What's the difference between a syntax validator and a record inspector?

A syntax validator analyzes a raw DNS record you paste, without DNS resolution. An inspector resolves the domain live from the Internet and displays the response as seen by mail servers.

In what order should I configure SPF, DKIM and DMARC?

Start with SPF to authorize your sending servers, then configure DKIM to sign your messages. Enable DMARC in p=none mode to observe, then gradually move to quarantine and reject.

Why are my emails going to spam despite valid SPF and DKIM?

Valid SPF and DKIM aren't always enough. Check DMARC alignment (SPF/DKIM domain must match From), your IP reputation, and use the email tester for a complete diagnosis.

What is the 10 DNS lookup limit for SPF?

Each include, a, mx, ptr and redirect mechanism triggers a DNS query. The SPF specification limits these queries to 10 per verification. Beyond that, SPF returns permerror and your emails may be rejected.

Is BIMI required for good deliverability?

No, BIMI doesn't affect deliverability. It's a visual identity layer that displays your logo in compatible webmail clients. It requires DMARC at quarantine or reject to function.

How do I know if my DKIM key is too short?

The DKIM inspector displays the public key length. 1024-bit keys are accepted but 2048 bits are recommended. 512-bit keys are considered weak and may be rejected.

What does strict vs relaxed alignment mean in DMARC?

Strict alignment requires an exact match between the From domain and SPF/DKIM domain. Relaxed alignment accepts subdomains. By default, DMARC uses relaxed for more flexibility.

What is MTA-STS and why do I need it?

MTA-STS (Mail Transfer Agent Strict Transport Security) enforces TLS encryption for incoming email. It prevents man-in-the-middle attacks and downgrade attacks by telling sending servers to require TLS when connecting to your mail servers.

How does MTA-STS work with DMARC?

MTA-STS and DMARC are complementary. DMARC validates sender identity, while MTA-STS enforces transport encryption. Together they protect both the authenticity and confidentiality of your email.

SPF DKIM DMARC MTA-STS Tools - Validate Email Authentication

Syntax Checkers

SPF Syntax Validator

Check your SPF string before changes. Verify mechanism order, count DNS lookups and avoid exceeding limits.

DKIM Syntax Validator

Paste a raw DKIM record and verify each tag before publishing. Detect syntax errors, truncated keys and invalid options.

DMARC Syntax Validator

Validate p=, sp=, adkim=, aspf= tags and verify rua/ruf reporting addresses before publishing.

BIMI Syntax Validator

Verify Tiny-PS compliance for your SVG logo, HTTPS URL and VMC certificate presence.

MTA-STS Syntax Validator

Validate your MTA-STS DNS TXT record and policy file content offline. Check version, mode, MX patterns and max_age before deployment.

TLS-RPT syntax validator

Validate TLS-RPT TXT records offline before deployment.

Record Checkers

SPF Record Inspector

Resolve the domain and unfold the complete SPF chain. Spot where the 10 DNS lookup limit would be exceeded.

DKIM Record Inspector

Resolve a DKIM selector live from the Internet. View the public key, its length and detect rotation issues.

DMARC Record Inspector

Resolve _dmarc.domain, view the active policy and enforcement percentage. Verify before switching to reject.

BIMI Record Inspector

Resolve default._bimi.domain, download the logo and verify VMC before deploying your brand identity.

MTA-STS Record Inspector

Resolve MTA-STS records live. Fetch the policy file, verify TLS certificates and cross-check MX patterns with your mail servers.

TLS-RPT record checker

Check TLS-RPT configuration for any domain with external RUA verification.

DKIM Selector Finder

Auto-discover all DKIM selectors configured for any domain without knowing their names.

Record Generators

SPF Record Generator

Generate a valid SPF record for your domain with pre-configured email providers.

SPF Flattener

Flatten SPF records to eliminate nested includes and stay within the 10 DNS lookup limit.

DKIM Generator

Generate DKIM key pairs (RSA/Ed25519) and DNS TXT records.

DMARC Record Generator

Create a complete DMARC record with all options: policies, alignments, reports, percentages. Ready to publish.

MTA-STS Generator

Generate RFC 8461-compliant MTA-STS records and policy files. Configure mode, MX patterns and cache duration with step-by-step guidance.

TLS-RPT generator

Generate TLS-RPT DNS records with mailto and HTTPS reporting URIs.

BIMI Record Generator

Generate BIMI DNS records with logo URL and optional VMC certificate.

Deliverability Tools

Email Deliverability Audit

Analyze MX, SPF, DKIM and DMARC simultaneously. Identify deliverability blockers in seconds.

Email Tester

Send a test email and get a deliverability score out of 100. Complete diagnosis with recommended actions.

Email Header Analyzer

Paste raw headers from a received email. Identify the sender, verify SPF/DKIM/DMARC and trace the full routing.

IP Blacklist Checker

Check if your IP is on email blacklists

Domain Blacklist Checker

Check if your domain is on URI blacklists

Why email authentication is essential

Three building blocks that complement each other

SPF tells which servers have the right to send for your domain. The rule is published in a TXT record at the apex. Well configured, it limits spoofing. Too permissive, it lets abuse through.

DKIM signs your messages. The public key lives in a TXT under selector._domainkey. A valid signature proves the message hasn't been modified and indicates which domain signed it.

DMARC links the visible address to SPF and DKIM. If SPF or DKIM passes and aligns with the sender's domain, the message is considered compliant. The policy then decides the treatment on failure: observation, quarantine or rejection.

