, a man-in-the-middle attacker can downgrade delivery to unencrypted SMTP. MTA-STS requires a TXT record at _mta-sts.{domain} and a policy file at https://mta-sts.{domain}/.well-known/mta-sts.txt.

Why is BIMI shown as 'skip' and not 'fail'?

BIMI is optional — it adds your brand logo to inbox previews but has no impact on email deliverability. Not having a BIMI record is fine for most senders. The tool marks it as 'skip' (not 'fail') so a missing BIMI doesn't drag down your health score.

My DMARC policy is p=none — is that a problem?

p=none is a monitoring-only policy. It means receiving servers report back to your rua= address but don't quarantine or reject unauthenticated mail. It's fine as a starting point, but you should move to p=quarantine or p=reject once you've verified your legitimate senders are all authenticated.

Is data about the domains I check stored anywhere?

No. DNS lookups go directly from your browser to Cloudflare's DNS-over-HTTPS endpoint. No domain names or results are stored on Aarunya Apps servers.

Want unlimited access + saved history?

Pro is $6/month · 30-day money-back guarantee.

Official specifications & references

Embed or share this toollink · markdown · html · iframe
https://aarunyaapps.com/email-diagnostics

Related Tools