Quick Answer

An email authentication audit checks SPF record validity and DNS lookup count, DKIM key presence and signing for every sender, DMARC record syntax and policy level, alignment of SPF and DKIM with the From domain (which is what DMARC actually evaluates), MTA-STS deployment, and BIMI configuration. Run this audit quarterly or after any change to your email infrastructure. Use MXToolbox or dig for DNS checks, DMARC aggregate reports for ongoing monitoring, and manual inspection of the Authentication-Results header for verification.

Email Authentication Audit Checklist: Verify Everything Is Correct

By Braedon·Mailflow Authority·Email Authentication

The Complete Checklist

SPF Audit

  • SPF record exists as a single TXT record at the apex domain, and at every subdomain that sends mail (SPF is not inherited from the parent)
  • Record starts with v=spf1
  • All sending services are included (ESP, CRM, helpdesk, billing, etc.)
  • No services listed that you no longer use
  • DNS-querying terms (include, a, mx, ptr, exists, redirect) total 10 or fewer, counting the ones nested inside every include (more than 10 is a permerror, which receivers treat as having no SPF at all)
  • Record ends with -all or ~all (not +all — never +all)
  • No duplicate SPF records (only one TXT record starting with v=spf1)
  • Record length is under 255 characters per string (or properly split)

DKIM Audit

  • DKIM is enabled for every service that sends email as your domain
  • Key length is 2048-bit (not 1024-bit) where possible
  • DNS records exist for each DKIM selector
  • The d= domain in the DKIM signature aligns with the From domain (exact match in strict mode, same organizational domain in relaxed mode)
  • Key rotation schedule exists (or CNAMEs delegate to provider rotation)
  • No orphaned DKIM records for services you no longer use

DMARC Audit

  • DMARC record exists at _dmarc.yourdomain.com
  • Record syntax is valid (v=DMARC1 first)
  • Policy is at p=quarantine or p=reject (not stalled at p=none)
  • rua= tag points to a monitored mailbox; if that mailbox is on a different domain, that domain must publish the yourdomain.com._report._dmarc.<reportdomain> authorization TXT record, or receivers silently drop the reports
  • Subdomain policy (sp=) is set appropriately
  • Alignment mode (adkim= and aspf=) matches your sending setup: strict (s) only if every sender signs with and bounces from the exact From domain, otherwise relaxed (r), which is the default
  • Aggregate reports are being received and parsed
  • No unauthorized senders appearing in reports

MTA-STS Audit

  • DNS TXT record exists at _mta-sts.yourdomain.com with v=STSv1 and an id= value (change the id every time the policy file changes, because receivers cache the policy by id)
  • Policy file accessible at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
  • Policy lists all current MX hosts (a leading * wildcard matches a single label only)
  • Mode is enforce (not stuck in testing)
  • TLS certificate for the mta-sts subdomain is valid, not expired, and issued by a publicly trusted CA
  • TLS-RPT is configured (TXT record at _smtp._tls.yourdomain.com with a rua= address that someone reads)

BIMI Audit (If Applicable)

  • DMARC is at p=reject, or p=quarantine with pct=100 (BIMI requires the policy to apply to all mail; a pct below 100 disqualifies the domain)
  • TXT record exists at default._bimi.yourdomain.com
  • Logo URL is HTTPS and accessible
  • Logo is valid SVG Tiny PS
  • VMC is valid and not expired (for Gmail)

Practitioner note: The audit finding I see most often: SPF records that include services the company stopped using two years ago. Every include costs a DNS lookup, and unused includes waste your limited budget of 10. Clean up old entries every quarter.

How to Run the Audit

Step 1: DNS Record Check

Use MXToolbox or dig to pull every authentication record. With dig, add +short to get just the record data; a record longer than 255 characters comes back as several quoted strings that receivers concatenate:

  • dig +short TXT yourdomain.com (SPF; ignore unrelated TXT records, but count every one that starts with v=spf1)
  • dig +short TXT _dmarc.yourdomain.com (DMARC)
  • dig +short TXT default._bimi.yourdomain.com (BIMI)
  • dig +short TXT _mta-sts.yourdomain.com (MTA-STS)
  • dig +short TXT _smtp._tls.yourdomain.com (TLS-RPT)
  • dig +short TXT selector._domainkey.yourdomain.com (DKIM, once per selector; DKIM records are TXT, and if the selector is CNAME-delegated to a provider, dig prints the CNAME target followed by the provider's TXT record)
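To turn the SPF, DKIM and DMARC items of the checklist into something repeatable, here is an added Python example (not the page's or the author's tooling) that applies those checks to the records pulled in Step 1. It runs offline against a constructed ZONE dict; corp.example, the .example provider names and the selectors esp, crm and helpdesk are placeholders. The lookup counter recurses through include: and redirect= the way a receiver does, so a cheap-looking include that fans out underneath still shows up in the total.

```python
"""Offline checks for the SPF, DKIM and DMARC checklist items (added example, not the page's
own tooling). DNS answers come from the constructed ZONE dict; for a real audit feed it the
strings that dig returns instead."""
import re

# Constructed sample zone: (owner name, rrtype) -> list of record strings. Names are placeholders.
ZONE = {
    ("corp.example", "TXT"): ["v=spf1 include:_spf.esp.example include:spf.crm.example "
                              "include:spf.helpdesk.example a mx ~all"],
    ("_spf.esp.example", "TXT"): ["v=spf1 include:_n1.esp.example include:_n2.esp.example ~all"],
    ("_n1.esp.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
    ("_n2.esp.example", "TXT"): ["v=spf1 ip6:2001:db8::/32 ~all"],
    ("spf.crm.example", "TXT"): ["v=spf1 a mx ptr -all"],  # ptr is deprecated but still costs a lookup
    ("spf.helpdesk.example", "TXT"): ["v=spf1 redirect=_spf.esp.example"],
    ("_dmarc.corp.example", "TXT"): ["v=DMARC1; p=none; sp=none; rua=mailto:dmarc@corp.example"],
    ("esp._domainkey.corp.example", "TXT"): ["v=DKIM1; k=rsa; p=AAAA"],  # placeholder, not a real key
    ("crm._domainkey.corp.example", "TXT"): ["v=DKIM1; k=rsa; p="],      # empty p= means revoked
    # no helpdesk._domainkey record on purpose: the sender is in SPF but DKIM was never set up
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 section 4.6.4


def txt(zone, name):
    return zone.get((name, "TXT"), [])


def spf_records(zone, domain):
    return [r for r in txt(zone, domain) if r.lower().startswith("v=spf1")]


def spf_lookups(zone, domain, path=()):
    """Count DNS-querying terms, recursing into include:/redirect= the way a receiver does."""
    recs = spf_records(zone, domain)
    if domain in path or len(recs) != 1:  # loop guard; a missing or duplicate record is a permerror anyway
        return 0
    count = 0
    for term in recs[0].split()[1:]:
        m = re.match(r"([a-z0-9]+)(?:[:=/](.*))?$", term.lower().lstrip("+-~?"))
        if not m:
            continue
        mech, arg = m.groups()
        if mech in LOOKUP_TERMS:
            count += 1
        if mech in ("include", "redirect") and arg:
            count += spf_lookups(zone, arg, path + (domain,))
    return count


def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC, DKIM) into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(zone, domain):
    recs = spf_records(zone, domain)
    if len(recs) != 1:
        return [f"SPF: expected exactly one v=spf1 record, found {len(recs)}"]
    findings, last = [], recs[0].split()[-1].lower()
    if last in ("all", "+all"):
        findings.append("SPF: ends with +all, which authorizes every host on the internet")
    elif last not in ("-all", "~all"):
        findings.append(f"SPF: does not end with -all or ~all (last term is {last})")
    n = spf_lookups(zone, domain)
    if n > 10:
        findings.append(f"SPF: {n} DNS lookups exceeds the limit of 10 (receivers return permerror)")
    return findings


def audit_dkim(zone, domain, selectors):
    findings = []
    for sel in selectors:
        name = f"{sel}._domainkey.{domain}"
        recs = txt(zone, name)
        if not recs:
            findings.append(f"DKIM: no record at {name}")
        elif not parse_tags(recs[0]).get("p"):
            findings.append(f"DKIM: {name} has an empty p= (revoked key); signatures will fail")
    return findings


def audit_dmarc(zone, domain):
    recs = [r for r in txt(zone, "_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return [f"DMARC: expected exactly one v=DMARC1 record at _dmarc.{domain}, found {len(recs)}"]
    tags, findings = parse_tags(recs[0]), []
    p = tags.get("p")
    if p not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC: p= is missing or invalid ({p!r})")
    elif p == "none":
        findings.append("DMARC: p=none only monitors; nothing is quarantined or rejected")
    if tags.get("sp", p) == "none" and p != "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("DMARC: no rua=mailto: tag, so no aggregate reports arrive")
    return findings


def run_audit(zone=ZONE, domain="corp.example", selectors=("esp", "crm", "helpdesk")):
    return audit_spf(zone, domain) + audit_dkim(zone, domain, selectors) + audit_dmarc(zone, domain)


if __name__ == "__main__":
    for finding in run_audit():
        print("-", finding)
```

Run it as a script to list the findings. The constructed zone deliberately reproduces the three findings that turn up most on real domains: the apex record looks like it has six lookups but resolves to 13 once the includes and the redirect are followed, one sender is in SPF with no DKIM selector at all, another has a revoked key, and DMARC is still at p=none. For a live audit, build the zone from the strings dig returns (one list entry per TXT record, with multi-string records joined) and pass your real selector list.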

Step 2: Live Sending Test

Send a test email to mail-tester.com or check-auth.email and review the full header analysis. The Authentication-Results header of the received message reports the spf=, dkim= (with the d= domain and selector) and dmarc= verdicts; check which of SPF or DKIM produced the aligned pass, because a DMARC pass that rests on SPF alone breaks as soon as the message is forwarded.

Step 3: Report Review

Pull the last 30 days of DMARC aggregate reports. Look for:

  • Any failing legitimate senders
  • Unknown IPs sending as your domain
  • Volume anomalies
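Step 3 goes faster with a small parser. The following added Python example (not the page's or the author's tooling) reads a DMARC aggregate report in the RFC 7489 XML format and sorts its rows into the three buckets above. The report body, the corp.example domain and the KNOWN_SENDERS networks are constructed for illustration; real reports arrive by mail as gzip or zip attachments, and because anyone can send one to your rua address, treat them as untrusted input and parse them with defusedxml in production.

```python
"""Triage of a DMARC aggregate (rua) report (added example, not the page's own tooling).
SAMPLE_REPORT is a constructed report in the RFC 7489 Appendix C XML format."""
import ipaddress
import xml.etree.ElementTree as ET  # reports are untrusted input: prefer defusedxml in production

# Constructed: the networks you know send as the domain, taken from your providers' documentation.
KNOWN_SENDERS = {
    "esp": ipaddress.ip_network("192.0.2.0/24"),
    "crm": ipaddress.ip_network("203.0.113.0/24"),
}

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>r-1</report_id>
    <date_range><begin>1775001600</begin><end>1775088000</end></date_range></report_metadata>
  <policy_published><domain>corp.example</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>corp.example</header_from></identifiers>
    <auth_results><dkim><domain>corp.example</domain><selector>esp</selector><result>pass</result></dkim>
      <spf><domain>corp.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>corp.example</header_from></identifiers>
    <auth_results><spf><domain>bounce.crm.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.77</source_ip><count>3400</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>corp.example</header_from></identifiers>
    <auth_results><spf><domain>corp.example</domain><result>fail</result></spf></auth_results></record>
</feedback>
"""


def parse_report(xml_text):
    """Return (policy_published dict, list of per-<record> dicts)."""
    root = ET.fromstring(xml_text)
    published = {child.tag: child.text for child in root.find("policy_published")}
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "ip": ipaddress.ip_address(row.findtext("source_ip")),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated is the aligned verdict; auth_results is the raw, possibly unaligned, check
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "raw_spf_domain": rec.findtext("auth_results/spf/domain"),
            "raw_dkim_domains": [d.findtext("domain") for d in rec.findall("auth_results/dkim")],
        })
    return published, rows


def sender_label(ip, known):
    """Name of the known sender whose network contains ip, else None."""
    return next((name for name, net in known.items() if ip in net), None)


def triage(xml_text, known=KNOWN_SENDERS):
    """Sort report rows into the Step 3 buckets: failing known senders, unknown sources, volumes."""
    published, rows = parse_report(xml_text)
    out = {"policy": published.get("p"), "total": 0, "failed": 0, "failing_known": [], "unknown": []}
    for r in rows:
        dmarc_pass = r["dkim_aligned"] or r["spf_aligned"]
        label = sender_label(r["ip"], known)
        out["total"] += r["count"]
        if not dmarc_pass:
            out["failed"] += r["count"]
        if label and not dmarc_pass:
            # legitimate mail that p=quarantine/reject would start blocking: fix before tightening policy
            out["failing_known"].append((label, str(r["ip"]), r["count"], r["raw_spf_domain"]))
        elif not label:
            out["unknown"].append((str(r["ip"]), r["count"], dmarc_pass))
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"published policy p={result['policy']}, {result['failed']}/{result['total']} messages failed DMARC")
    for label, ip, count, spf_domain in result["failing_known"]:
        print(f"FIX   {label} at {ip}: {count} msgs failed; raw SPF domain {spf_domain} is not aligned")
    for ip, count, passed in result["unknown"]:
        print(f"CHECK unknown source {ip}: {count} msgs, DMARC {'pass' if passed else 'fail'}")
```

The second row of the sample is the case that bites when a domain moves from p=none to enforcement: the CRM's mail passes raw SPF for its own bounce domain, but that domain is not aligned with the From domain and there is no DKIM signature, so DMARC fails. The fix is on the sender side (DKIM with d=corp.example, or a custom bounce domain), and it has to happen before the policy is tightened. The third row, from a network you do not recognise, is what a quarantine or reject policy exists to stop.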

Practitioner note: I run this exact checklist for every deliverability audit I do. It takes about an hour per domain. Most domains have 2-3 issues — usually an SPF lookup count problem, a missing DKIM configuration for one sender, and DMARC still at p=none.

Quarterly Reminder

Set a calendar reminder. Authentication configuration drifts over time as people add services, change providers, and forget to update DNS. A quarterly audit catches problems before they affect deliverability.

For a professional audit of your email authentication stack, schedule a consultation.


v1.0 · April 2026

Frequently Asked Questions

How often should I audit email authentication?

Quarterly at minimum, and immediately after adding a new sending service, changing ESPs, or modifying DNS records. Authentication drift is common — services get added without updating SPF, DKIM keys expire, and policies go stale.

What tools do I need for an email auth audit?

MXToolbox for DNS record validation, a DMARC report parser (dmarcian, Postmark, EasyDMARC), mail-tester.com for quick scoring, and access to email headers for manual verification.

What's the most common auth audit finding?

Missing DKIM for a third-party sender. Someone added the service to SPF but never configured DKIM, so its mail passes DMARC through SPF alone. That single path is fragile: SPF fails whenever a message is forwarded or relayed through a mailing list, whereas a DKIM signature survives forwarding, so the sender needs both.

Want this handled for you?

Free 30-minute strategy call. Walk away with a plan either way.