How it works
- 1
Enter a domain
Type any domain name. The tool doesn't need an email address — just the domain (e.g. yourcompany.com).
- 2
6 checks run in parallel
SPF, DKIM (18 common selectors), DMARC, MX, BIMI, and MTA-STS DNS lookups all fire simultaneously via Cloudflare DoH.
- 3
Review health score and fix issues
Expand any failed check to see the raw DNS record, parsed fields, and actionable fix instructions.
DNS Email Diagnostics
Comprehensive email authentication check — SPF, DMARC, DKIM, MX, BIMI, and MTA-STS in a single lookup.
Runs 5+ parallel DNS lookups via Cloudflare DoH + probes 17 DKIM selectors. 0/10 free today
🔍
6 checks in one
SPF, DKIM (18 selectors), DMARC, MX, BIMI, MTA-STS — all run in parallel.
⚡
Instant results
All DNS queries run via Cloudflare DoH concurrently. Most domains resolve in under 3 seconds.
🛡️
Privacy-respecting
Only your domain name is queried. No email addresses, no content, no tracking.
🛡️ Verify zero uploads — open DevTools → Network tab
Open your browser's DevTools (F12), go to the Network tab, and use this tool. You will see zero outbound requests — all processing runs inside your browser sandbox via WebAssembly or pure JavaScript. Nothing you paste or upload is ever sent anywhere.
Use cases
Pre-send deliverability check
Before a major email campaign, verify the sending domain has valid SPF, DKIM, and DMARC — the three records that determine inbox vs. spam.
New domain email setup audit
After provisioning a new domain for email, confirm all 6 authentication records are in place before going live.
Vendor email domain due diligence
Check a third-party vendor's email authentication setup before allowing them to send on your behalf or adding them to a shared brand.
Frequently Asked Questions
What is the difference between SPF, DKIM, and DMARC?
SPF (TXT record) authorises which servers can send email from your domain. DKIM (TXT record at {selector}._domainkey.{domain}) adds a cryptographic signature to outgoing messages. DMARC (TXT record at _dmarc.{domain}) ties SPF and DKIM together and tells receiving servers what to do with unauthenticated mail (none/quarantine/reject). You need all three for strong email authentication.
Why doesn't the tool find my DKIM record?
DKIM records are stored at a custom selector path chosen by your email provider (e.g. google._domainkey or s1._domainkey). This tool checks 18 common selectors. If yours isn't found, check your provider's DNS setup page for the exact selector name, then query {selector}._domainkey.{yourdomain} in your DNS manager.
What is MTA-STS and why does it matter?
MTA-STS (RFC 8461) forces SMTP servers sending to your domain to use TLS. Without it, a man-in-the-middle attacker can downgrade delivery to unencrypted SMTP. MTA-STS requires a TXT record at _mta-sts.{domain} and a policy file at https://mta-sts.{domain}/.well-known/mta-sts.txt.
Why is BIMI shown as 'skip' and not 'fail'?
BIMI is optional — it adds your brand logo to inbox previews but has no impact on email deliverability. Not having a BIMI record is fine for most senders. The tool marks it as 'skip' (not 'fail') so a missing BIMI doesn't drag down your health score.
My DMARC policy is p=none — is that a problem?
p=none is a monitoring-only policy. It means receiving servers report back to your rua= address but don't quarantine or reject unauthenticated mail. It's fine as a starting point, but you should move to p=quarantine or p=reject once you've verified your legitimate senders are all authenticated.
Is data about the domains I check stored anywhere?
No. DNS lookups go directly from your browser to Cloudflare's DNS-over-HTTPS endpoint. No domain names or results are stored on Aarunya Apps servers.
Want unlimited access + saved history?
Pro is $6/month · 30-day money-back guarantee.
Official specifications & references
RFC 7208 — Sender Policy Framework (SPF)
Defines SPF record syntax, mechanisms (+/−/~/? qualifiers), and the 10-lookup limit.
RFC 6376 — DomainKeys Identified Mail (DKIM)
DKIM signature standard — public key DNS record format and signature verification.
RFC 7489 — DMARC
Domain-based Message Authentication, Reporting, and Conformance — policy and reporting spec.
RFC 8461 — MTA-STS
SMTP MTA Strict Transport Security — forces TLS for inbound SMTP delivery.
BIMI Group — Specification
Brand Indicators for Message Identification — the logo-in-inbox standard.
OWASP — Email Security Cheat Sheet
OWASP guidance on SPF, DKIM, DMARC hardening and common email attack vectors.
Embed or share this toollink · markdown · html · iframe
https://aarunyaapps.com/email-diagnostics