How do you verify all authentication records (SPF, DKIM, DMARC, BIMI)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've set up SPF, DKIM, DMARC, and maybe even BIMI. But how do you actually confirm they're all in place and doing what they should? Here's how to check each one, what to look for, and what a valid result actually looks like.

SPF

Your SPF record lives at your domain's root (the "apex"), published as a TXT record. To check it from the command line, run dig TXT yourdomain.com. You're looking for a record that starts with v=spf1. A valid SPF record lists the mail servers authorized to send on your behalf, and ends with either ~all (soft fail) or -all (hard fail). If you see nothing, or multiple records starting with v=spf1, there's a problem. You can only have one.

If you'd rather skip the terminal, our free SPF checker does the same thing in your browser and flags common mistakes too.

DKIM

DKIM is a little trickier because you need to know your DKIM selector before you can look anything up. The selector is a short string your ESP assigns (often something like google, s1, or mail). Your ESP's documentation or DNS settings should tell you what yours is.

Once you have it, run dig TXT selector._domainkey.yourdomain.com. A valid result returns a TXT record containing v=DKIM1 and a public key starting with p=. If the p= value is empty or missing entirely, the key has been revoked or never properly published.

DMARC

DMARC always lives at _dmarc.yourdomain.com, so there's no selector to hunt down. Run dig TXT _dmarc.yourdomain.com and look for a record starting with v=DMARC1. The two things to check straight away are the policy (p=none, p=quarantine, or p=reject) and whether there's a reporting address in the rua= tag. Without a reporting address, you're flying blind even if the policy is set correctly.

But you can paste your raw DMARC record into our free DMARC parser to see exactly what each tag means in plain English.

BIMI

BIMI is optional, but if you've set it up, the record lives at default._bimi.yourdomain.com. Run dig TXT default._bimi.yourdomain.com and look for v=BIMI1, a l= tag pointing to your SVG logo, and optionally an a= tag pointing to your VMC certificate. Without a VMC, BIMI works in some mailboxes but not all (Gmail requires the certificate).

Putting it all together

Running all four checks manually is fine, but the real goal is understanding what "valid" means for each one. SPF tells receivers who's allowed to send. DKIM proves the message wasn't tampered with. DMARC tells receivers what to do when either check fails. BIMI is the visual layer on top. Miss one, and you've got a gap that can hurt your alignment or leave your domain open to spoofing.

If you want a single view of all four for your domain, our DKIM checker and SPF checker are both free. Or if something looks off and you're not sure why, reach out on the SOS hotline and we'll take a look with you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check your authentication records

Help me verify my email authentication setup. My domain is your domain and I send through your ESP or mail server. Please check each of the following and tell me whether each record is valid, what each tag means, and whether anything looks misconfigured: SPF record, DKIM record (selector: your selector, if known), DMARC record, and BIMI record (if set up). Flag any missing records or settings that could affect deliverability.

Edit the yellow boxes, then send to the AI of your choice.