Skip to main content
Log in
CaptainDNS

Email Diagnostics

Tools to verify and validate your email authentication setup.

SPF
DKIM
DMARC
DMARCbis
BIMI
MTA-STS
TLS-RPT
DANE / TLSA

Deliverability

Email deliverability auditMail header analyzerEmail testerIP Blacklist CheckerDomain Blacklist CheckerSPF FlattenerDKIM Selector FinderSMTP/MX Tester

Secure & Monitor

Record generators, policy hosting and continuous monitoring.

Network & Web

Network tools, web page analysis and certificates.

IP Tools

My IP address

Detect your IPv4/IPv6 addresses and their geolocation.

Reverse lookup

Resolve a PTR record and validate DNS consistency.

IP WhoIs

Identify the owner of an IP range and its contacts.

IPv4 netmask

Calculate network, broadcast and usable hosts for any IPv4 block.

IPv6 subnet calculator

Calculate IPv6 subnets, address ranges and reverse DNS entries.

Certificates & BIMI

BIMI logo lookup

Inspect a BIMI logo URL - format, metadata and live rendering - before rollout.

BIMI SVG converter

Convert any SVG to BIMI-compliant Tiny-PS format in seconds.

CSR parser

Inspect a CSR, extract subject details, fingerprints and requested SANs.

VMC inspector

Inspect a Verified Mark Certificate - issuer, validity and SAN coverage - before you publish BIMI.

Web

Page size checker

Check if your page exceeds Google's 2 MB crawl limit.

Phishing URL Checker

Check if a URL is flagged as phishing or malware by 4 threat intelligence sources.

Redirect Checker

Analyze HTTP redirect chains

Domain Redirect

Redirect your domains with automatic HTTPS and 301/302 redirects.

Developer Tools

Text utilities and tools for everyday dev work.

Text

Transform and measure your content in seconds.

Text case converter

Convert any block of text to upper or lower case instantly.

Slug generator

Transform any sentence into an SEO-friendly slug in seconds.

Word & character counter

Measure the length of any text, with instant word and character counts.

Password generator

Generate strong random passwords and memorable passphrases instantly.

Developer

Encoding, hashing, regex and formatting for everyday dev work.

Base64 encoder / decoder

Encode or decode any content in Base64 without leaving the browser.

Hash Generator

Compute MD5, SHA-1, SHA-256 and SHA-512 hashes of any text.

URL encoder / decoder

Encode or decode text using percent-encoding (RFC 3986) right in your browser.

Regex Tester

Test a regular expression against text and visualize matches.

JSON / YAML Formatter

Format, validate and convert JSON and YAML in one click.

Test your domain's email deliverability

Free DMARC checker, SPF lookup & DKIM validator in one click

Why are your emails going to spam? This free email deliverability test acts as a DMARC checker, SPF lookup, and DKIM validator all in one. Check your domain's inbox placement and get a score out of 100 with priority fixes in seconds.

Deliverability score out of 100

Overall score based on 3 pillars: sending (SPF, DKIM, DMARC, BIMI), receiving (MX, MTA-STS, DANE, TLS-RPT), and DNS security (DNSSEC).

Error and warning diagnostics

Every issue is detected and explained: too many SPF lookups, missing DKIM selector, permissive DMARC policy. Corrective actions included.

Multi-platform support

Test multiple DKIM selectors simultaneously. Ideal if you send through Mailchimp, Brevo, Google Workspace, or other ESPs.

Export and share report

Download the JSON report for your technical team or DNS provider. Priority fixes are highlighted.

RFC standards compliant

Compliance with RFC 7208 (SPF), 6376 (DKIM), 7489 (DMARC), 8461 (MTA-STS), 8460 (TLS-RPT), 6698 (DANE), and Google/Microsoft recommendations.

Why are emails going to spam? Run a deliverability audit

Every email sent goes through a series of DNS checks before reaching the inbox. If a single record is missing or misconfigured, your messages may land in spam - or be silently rejected by recipient servers. This is why you need an email spam test before sending campaigns.

This online email deliverability test (also called "DMARC checker", "SPF lookup tool", "DKIM validator", "domain health check", or "inbox placement test") lets you check your domain email configuration and identify errors to fix to improve your deliverability. The audit analyzes 8 protocols organized into 3 pillars:

Sending (outbound):

ProtocolRoleImpact if missing or invalid
SPFAuthorizes servers to send on your domain's behalfRisk of rejection or spam classification
DKIMCryptographically signs your messagesWeak authentication, spoofing risk
DMARCDefines policy when SPF/DKIM failsNo protection against impersonation
BIMIDisplays your logo in inboxesOptional, enhances visual trust

Receiving (inbound):

