Audit your sending domain's email authentication — check SPF, DKIM, and DMARC records using MXToolbox and document what's missing or misconfigured.
Use MXToolbox's all-in-one Email Health checker at mxtoolbox.com/emailhealth — it runs SPF, DKIM, DMARC, blacklist, and MX checks in a single report.
For DKIM, you need to know your ESP's selector name (e.g., Mailchimp uses k1, SendGrid uses s1 or s2) before you can query it.
If you don't control a live domain, use a free subdomain from a service like Vercel or Cloudflare to create and publish real DNS records for this exercise.
Domain: example.com
SPF: PASS — v=spf1 include:sendgrid.net include:mailchimp.com ~all
DKIM: PASS — selector: k1, algorithm: rsa-sha256, key length: 2048
DMARC: PASS — p=quarantine; rua=mailto:reports@example.com; adkim=r; aspf=r
Issues found:
- SPF had 11 DNS lookups (limit is 10) — removed redundant include:_spf.google.com
- DMARC was missing; new record published with p=quarantine
- DKIM selector was correct but key was 1024-bit; flagged for upgrade to 2048-bit
Set up a free DMARC aggregate report parser (e.g., dmarcian.com free tier) and interpret your first XML report — identify every source sending mail as your domain.
Configure a second DKIM selector for a backup ESP and verify both selectors resolve correctly in DNS.
Test your full authentication chain with Gmail's 'Show original' headers and confirm Authentication-Results shows SPF=pass, DKIM=pass, DMARC=pass on the same email.