How do you verify all authentication records (SPF, DKIM, DMARC, BIMI)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've set up SPF, DKIM, DMARC, and maybe even BIMI. But how do you actually confirm they're all in place and doing what they should? Here's how to check each one, what to look for, and what a valid result actually looks like.
SPF
Your SPF record lives at your domain's root (the "apex"), published as a TXT record. To check it from the command line, run dig TXT yourdomain.com. You're looking for a record that starts with v=spf1. A valid SPF record lists the mail servers authorized to send on your behalf, and ends with either ~all (soft fail) or -all (hard fail). If you see nothing, or multiple records starting with v=spf1, there's a problem. You can only have one.
If you'd rather skip the terminal, our free SPF checker does the same thing in your browser and flags common mistakes too.
DKIM
DKIM is a little trickier because you need to know your DKIM selector before you can look anything up. The selector is a short string your ESP assigns (often something like google, s1, or mail). Your ESP's documentation or DNS settings should tell you what yours is.
Once you have it, run dig TXT selector._domainkey.yourdomain.com. A valid result returns a TXT record containing v=DKIM1 and a public key starting with p=. If the p= value is empty or missing entirely, the key has been revoked or never properly published.
DMARC
DMARC always lives at _dmarc.yourdomain.com, so there's no selector to hunt down. Run dig TXT _dmarc.yourdomain.com and look for a record starting with v=DMARC1. The two things to check straight away are the policy (p=none, p=quarantine, or p=reject) and whether there's a reporting address in the rua= tag. Without a reporting address, you're flying blind even if the policy is set correctly.
But you can paste your raw DMARC record into our free DMARC parser to see exactly what each tag means in plain English.
BIMI
BIMI is optional, but if you've set it up, the record lives at default._bimi.yourdomain.com. Run dig TXT default._bimi.yourdomain.com and look for v=BIMI1, a l= tag pointing to your SVG logo, and optionally an a= tag pointing to your VMC certificate. Without a VMC, BIMI works in some mailboxes but not all (Gmail requires the certificate).
Putting it all together
Running all four checks manually is fine, but the real goal is understanding what "valid" means for each one. SPF tells receivers who's allowed to send. DKIM proves the message wasn't tampered with. DMARC tells receivers what to do when either check fails. BIMI is the visual layer on top. Miss one, and you've got a gap that can hurt your alignment or leave your domain open to spoofing.
If you want a single view of all four for your domain, our DKIM checker and SPF checker are both free. Or if something looks off and you're not sure why, reach out on the SOS hotline and we'll take a look with you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.