How to Check if Your Domain Has SPF, DKIM, DMARC and DNSSEC Configured Correctly
SPF, DKIM, DMARC and DNSSEC are the four DNS-level controls that decide whether attackers can spoof your domain or hijack your traffic. Most domains have at least one of them broken or missing — usually DKIM or DNSSEC. This guide shows you exactly how to check each one (with copy-paste commands), what 'configured correctly' actually means, and how to fix the common mistakes. If you'd rather skip the manual work, our free scanner runs all four checks plus 166 others in 30 seconds.
The shortlist
1. Check SPF
Where: TXT record at the apex (yourdomain.com)
Purpose: authorising sending IPs
Pros
- Command: dig +short TXT yourdomain.com | grep spf1
- Look for: v=spf1 ... -all (hard fail) or ~all (soft fail)
- Stay under 10 DNS lookups (RFC 7208 §4.6.4) — flatten if you're over
Watch-outs
- Common mistake: ending with +all (allows everyone)
- Common mistake: more than one SPF record on the same name
2. Check DKIM
Where: TXT record at selector._domainkey.yourdomain.com
Purpose: cryptographically signing outbound mail
Pros
- Command: dig +short TXT google._domainkey.yourdomain.com (selector varies per provider)
- Look for: v=DKIM1; k=rsa; p=<long base64 public key>
- Each sending platform (Google, Microsoft 365, SendGrid, Mailgun) has its own selector
Watch-outs
- Common mistake: forgetting to publish a selector after a provider migration
- Common mistake: using a 1024-bit key — modern receivers prefer 2048-bit
3. Check DMARC
Where: TXT record at _dmarc.yourdomain.com
Purpose: telling receivers what to do when SPF/DKIM fail
Pros
- Command: dig +short TXT _dmarc.yourdomain.com
- Look for: v=DMARC1; p=quarantine|reject; rua=mailto:dmarc@...
- Aim for p=reject once aggregate reports are clean
Watch-outs
- Common mistake: stopping at p=none — that's monitoring only, no protection
- Common mistake: no rua address — you're flying blind on spoofing attempts
4. Check DNSSEC
Where: signed at the registrar / DNS provider level
Purpose: cryptographically signing all DNS responses
Pros
- Command: dig +dnssec yourdomain.com — look for the 'ad' flag in the header (the flag is only set when the resolver you query performs DNSSEC validation)
- Or: dig DS yourdomain.com — should return one or more DS records at the parent zone
- Use https://dnsviz.net for a full chain-of-trust visualisation
Watch-outs
- Common mistake: enabling DNSSEC at the DNS host but not publishing the DS record at the registrar
- Common mistake: rolling keys without coordinating the DS update with the registrar — once the published DS no longer matches any DNSKEY, validating resolvers fail your domain, so expect an outage in 4 hours
At a glance
| Feature | Security Monitor | Others |
|---|---|---|
| SPF | v=spf1 ... -all, <10 lookups | tools/spf |
| DKIM | 2048-bit selector per sender | manual dig per selector |
| DMARC | p=quarantine or p=reject + rua | tools/dmarc |
| DNSSEC | DS record published at registrar | dig +dnssec / dnsviz.net |
| MTA-STS (bonus) | Policy file at mta-sts.yourdomain.com | Often missed |
| BIMI (bonus) | VMC + selector record | Requires verified logo |
Frequently asked questions
How do I check if my domain has SPF, DKIM, DMARC and DNSSEC?
Run these four dig commands: (1) SPF: dig +short TXT yourdomain.com | grep spf1 — should return a single record ending in -all or ~all. (2) DKIM: dig +short TXT <selector>._domainkey.yourdomain.com — selector depends on your provider. (3) DMARC: dig +short TXT _dmarc.yourdomain.com — look for p=quarantine or p=reject. (4) DNSSEC: dig DS yourdomain.com — should return DS records. Or run a free Security Monitor scan and get all four results in one report.
What does 'correctly configured' mean for each?
SPF is correct when you have exactly one v=spf1 TXT record that needs fewer than 10 DNS lookups and ends with -all (hard fail) or ~all (soft fail) — never +all. DKIM is correct when every sending platform has a published selector with a 2048-bit key. DMARC is correct when the policy is at least p=quarantine (ideally p=reject) and an aggregate (rua) reporting address is set. DNSSEC is correct when the chain of trust validates end-to-end — the DS at the registrar matches a DNSKEY in the zone.
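The rules in the shortlist and in the answer above can be applied mechanically to the raw TXT records that dig returns. The script below is an added example, not part of this page or of the Security Monitor scanner: it takes the TXT strings for the apex, a DKIM selector and _dmarc as Python lists (paste in the output of the three dig commands) and reports the same mistakes the checklist names. The SPF lookup count follows the mechanism list in RFC 7208 §4.6.4; the DKIM key size is an estimate from the length of the decoded p= value (a 2048-bit RSA SubjectPublicKeyInfo is about 294 bytes of DER), which is an assumption chosen to keep the example dependency-free. The sample records are constructed and belong to no real domain.

```python
"""Offline checks for SPF, DKIM and DMARC records against the shortlist rules (added example)."""
import base64
import re

# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_tags(record):
    """Split a 'k=v; k=v' tag list; DKIM and DMARC records share this syntax."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    """Return a list of problems for the TXT records found at the apex (empty list = correct)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    problems = []
    if len(spf) > 1:
        problems.append("more than one SPF record (receivers treat this as a permanent error)")
    terms = spf[0].split()[1:]
    lookups = 0
    for term in terms:
        # Strip the qualifier (+ - ~ ?) and any argument to get the bare mechanism name.
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups (limit is 10)")
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):  # a bare 'all' defaults to the '+' qualifier
        problems.append("ends with +all (authorises every sender)")
    elif last not in ("-all", "~all"):
        problems.append(f"does not end with -all or ~all (found '{last or 'nothing'}')")
    return problems


def estimate_rsa_bits(der):
    """Rough modulus size from DER length: ~32 bytes of structure, then the modulus (assumption)."""
    return max(256, round((len(der) - 32) * 8 / 256) * 256)


def check_dkim(txt_records):
    """Return problems for the TXT records found at <selector>._domainkey.<domain>."""
    if not txt_records:
        return ["no DKIM record at this selector"]
    tags = parse_tags(txt_records[0])
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v tag is not DKIM1")
    p_value = re.sub(r"\s+", "", tags.get("p", ""))
    if not p_value:
        return problems + ["empty p= tag (key revoked or never published)"]
    try:
        der = base64.b64decode(p_value, validate=True)
    except ValueError:
        return problems + ["p= is not valid base64"]
    if tags.get("k", "rsa").lower() == "rsa":
        bits = estimate_rsa_bits(der)
        if bits < 2048:
            problems.append(f"RSA key is about {bits} bits; 2048 is expected")
    return problems


def check_dmarc(txt_records):
    """Return problems for the TXT records found at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record"]
    if len(dmarc) > 1:
        return ["more than one DMARC record"]
    tags = parse_tags(dmarc[0])
    problems = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        problems.append("p=none is monitoring only, no enforcement")
    elif policy not in ("quarantine", "reject"):
        problems.append(f"missing or invalid p tag ('{policy}')")
    if not tags.get("rua"):
        problems.append("no rua= address, so no aggregate reports")
    return problems


def audit(apex_txt, dkim_txt, dmarc_txt):
    """Run all three checks and return {'spf': [...], 'dkim': [...], 'dmarc': [...]}."""
    return {"spf": check_spf(apex_txt), "dkim": check_dkim(dkim_txt), "dmarc": check_dmarc(dmarc_txt)}


# Constructed sample records (no real domain or key). The p= values are placeholder
# zero bytes of the length a 2048-bit and a 1024-bit RSA SPKI would have.
SAMPLE_APEX_TXT = ["v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all", "site-verification=placeholder"]
SAMPLE_DKIM_2048 = ["v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(294)).decode()]
SAMPLE_DKIM_1024 = ["v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(162)).decode()]
SAMPLE_DMARC_OK = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]
SAMPLE_DMARC_WEAK = ["v=DMARC1; p=none"]

if __name__ == "__main__":
    for name, result in audit(SAMPLE_APEX_TXT, SAMPLE_DKIM_1024, SAMPLE_DMARC_WEAK).items():
        print(name, "OK" if not result else result)
```

Feed each function the list of quoted strings that `dig +short TXT` prints for the corresponding name; an empty list for every check is the "configured correctly" state described above.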
Can I check SPF, DKIM, DMARC and DNSSEC online without using dig?
Yes. Security Monitor's free scan checks all four (plus 166 other security signals) in 30 seconds and shows you the raw record, the policy strength, common mistakes, and exact copy-paste fixes. MXToolbox SuperTool and dnsviz.net are also widely used.
What happens if SPF, DKIM or DMARC is misconfigured?
If SPF or DKIM is wrong, your legitimate email starts landing in spam — and attackers can spoof your domain to your customers. If DMARC is missing or stuck on p=none, receivers have no instruction when authentication fails, so spoofed mail still gets through. If DNSSEC is partially configured (for example DNSKEY published but no DS at the registrar), DNS validation can fail and your entire domain may stop resolving for DNSSEC-validating resolvers.
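The DNSSEC failure case above comes down to one test: does the DS record at the parent (what `dig DS yourdomain.com` returns) correspond to a DNSKEY actually published in the zone? The following is an added example, not code from this page or from any DNS tool: it reproduces the key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 §5.1.4, SHA-256 as digest type 2) computations so you can confirm a DS/DNSKEY pair offline from the two dig outputs. The DNSKEY below is constructed with placeholder key bytes for illustration; it is not a usable key.

```python
"""Check that a parent-zone DS record matches a child-zone DNSKEY (added example, RFC 4034)."""
import base64
import hashlib

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased labels, length-prefixed, root byte last."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """Rebuild DNSKEY RDATA bytes from the presentation fields dig prints."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit checksum used to pick the candidate DNSKEY."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex as dig prints it."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, dnskey_text, digest_type=2):
    """Produce the DS presentation text the registrar should publish for this DNSKEY."""
    flags, proto, alg, *key_parts = dnskey_text.split()
    rdata = dnskey_rdata(int(flags), int(proto), int(alg), "".join(key_parts))
    return f"{key_tag(rdata)} {alg} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def ds_matches(owner, dnskey_text, ds_text):
    """True when ds_text ('keytag alg digesttype digest') was derived from dnskey_text."""
    flags, proto, alg, *key_parts = dnskey_text.split()
    rdata = dnskey_rdata(int(flags), int(proto), int(alg), "".join(key_parts))
    tag, ds_alg, digest_type, *digest_parts = ds_text.split()
    if int(tag) != key_tag(rdata) or int(ds_alg) != int(alg):
        return False
    return ds_digest(owner, rdata, int(digest_type)) == "".join(digest_parts).upper()


# Constructed DNSKEY: flags 257 (KSK), protocol 3, algorithm 13, placeholder key bytes 01 02 03 04.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 AQIDBA=="

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print("expected DS:", ds)
    print("matches:", ds_matches(SAMPLE_OWNER, SAMPLE_DNSKEY, ds))
```

In practice, paste the KSK line from `dig DNSKEY yourdomain.com` into `SAMPLE_DNSKEY` and the line from `dig DS yourdomain.com` into `ds_matches`; a False result (or no DS at all) is the "DNSKEY published but no DS at the registrar" state that breaks resolution for validating resolvers.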
Should small businesses bother with DNSSEC?
Yes. DNSSEC is a one-time setup at your registrar and DNS provider, costs nothing extra at most providers (Cloudflare, Route53, Gandi), and protects you from DNS cache poisoning that could redirect customers to phishing sites or hijack your email routing. The only real risk is misconfiguring the DS record — which is exactly what a scanner catches.
See where your domain stands in 30 seconds
One free scan, no signup. 170+ checks across web, email, DNS, TLS, breaches and reputation.