Email Auth Validator

The InteSys Email Auth Validator checks SPF, DKIM, and DMARC records for any domain, identifying configuration errors and providing actionable recommendations. Access it at intesys.io/tools/emailauth.

What It Validates

SPF (Sender Policy Framework)

The validator checks your SPF record for:

  • Record existence — Does a valid SPF TXT record exist?
  • Syntax — Is the record properly formatted according to RFC 7208?
  • Lookup count — Does the record stay within the 10 DNS lookup limit?
  • Mechanisms — Are include, ip4, ip6, and other mechanisms valid?
  • Qualifier — Is the all mechanism set to -all (reject), ~all (soft fail), or ?all (neutral)?
  • Duplicate records — Only one SPF record is allowed per domain

DKIM (DomainKeys Identified Mail)

To validate DKIM, enter the domain and the DKIM selector (e.g., intesys or google). The validator then checks:

  • Key existence — Does the DKIM public key record exist at selector._domainkey.domain?
  • Key format — Is the public key properly formatted?
  • Key size — Is the RSA key at least 1024 bits (2048 recommended)?
  • Algorithm — Which signing algorithm is configured (RSA, Ed25519)?

DMARC (Domain-based Message Authentication, Reporting and Conformance)

  • Record existence — Does a DMARC record exist at _dmarc.domain?
  • Policy — What action is specified for failures (none, quarantine, reject)?
  • Subdomain policy — Is sp= set for subdomain handling?
  • Reporting — Are rua (aggregate) and ruf (forensic) report addresses configured?
  • Percentage — What percentage of messages does the policy apply to?
  • Alignment — SPF and DKIM alignment mode (strict vs relaxed)

How to Use

  1. Navigate to intesys.io/tools/emailauth
  2. Enter the domain you want to validate (e.g., example.com)
  3. Optionally enter a DKIM selector to check DKIM records
  4. Click Validate
  5. Review results for each authentication method

Understanding Results

Each check returns one of three statuses:

Status    Meaning
Pass      Record is correctly configured
Warning   Record exists but has suboptimal settings
Fail      Record is missing or misconfigured

Common Warnings and Fixes

SPF: Too many DNS lookups

Your SPF record exceeds the 10-lookup limit. Consolidate include mechanisms, replace hostnames with ip4/ip6 ranges where possible, or use SPF flattening services.
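How the lookup count adds up across nested includes, and what flattening does to it, shown as an added Python example (not the InteSys validator's own code). SAMPLE_ZONE, count_lookups and within_limit are hypothetical names, the zone data is constructed, and the count is a static worst case: a real SPF evaluation stops at the first matching mechanism and expands macros, which this does not.

```python
import re

# Terms that cost one DNS query each under RFC 7208 section 4.6.4.
# ip4, ip6, all and the exp modifier do not count toward the limit.
QUERYING_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

# Constructed sample zone (domain -> SPF TXT record); stands in for live DNS.
SAMPLE_ZONE = {
    "example.com": "v=spf1 a mx include:_spf.mailhost.example "
                   "include:crm.example include:news.example ~all",
    "_spf.mailhost.example": "v=spf1 include:_a.mailhost.example "
                             "include:_b.mailhost.example include:_c.mailhost.example -all",
    "_a.mailhost.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_b.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_c.mailhost.example": "v=spf1 ip6:2001:db8::/32 -all",
    "crm.example": "v=spf1 a:mail.crm.example mx exists:%{i}.allow.crm.example -all",
    "news.example": "v=spf1 include:_spf.mailhost.example -all",
    # Flattened variant: the mail host's includes replaced by its address ranges.
    "flat.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                    "ip6:2001:db8::/32 include:crm.example ~all",
}


def count_lookups(domain, zone, path=()):
    """Static worst-case count of DNS-querying terms reachable from domain."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in terms[1:]:
        term = term.lstrip("+-~?")                    # drop the qualifier
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in QUERYING_TERMS:
            total += 1
        if name in ("include", "redirect"):           # these pull in another record
            total += count_lookups(term[len(name) + 1:], zone, path + (domain,))
    return total


def within_limit(domain, zone):
    """True when the record tree stays within the 10-lookup limit."""
    return count_lookups(domain, zone) <= LOOKUP_LIMIT
```

The path tuple tracks only the current include chain, so a record included from two branches is counted twice, as it would be queried twice.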

DMARC: Policy set to none

A p=none policy only monitors — it does not protect your domain from spoofing. After confirming legitimate sources pass authentication, move to p=quarantine and eventually p=reject.

DKIM: Key size below 2048 bits

While 1024-bit keys are still functional, 2048-bit RSA keys are recommended for long-term security. Ask your email provider to rotate to a larger key.

Typical Workflow

  1. Initial check — Run the validator on your domain to see current status
  2. Fix issues — Update DNS records based on the recommendations
  3. Wait for propagation — DNS changes can take up to 48 hours (usually minutes)
  4. Re-validate — Run the tool again to confirm fixes
  5. Periodic monitoring — Re-check monthly or after any DNS changes

Use Before Going Live

Always validate your email authentication records before launching a new domain, migrating email providers, or enabling transactional email sending. Catching errors before production saves deliverability reputation.