What a recipient server sees

Upon reception, the server reads your DNS records then adds an Authentication-Results header. You'll find spf=pass or fail, dkim=pass or fail, dmarc=pass or fail, with the evaluated domain. This header is your ground truth. It confirms the real effect of your settings, beyond theory.

What BIMI changes

BIMI is not a spam filter. It displays a validated logo when DMARC is in place with an enforced policy. The logo is requested via a dedicated DNS record and sometimes a VMC certificate. Result: the recipient better identifies your brand and spots a fake faster.

The most common errors

Two SPFs at the same name → Merge into a single value
SPF exceeding 10 lookups → Simplify the includes or use the SPF Flattener
Misspelled DKIM selector → The key becomes unfindable
Truncated public key → Verification fails silently
DMARC without alignment → Message passes but doesn't protect identity
DMARC reports to unmonitored mailbox → You lose observability

TTL and DNS propagation

The network doesn't "propagate" in the strict sense. It caches according to TTL. A short TTL helps during an update. A TTL that's too short over time overloads unnecessarily. A medium TTL (3600-86400s) stabilizes a validated setting. Reduce before a change, restore afterwards.

How to use the CaptainDNS toolbox

SPF, DKIM, DMARC syntax validators

Validators read your raw records and explain each element:

SPF: mechanism order, include, redirect, presence of all, DNS query counting, non-existent IPs and domains. The goal is to stay under 10 lookups and avoid loops.

DKIM: reading tags v, k, p, t, s. Key length verification, detection of truncation, invalid characters and key rotation best practices.

DMARC: reading tags v, p, sp, adkim, aspf, pct, rua, ruf. Verification of chosen alignment and report address validity.

Live record inspectors

Inspectors resolve DNS and display the response as seen from the Internet:

SPF Inspector: unfolds the include chain, shows called domains and where the limit would be exceeded
DKIM Inspector: resolves the selector, extracts the public key and checks format consistency
DMARC Inspector: reads _dmarc.domain, displays the active policy, rua/ruf addresses and enforcement percentage

These tools verify the present, not theory. Ideal for a support ticket or production deployment.

Email deliverability audit

This check analyzes MX, SPF, DKIM and DMARC simultaneously to answer a simple question: is the domain ready to send? It also points to the most likely cause of failure: SPF too permissive, missing DKIM key, unenforced DMARC policy, strict alignment breaking on a subdomain, MX pointing to a CNAME.

DMARC record generator

The generator helps you create complete, RFC-compliant DMARC records:

Domain configuration: simple input with automatic _dmarc hostname generation
Flexible policies: choose between none, quarantine and reject with subdomain handling
Integrated reporting: rua/ruf addresses with validation and implementation guidance
Advanced options: DKIM/SPF alignments, percentages, intervals and failure options

The tool generates the complete record ready to publish and guides to the inspector for post-deployment verification.

BIMI in production

The BIMI validator checks record structure, tests the HTTPS logo URL, verifies Tiny-PS constraints and downloads the VMC when provided. Combined with DMARC enforced at quarantine or reject, it secures your logo display in compatible webmail clients.

MTA-STS for transport security

MTA-STS (RFC 8461) adds a critical layer of protection by enforcing TLS encryption for incoming email. Without MTA-STS, opportunistic TLS can be downgraded by attackers. With MTA-STS, sending servers must use TLS or reject delivery.

MTA-STS tools

Syntax Validator: Paste your DNS TXT record and policy file content. The validator checks version, mode, MX patterns and max_age directives before you publish.

Record Inspector: Enter a domain to fetch the live MTA-STS record and policy file. Verifies TLS certificates and cross-checks MX patterns with actual mail servers.

Generator: Create compliant MTA-STS records and policy files. Configure testing or enforce mode, add MX patterns, set cache duration. Copy-ready output with deployment instructions.

Recommended MTA-STS deployment

Generate the DNS TXT record and policy file
Host the policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
Publish the DNS TXT record at _mta-sts.yourdomain.com
Start in testing mode to identify issues without breaking delivery
Switch to enforce once you've verified all MX servers support TLS
Monitor with TLS-RPT to receive failure reports

Recommended deployment method

Document initial state: DNS captures and Authentication-Results examples
Reduce TTL before changes (300-600s)
Deploy SPF clean and unique, verify with the inspector
Publish DKIM key on a new selector, test the signature
Enable DMARC at p=none, analyze reports, fix then enforce
Add BIMI when DMARC is enforced and logo/VMC pass validation
Restore comfortable TTL (3600-86400s) when stable

Monitoring and daily operations

Configurations evolve with providers, subdomains, microservices and one-off campaigns. Keep a simple cycle: regular checks, report reading, key rotation, cleanup of obsolete includes and selectors. A change should always leave a trace: date, author, previous value, new value, reason. This shortens each diagnosis.

Complementary tools

Tool	Purpose
DNS Propagation Checker	Confirm your DNS changes are visible worldwide
DNS Lookup	Query any DNS record type
IP Whois	Identify the owner of an IP address
IP Blacklist Checker	Check if your IP is blacklisted
Domain Blacklist Checker	Check if your domain is blacklisted

Useful resources

RFC 7208 - Sender Policy Framework (SPF) (official specification)
RFC 6376 - DomainKeys Identified Mail (DKIM) (official specification)
RFC 7489 - Domain-based Message Authentication (DMARC) (official specification)
Google - Email sender guidelines (Gmail requirements)
Microsoft - Email authentication in Microsoft 365 (Outlook/M365 guide)