Check email authentication by sending a test email and inspecting the Authentication-Results header for spf=pass, dkim=pass, and dmarc=pass. Use MXToolbox to validate DNS records, mail-tester.com for a quick score, and DMARC aggregate reports for ongoing monitoring. Don't rely on a single method — DNS checks confirm records exist, but only live sending tests confirm they actually work.
How to Check If Your Email Authentication Is Working
Method 1: Send a Test Email
The most reliable check. Send an email from your domain and inspect the headers.
In Gmail: Open the message → three dots → Show original In Outlook: Open the message → File → Properties → Internet headers In Apple Mail: View → Message → All Headers
Look for the Authentication-Results header:
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates 1.2.3.4 as permitted sender)
[email protected];
dkim=pass header.d=example.com header.s=google header.b=abc123;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
You want all three: spf=pass, dkim=pass, dmarc=pass.
Method 2: Online Tools
Quick score: Send to mail-tester.com — gives you a 1-10 score with detailed breakdown.
DNS validation:
- MXToolbox SPF Checker — validates SPF syntax and lookup count
- MXToolbox DKIM Lookup — checks DKIM DNS records
- MXToolbox DMARC Lookup — validates DMARC syntax
BIMI check: BIMI Inspector — validates your BIMI record and logo format.
Practitioner note: MXToolbox showing a valid record doesn't mean authentication works. I've seen correct SPF records that still fail because the ESP wasn't actually sending from those IPs. Always confirm with a real sending test — DNS validation alone isn't enough.
Method 3: Command Line
If you're comfortable with the terminal:
# Check SPF
dig TXT example.com +short
# Check DMARC
dig TXT _dmarc.example.com +short
# Check DKIM (replace 'google' with your selector)
dig TXT google._domainkey.example.com +short
# Check MTA-STS
dig TXT _mta-sts.example.com +short
# Check TLS-RPT
dig TXT _smtp._tls.example.com +short
Method 4: DMARC Aggregate Reports
For ongoing monitoring, DMARC aggregate reports are essential. They show you:
- Every IP sending email as your domain
- Whether each sender passes or fails SPF, DKIM, and DMARC
- Volume trends over time
Use a parser like dmarcian, Postmark DMARC, or EasyDMARC. Check reports weekly at minimum.
Method 5: Google Postmaster Tools
If you send to Gmail recipients, Google Postmaster Tools shows:
- SPF and DKIM authentication rates
- Domain reputation
- Spam rate
- Encryption percentage
This is the closest you'll get to seeing how Gmail specifically evaluates your authentication.
Practitioner note: The authentication check I run most often during audits: send from every service that uses the domain (not just the primary email), and check headers on each one. People assume if Gmail Workspace passes, everything passes. Their Zendesk, Stripe, and CRM often tell a different story.
What to Do When Something Fails
| Result | Meaning | Fix |
|---|---|---|
spf=fail | Sending IP not in SPF record | Add the service's include to your SPF record |
spf=softfail | IP not authorized but not hard-failing | Same fix — add the include |
dkim=fail | DKIM signature invalid or missing | Configure DKIM for that sender |
dmarc=fail | Neither SPF nor DKIM aligned | Check alignment settings and fix the underlying SPF/DKIM issue |
For a professional review of your complete authentication setup, schedule a consultation.
Sources
- MXToolbox: Email Health Check
- Google: Postmaster Tools
- mail-tester.com: Email Score
- dmarcian: DMARC Tools
v1.0 · April 2026
Frequently Asked Questions
How do I check my SPF record?
Use MXToolbox SPF checker or run dig TXT yourdomain.com. Verify the record includes all your sending services and stays under 10 DNS lookups. Then send a test email and check headers for spf=pass.
How do I verify DKIM is working?
Send a test email and view the full headers. Look for dkim=pass in the Authentication-Results header. Also verify the DNS record exists: dig TXT selector._domainkey.yourdomain.com (replace selector with your DKIM selector name).
What does dmarc=pass mean in email headers?
dmarc=pass means either SPF or DKIM (or both) passed authentication AND aligned with the From domain. This is the result you want — it means your email is fully authenticated.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.