Quick Answer

An email authentication audit checks SPF record validity and DNS lookup count, DKIM key presence and signing, DMARC record syntax and policy level, alignment of SPF and DKIM with the From domain, MTA-STS deployment, and BIMI configuration. Run it quarterly and after any change to your email infrastructure. Use MXToolbox or dig for DNS checks, DMARC aggregate reports for ongoing monitoring, and header inspection of a real test message for verification.

Email Authentication Audit Checklist: Verify Everything Is Correct

By Braedon · Mailflow Authority · Email Authentication · Updated 2026-06-10

The Complete Checklist

SPF Audit

  • An SPF record exists as a TXT record at the apex domain (and at any subdomain you use as a MAIL FROM or HELO identity)
  • The record starts with v=spf1
  • Every service that sends as your domain is authorized (ESP, CRM, helpdesk, billing, etc.)
  • No services are listed that you no longer use
  • The record needs no more than 10 DNS lookups in total (include:, a, mx, ptr, exists and redirect= each count, and the terms inside every nested include count too)
  • The record ends with -all or ~all (never +all, which authorizes any host on the internet)
  • Only one TXT record starting with v=spf1 exists (two SPF records are a permanent error for receivers)
  • Each TXT string is at most 255 characters; a longer record is split into multiple quoted strings inside the same TXT record, not into a second record
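The SPF checks above, as an added example that is not part of the original checklist: a small auditor that applies the single-record, string-length, +all and 10-lookup rules, counting lookups recursively through include: and redirect= the way RFC 7208 does. The zone is constructed (placeholder domain names) so the script runs offline; the `lookup_txt` stand-in is where a real resolver would go.

```python
"""SPF audit helper for the checklist above (added example, not from the
original page). Checks: exactly one v=spf1 record, TXT strings of at most 255
characters, a -all/~all terminator (never +all), and the RFC 7208 limit of 10
DNS-querying terms, counted recursively through include: and redirect=.
The zone below is constructed so the script runs offline; replace
`lookup_txt` with a real resolver to audit a live domain."""

# RFC 7208 section 4.6.4: these mechanisms and the redirect modifier each
# cost one lookup; ip4, ip6 and all cost nothing.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed zone (placeholder names). A TXT record is a list of strings,
# exactly as a resolver returns it; example.com is split into two strings.
ZONE = {
    "example.com": [
        ["v=spf1 include:_spf.esp.example include:helpdesk.example ",
         "include:legacy.example -all"],
        ["google-site-verification=placeholder"],  # unrelated TXT, ignored
    ],
    "_spf.esp.example": [["v=spf1 ip4:203.0.113.0/24 include:pool-a.esp.example ~all"]],
    "pool-a.esp.example": [["v=spf1 ip4:198.51.100.0/24 -all"]],
    "helpdesk.example": [["v=spf1 a mx ip4:192.0.2.10 ~all"]],
    "legacy.example": [["v=spf1 redirect=_spf.legacy.example"]],  # service no longer used
    "_spf.legacy.example": [["v=spf1 include:x.legacy.example include:y.legacy.example -all"]],
    "x.legacy.example": [["v=spf1 ip4:192.0.2.0/24 -all"]],
    "y.legacy.example": [["v=spf1 a mx -all"]],
}


def lookup_txt(name, zone):
    """Stand-in for a DNS TXT query: returns the records (lists of strings)."""
    return zone.get(name.lower().rstrip("."), [])


def spf_records(name, zone):
    """TXT records at `name` whose joined value begins with v=spf1."""
    out = []
    for strings in lookup_txt(name, zone):
        joined = "".join(strings)
        if joined.lower().startswith("v=spf1"):
            out.append((strings, joined))
    return out


def count_lookups(name, zone, chain=()):
    """Lookups needed to evaluate `name`, following include: and redirect=."""
    if name in chain:  # include loop: receivers return permerror
        return 0
    recs = spf_records(name, zone)
    if not recs:
        return 0
    total = 0
    for term in recs[0][1].split()[1:]:
        term = term.lstrip("+-~?")  # the qualifier does not affect the count
        if "=" in term:  # modifier, e.g. redirect=, exp=
            mod, _, target = term.partition("=")
            if mod.lower() == "redirect":
                total += 1 + count_lookups(target, zone, chain + (name,))
            continue
        mech, _, target = term.partition(":")
        mech = mech.lower().split("/")[0]  # strip CIDR from a/24, mx/24
        if mech in LOOKUP_MECHANISMS:
            total += 1
            if mech == "include":
                total += count_lookups(target, zone, chain + (name,))
    return total


def audit_spf(domain, zone):
    """Apply the SPF checklist to `domain`; returns (lookup_count, findings)."""
    findings = []
    recs = spf_records(domain, zone)
    if not recs:
        return 0, ["no v=spf1 TXT record found"]
    if len(recs) > 1:
        findings.append(f"{len(recs)} v=spf1 records: receivers treat this as permerror")
    strings, record = recs[0]
    for s in strings:
        if len(s) > 255:
            findings.append(f"TXT string of {len(s)} chars exceeds 255; split it")
    terms = record.split()[1:]
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        findings.append("ends with +all: any host on the internet may send as this domain")
    elif last not in ("-all", "~all"):
        findings.append(f"does not end with -all or ~all (last term is {last!r})")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the RFC 7208 limit of 10 (permerror)")
    return lookups, findings


if __name__ == "__main__":
    count, problems = audit_spf("example.com", ZONE)
    print(f"example.com: {count} lookups")
    for problem in problems:
        print(" -", problem)
```

With the constructed zone the stale legacy include alone costs 6 of the 11 lookups and pushes the record over the limit; removing it brings the same domain down to 5 with no findings, which is the cleanup the checklist item describes.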

DKIM Audit

  • DKIM signing is enabled for every service that sends email as your domain
  • Keys are 2048-bit where the provider supports it (RFC 8301 requires at least 1024 bits and recommends 2048)
  • A DNS record (TXT, or a CNAME to the provider) exists for every selector in use
  • The d= domain in the signature aligns with the From domain
  • A key rotation schedule exists (or CNAMEs delegate rotation to the provider)
  • No orphaned selectors remain for services you no longer use (a published key keeps validating signatures until its record is removed)

DMARC Audit

  • A DMARC record exists at _dmarc.yourdomain.com
  • Record syntax is valid (v=DMARC1 is the first tag, p= the second)
  • Policy is p=quarantine or p=reject with pct=100 (not stalled at p=none)
  • rua= points to a monitored mailbox; if that mailbox is on another domain, the report receiver publishes the authorization record yourdomain.com._report._dmarc.<report-domain>
  • Subdomain policy (sp=) is set deliberately (it defaults to p=, and sp=none silently exempts every subdomain)
  • Alignment modes (adkim=, aspf=) match your sending setup: relaxed (r) accepts subdomains such as bounce.yourdomain.com, strict (s) requires an exact match
  • Aggregate reports are being received and parsed
  • No unauthorized senders appear in the reports

MTA-STS Audit

  • A TXT record exists at _mta-sts.yourdomain.com with v=STSv1 and an id= that changes every time the policy file changes (clients re-fetch the policy only when the id differs)
  • The policy file is served at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
  • Every current MX host matches an mx: line in the policy (a *.example.com wildcard matches exactly one label)
  • Mode is enforce (not left in testing after the rollout)
  • The TLS certificate for the mta-sts subdomain is publicly trusted, valid for that hostname, and not expired
  • TLS-RPT is configured (TXT at _smtp._tls.yourdomain.com with v=TLSRPTv1; rua=) so failures to reach your MX over TLS get reported
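The MTA-STS items above, as an added example rather than code from the original page: a checker that validates the _mta-sts TXT record, parses the policy file, flags testing mode and a short max_age, and confirms that every MX host is covered by an mx: line using RFC 8461's single-label wildcard rule. The TXT record, policy text and MX list are constructed inputs; on a real audit the policy text would come from an HTTPS fetch of /.well-known/mta-sts.txt.

```python
"""MTA-STS audit helper for the list above (added example, not from the
original page). Checks the _mta-sts TXT record, parses the policy file
(RFC 8461), flags testing/none mode and a short max_age, and verifies that
every MX host matches an mx: line (a *.example wildcard matches exactly one
leftmost label). All inputs below are constructed."""

ONE_WEEK = 7 * 24 * 3600  # RFC 8461 expects max_age in the range of weeks or more


def parse_tags(record):
    """Parse 'k=v; k=v' (the TXT record) into a dict of lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip().lower()] = v.strip()
    return tags


def parse_policy(text):
    """Parse the key: value lines of mta-sts.txt; the mx key may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def mx_matches(host, pattern):
    """RFC 8461 matching: exact name, or '*.suffix' covering one label only."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".mx.example.net"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def audit_mta_sts(txt_record, policy_text, mx_hosts):
    """Return the list of findings for a domain's MTA-STS deployment."""
    findings = []
    tags = parse_tags(txt_record)
    if tags.get("v") != "STSv1":
        findings.append("_mta-sts TXT record must start with v=STSv1")
    if not tags.get("id"):
        findings.append("_mta-sts TXT record has no id= (clients re-fetch only when it changes)")
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        findings.append("policy file must declare version: STSv1")
    mode = policy.get("mode")
    if mode != "enforce":
        findings.append(f"mode is {mode!r}: delivery is not protected until mode: enforce")
    try:
        max_age = int(policy.get("max_age", "missing"))
    except ValueError:
        max_age = -1
    if max_age < 0:
        findings.append("max_age is missing or not an integer")
    elif max_age < ONE_WEEK:
        findings.append(f"max_age {max_age} is short; RFC 8461 expects weeks or more")
    for host in mx_hosts:
        if not any(mx_matches(host, pat) for pat in policy["mx"]):
            findings.append(f"MX host {host} matches no mx: line; senders in enforce mode will not deliver to it")
    return findings


# Constructed inputs for example.com: a policy still in testing with a one-day
# max_age, one MX host missing from the policy, and one too deep for the wildcard
TXT_RECORD = "v=STSv1; id=20260401T120000"
POLICY_TEXT = """version: STSv1
mode: testing
mx: mail1.example.com
mx: *.mx.example.net
max_age: 86400
"""
MX_HOSTS = ["mail1.example.com", "mail2.example.com", "a.mx.example.net", "b.c.mx.example.net"]

if __name__ == "__main__":
    for finding in audit_mta_sts(TXT_RECORD, POLICY_TEXT, MX_HOSTS):
        print("-", finding)
```

The wildcard check is the one people get wrong: `*.mx.example.net` covers `a.mx.example.net` but not `b.c.mx.example.net`, so a deeper MX name silently falls outside the policy and becomes undeliverable the moment mode switches to enforce.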

BIMI Audit (If Applicable)

  • DMARC is at p=reject, or p=quarantine with pct=100, and sp= is not none
  • A TXT record exists at default._bimi.yourdomain.com (v=BIMI1; l=<logo URL>; a=<VMC URL>)
  • The logo URL is HTTPS and publicly accessible
  • The logo is a valid SVG Tiny Portable/Secure (SVG Tiny PS) file
  • The VMC is valid and not expired (Gmail requires a certificate to display the logo)
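One checker serving both the DMARC list and the DMARC prerequisite of the BIMI list above, added here as an example and not taken from the original page. It parses the tag=value record, enforces the v=DMARC1 ordering rule, flags p=none, partial pct, sp=none and non-mailto rua destinations, points out when an external report destination needs the authorization record, and reports whether the record is strong enough for BIMI. The sample records are constructed, and `domain` is assumed to be the organizational domain (no public-suffix lookup is done).

```python
"""DMARC record audit covering the DMARC list and the DMARC prerequisite of
the BIMI list (added example, not from the original page). Parses the
tag=value record, checks tag order, policy strength, pct, sp, rua and the
alignment modes, and reports whether the record meets BIMI's requirement of
p=reject or p=quarantine with pct=100 and no sp=none. `domain` is assumed to
be the organizational domain; the sample records are constructed."""

POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    tags = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag {part!r}")
        tags.append((tag.strip().lower(), value.strip()))
    return tags


def audit_dmarc(record, domain):
    """Apply the checklist to one _dmarc TXT value; returns (findings, bimi_ready)."""
    domain = domain.lower()
    tags = parse_dmarc(record)
    d = dict(tags)
    findings = []
    version_ok = bool(tags) and tags[0] == ("v", "DMARC1")
    if not version_ok:
        findings.append("v=DMARC1 must be the first tag or receivers ignore the record")
    p = d.get("p")
    if p not in POLICIES:
        findings.append(f"p= missing or invalid ({p!r})")
    elif p == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    try:
        pct = int(d.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append(f"pct={d['pct']!r} is not an integer")
    if p in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sp = d.get("sp", p)  # sp defaults to p
    if p in ("quarantine", "reject") and sp == "none":
        findings.append("sp=none exempts every subdomain from the policy")
    rua = d.get("rua", "")
    if not rua:
        findings.append("no rua= tag: aggregate reports are not being collected")
    for uri in (u.strip() for u in rua.split(",") if u.strip()):
        if not uri.startswith("mailto:"):
            findings.append(f"rua destination {uri!r} is not a mailto: URI")
            continue
        addr = uri[len("mailto:"):].split("!")[0]  # strip the optional !size suffix
        rdomain = addr.rsplit("@", 1)[-1].lower()
        if rdomain != domain and not rdomain.endswith("." + domain):
            # RFC 7489 section 7.1: the receiving domain must consent to the reports
            findings.append(f"external reports to {rdomain}: needs TXT "
                            f"{domain}._report._dmarc.{rdomain} with v=DMARC1")
    for tag in ("adkim", "aspf"):
        if d.get(tag, "r") not in ("r", "s"):
            findings.append(f"{tag}={d[tag]!r} must be r (relaxed) or s (strict)")
    enforced = p == "reject" or (p == "quarantine" and pct == 100)
    bimi_ready = version_ok and enforced and sp != "none"
    return findings, bimi_ready


# Constructed sample records for the organizational domain example.com
SAMPLES = {
    "monitoring only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "half-enforced": "v=DMARC1; p=quarantine; pct=50; sp=none; "
                     "rua=mailto:agg@dmarc-vendor.example!10m; adkim=s; aspf=r",
    "tags out of order": "p=reject; v=DMARC1; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com,mailto:dmarc@reports.example.com",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        findings, bimi = audit_dmarc(record, "example.com")
        print(f"{label}: BIMI-ready={bimi}")
        for finding in findings:
            print("   -", finding)
```

The "half-enforced" record is the instructive one: it reads as p=quarantine at a glance, yet pct=50 halves the enforcement, sp=none exempts every subdomain, and the vendor mailbox will silently receive nothing until the vendor publishes the authorization record named in the finding.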

Practitioner note: The audit finding I see most often: SPF records that include services the company stopped using two years ago. Every include costs a DNS lookup, and unused includes waste your limited budget of 10. Clean up old entries every quarter.

How to Run the Audit

Step 1: DNS Record Check

Use MXToolbox or dig to pull every authentication record:

  • dig +short TXT yourdomain.com (SPF is the value that starts with v=spf1; other TXT records such as site verifications will appear alongside it)
  • dig +short TXT _dmarc.yourdomain.com (DMARC)
  • dig +short TXT default._bimi.yourdomain.com (BIMI)
  • dig +short TXT _mta-sts.yourdomain.com (MTA-STS)
  • dig +short TXT _smtp._tls.yourdomain.com (TLS-RPT)
  • dig +short TXT selector._domainkey.yourdomain.com (DKIM, once per selector; if the name is a CNAME to your provider, dig follows it and prints both the target and the key)

Step 2: Live Sending Test

Send a test email to mail-tester.com or check-auth.email. Review the full header analysis for SPF, DKIM, and DMARC results.

You can also inspect headers manually on any received message:

  • In Gmail: Open the message → three dots → Show original
  • In Outlook: Open the message → File → Properties → Internet headers
  • In Apple Mail: View → Message → All Headers

Look for the Authentication-Results header written by your own receiving server (the first token after the header name is that server's authserv-id) and ignore copies that appear earlier in the chain, since any upstream hop could have inserted them. You want all three: spf=pass, dkim=pass, dmarc=pass. An spf=pass on its own does not guarantee alignment: the smtp.mailfrom domain has to match the From domain for it to count toward DMARC, which is why a message can show spf=pass and still rely entirely on DKIM.
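The header check described above, as an added example that is not part of the original page: a parser for Authentication-Results values (RFC 8601) that keeps only the header written by the MTA you trust, then works out whether each spf= and dkim= pass actually aligns with the From domain. The header values are constructed; mx.example.net stands in for your receiving server, example.com for the audited domain, and the alignment check assumes the From domain is the organizational domain.

```python
"""Authentication-Results check for Step 2 (added example, not from the
original page). Parses RFC 8601 header values, keeps only the one written by
the MTA you trust (its authserv-id), and works out whether the SPF and DKIM
passes actually align with the From domain, which is what DMARC needs.
Headers below are constructed; mx.example.net stands in for your receiving
server and example.com for the audited domain."""
import re


def parse_auth_results(value):
    """Return (authserv_id, [(method, result, props)]) for one header value."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop (comments)
    parts = [p.strip() for p in " ".join(value.split()).split(";") if p.strip()]
    authserv_id = parts[0].split()[0].lower()
    results = []
    for clause in parts[1:]:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            k, _, v = tok.partition("=")
            props[k.lower()] = v.strip('"').lstrip("@")  # header.i=@d -> d
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results


def aligned(identifier, from_domain, mode="r"):
    """Relaxed alignment accepts a subdomain of from_domain; strict needs equality.
    from_domain is assumed to be the organizational domain (no PSL lookup)."""
    ident = identifier.rsplit("@", 1)[-1].lower().rstrip(".")
    from_domain = from_domain.lower()
    return ident == from_domain or (mode == "r" and ident.endswith("." + from_domain))


def audit_headers(values, trusted_authserv, from_domain, adkim="r", aspf="r"):
    """Evaluate only the header our own MTA added; anything else may be forged."""
    for value in values:
        authserv, results = parse_auth_results(value)
        if authserv != trusted_authserv.lower():
            continue
        spf_ok = dkim_ok = False
        summary = {"spf": "none", "dkim": "none", "dmarc": "none"}
        for method, result, props in results:
            if method == "spf":
                summary["spf"] = result
                spf_ok |= result == "pass" and aligned(props.get("smtp.mailfrom", ""), from_domain, aspf)
            elif method == "dkim":
                # a message can carry several signatures; one aligned pass suffices
                if result == "pass" or summary["dkim"] == "none":
                    summary["dkim"] = result
                d = props.get("header.d") or props.get("header.i", "")
                dkim_ok |= result == "pass" and aligned(d, from_domain, adkim)
            elif method == "dmarc":
                summary["dmarc"] = result
        summary["spf_aligned"] = spf_ok
        summary["dkim_aligned"] = dkim_ok
        summary["dmarc_expected"] = "pass" if (spf_ok or dkim_ok) else "fail"
        return summary
    return None  # no header from the trusted MTA: treat the message as unauthenticated


# Constructed header values (the part after "Authentication-Results:")
HEADERS = [
    # inserted by an untrusted upstream hop; claims everything passed, but the authserv-id is not ours
    "mail.untrusted.example; spf=pass smtp.mailfrom=example.com; "
    "dkim=pass header.d=example.com; dmarc=pass header.from=example.com",
    # written by our own MX: SPF passes on the ESP bounce domain (not aligned),
    # the first DKIM signature is aligned, a second list signature fails
    "mx.example.net; dkim=pass header.i=@example.com header.s=s1 header.b=Ab12cD; "
    "dkim=fail (body hash did not verify) header.d=list.example header.s=k2; "
    "spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=bounce@bounce.esp.example; "
    "dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com",
]
# the same message after a mailing list rewrote the body: DKIM breaks, SPF is unaligned, DMARC fails
FORWARDED = ("mx.example.net; spf=pass smtp.mailfrom=bounces@list.example; "
             "dkim=fail (body hash did not verify) header.d=example.com header.s=s1; "
             "dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=example.com")
```

Run `audit_headers(HEADERS, "mx.example.net", "example.com")` and the forged first header is skipped entirely; the trusted one shows spf=pass without alignment and an aligned DKIM pass, so DMARC passes on DKIM alone, which is exactly the single-path situation the practitioner notes warn about.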

Practitioner note: A valid DNS record doesn't mean authentication works. I've seen correct SPF records that still fail because the ESP wasn't actually sending from those IPs. Always confirm with a real sending test — and send from every service that uses the domain, not just the primary email. People assume if Gmail Workspace passes, everything passes. Their Zendesk, Stripe, and CRM often tell a different story.

Step 3: Report Review

Pull the last 30 days of DMARC aggregate (rua) reports. They arrive as gzip or zip XML attachments, one per reporting receiver per day, so use a parser or a reporting service rather than reading them by hand. Look for:

  • Legitimate senders failing: known IPs whose aligned SPF and DKIM results are both fail
  • Unknown IPs sending as your domain
  • Volume anomalies: sudden spikes from one source, or unknown sources outweighing your known ones
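The report review above, as an added example that is not part of the original page: a triage script for one decompressed aggregate report in the RFC 7489 Appendix C XML format. It sums volume per source IP, uses a constructed allowlist of your senders' IPs to sort sources into passing, known-but-failing and unknown, and applies a constructed threshold for the volume anomaly. The report XML is constructed; policy_evaluated holds the aligned results that DMARC acted on, which is why the helpdesk source shows a raw SPF pass but an aligned failure.

```python
"""DMARC aggregate (rua) report triage for Step 3 (added example, not from
the original page). Takes the decompressed XML of one report (RFC 7489
Appendix C schema), sums volume per source IP, and sorts sources into
known-and-passing, known-but-failing, and unknown using a constructed
allowlist. The report below is constructed."""
import xml.etree.ElementTree as ET

# Constructed allowlist: IP -> the service you expect to send from it
KNOWN_SOURCES = {"203.0.113.7": "ESP", "192.0.2.10": "Helpdesk"}

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mx.example.net</org_name>
    <date_range><begin>1712000000</begin><end>1712086400</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>helpdesk.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.99</source_ip><count>5000</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text, known_sources):
    """Return per-source totals and the three triage lists for one report."""
    root = ET.fromstring(xml_text)
    per_ip = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")  # aligned results
        spf = rec.findtext("row/policy_evaluated/spf")
        entry = per_ip.setdefault(ip, {"count": 0, "pass": 0})
        entry["count"] += count
        if "pass" in (dkim, spf):  # DMARC passes if either aligned identifier passes
            entry["pass"] += count
    total = sum(e["count"] for e in per_ip.values())
    summary = {"domain": root.findtext("policy_published/domain"),
               "reporter": root.findtext("report_metadata/org_name"),
               "total": total, "passing": [], "failing_known": [], "unknown": []}
    for ip, e in sorted(per_ip.items(), key=lambda kv: -kv[1]["count"]):
        name = known_sources.get(ip)
        if name is None:
            summary["unknown"].append((ip, e["count"]))
        elif e["pass"] < e["count"]:
            summary["failing_known"].append((ip, name, e["count"] - e["pass"]))
        else:
            summary["passing"].append((ip, name, e["count"]))
    unknown_volume = sum(c for _, c in summary["unknown"])
    # Constructed threshold: unknown sources above half of all volume is worth escalating
    summary["volume_anomaly"] = total > 0 and unknown_volume > total / 2
    return summary


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT, KNOWN_SOURCES)
    print(f"{s['domain']} via {s['reporter']}: {s['total']} messages")
    print("failing known senders:", s["failing_known"])
    print("unknown sources:", s["unknown"], "anomaly:", s["volume_anomaly"])
```

In the constructed report the unknown 198.51.100.99 accounts for 5000 of 6500 messages while the policy is still p=none, which is the case where moving to p=quarantine or p=reject changes what reaches inboxes; the helpdesk entry is the "SPF passed but did not align" pattern that only DKIM on that sender would fix.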

What to Do When Something Fails

Result | Meaning | Fix
spf=fail | The sending IP is not authorized by the SPF record of the MAIL FROM domain | Add the service's include: (or its ip4:/ip6: range) to your SPF record
spf=softfail | The IP is not authorized, but the record ends with ~all so receivers only soft-fail it | Same fix: add the include; once the record is complete, consider moving to -all
spf=permerror | The record is unusable: more than 10 DNS lookups, two v=spf1 records, or a syntax error | Remove unused includes to get under the limit, merge duplicate records, and re-validate
dkim=fail | The signature is missing, the selector record is absent, or the message changed in transit (mailing-list footers are a common cause) | Configure DKIM for that sender; for forwarded mail an aligned DKIM signature is what keeps DMARC passing, so confirm the original message is signed
dmarc=fail | Neither SPF nor DKIM passed with an identifier aligned to the From domain | Fix the underlying SPF or DKIM failure, then check adkim=/aspf= and the domains the service uses for MAIL FROM and d=

Practitioner note: I run this exact checklist for every deliverability audit I do. It takes about an hour per domain. Most domains have 2-3 issues — usually an SPF lookup count problem, a missing DKIM configuration for one sender, and DMARC still at p=none.

Quarterly Reminder

Set a calendar reminder. Authentication configuration drifts over time as people add services, change providers, and forget to update DNS. A quarterly audit catches problems before they affect deliverability.


v1.0 · April 2026

Frequently Asked Questions

How often should I audit email authentication?

Quarterly at minimum, and immediately after adding a new sending service, changing ESPs, or modifying DNS records. Authentication drift is common — services get added without updating SPF, DKIM keys expire, and policies go stale.

What tools do I need for an email auth audit?

MXToolbox for DNS record validation, a DMARC report parser (dmarcian, Postmark, EasyDMARC), mail-tester.com for quick scoring, and access to email headers for manual verification.

What's the most common auth audit finding?

Missing DKIM for a third-party sender. Someone added the service to SPF but never configured DKIM, so its mail passes SPF only. That is a single fragile path: SPF breaks as soon as the message is forwarded, and an aligned DKIM signature is what keeps DMARC passing in that case.

What does dmarc=pass mean in email headers?

dmarc=pass means that at least one of SPF or DKIM passed AND its identifier (the MAIL FROM domain for SPF, the d= domain for DKIM) aligned with the From domain. This is the result you want: the message is authenticated as your domain, not merely as some domain.