ProtocolRoleImpact if missing or invalid
MXIndicates where to receive emailsDomain considered not intended for email
MTA-STSEnforces TLS encryption for inbound emailEmails transmitted in cleartext, vulnerable to interception
DANEAuthenticates MX TLS certificates via DNSSECNo cryptographic verification of mail server
TLS-RPTReceives TLS failure reportsNo visibility into encryption issues

Three main use cases:

  • Before an email campaign → Validate that your domain is ready to send
  • After deliverability issues → Identify which configuration is failing
  • After a platform change → Verify that new DKIM selectors are published

How to use the deliverability audit in 3 steps

Step 1: Enter your domain

Type your sending domain (captaindns.com). If you send through multiple platforms (Mailchimp, Brevo, Google Workspace), add the corresponding DKIM selectors for a complete check.

Where to find your DKIM selectors:

  • Mailchimp: k1 (settings → domain → authentication)
  • Brevo: mail (settings → senders → DKIM)
  • Google Workspace: google (Admin Console → Apps → Gmail → Authentication)
  • Microsoft 365: selector1, selector2 (Admin → Domains → DNS records)

Step 2: Run the analysis

The tool automatically queries your DNS records:

Sending:

  • SPF: Syntax, 10 lookup limit, -all mechanism
  • DKIM: Valid selectors, key ≥2048 bits
  • DMARC: Policy, reports configured
  • BIMI: Valid record, accessible logo

Receiving:

  • MX: Presence, resolution, redundancy
  • MTA-STS: DNS record, HTTPS policy, enforce/testing mode
  • DANE: TLSA records per MX, DNSSEC validation
  • TLS-RPT: Valid record, report destinations configured

Step 3: Review the results

You get:

  • Overall score out of 100 with deliverability badge (Excellent, Good, Fair, Poor)
  • Protocol-by-protocol diagnostics with pass/fail status
  • Corrective actions ranked by priority
  • JSON export to share with your technical team

How does the deliverability score work?

The overall score out of 100 is calculated from 3 weighted pillars:

PillarWeightComponents
Sending (outbound)50%SPF, DKIM, DMARC, BIMI
Receiving (inbound)35%MX, MTA-STS, DANE, TLS-RPT
DNS security15%DNSSEC

Each pillar is scored out of 100 points, then weighted accordingly. The result gives an overall score and grade:

  • Excellent (90-100%): All protocols are correctly configured
  • Good (75-89%): Solid configuration with some optimizations possible
  • Fair (55-74%): Errors or warnings impacting deliverability
  • Poor (<55%): Major blockers, sending compromised

Points breakdown by pillar

Sending (100 points):

ComponentMax pointsMain criteria
DMARC40p=reject policy, rua/ruf reports, strict alignment
SPF30Valid syntax, 10 lookup limit, -all mechanism
DKIM25Valid selectors, key ≥2048 bits, redundancy
BIMI5Valid record, SVG Tiny PS logo, VMC present

Receiving (100 points):

ComponentMax pointsMain criteria
MX40Presence, resolution, redundancy (2+ MX)
MTA-STS30Valid DNS, HTTPS policy, enforce mode
DANE15TLSA records published, DNSSEC signed
TLS-RPT15Valid record, RUA destinations configured

DNS security (100 points):

ComponentMax pointsMain criteria
DNSSEC100Zone signed and chain validated

Common errors detected by the audit

SPF: too many DNS lookups (permerror)

SPF is limited to 10 DNS lookups. Beyond that, resolvers return permerror and ignore your policy. The audit counts your lookups and flags overages.

Symptom: Low SPF score despite having a record

Diagnosis:

  • Number of lookups = 12 ❌
  • Nested include: detected

Action: Replace include: directives with direct IP ranges or use our SPF Flattener to automatically flatten your record.

DKIM: selector not found

Each sending platform uses a different DKIM selector. If the selector isn't published in your DNS, DKIM signing fails consistently.

Symptom: DKIM fails even though you configured it

Diagnosis:

  • Selector k1._domainkey.yourdomain.com = ❌ NXDOMAIN
  • Key not found

Action: Get the correct selector from your ESP and publish the corresponding TXT record.

DMARC: policy too permissive

A p=none policy offers no protection against impersonation. Email providers won't block unauthenticated emails.

Symptom: DMARC present but no active protection

Diagnosis:

  • Policy = p=none ⚠️
  • Reports = not configured

Action: Gradually move to p=quarantine then p=reject while monitoring DMARC reports (rua).

MX: missing or invalid record

Without an MX record, your domain cannot receive emails. Some filters also consider a domain without MX as not legitimate for sending.

Symptom: MX score at 0

Diagnosis:

  • MX = ❌ No record found

Action: Publish at least one valid MX, or a null MX (0 .) if the domain isn't meant to receive emails.

How to improve your domain's email deliverability?

Here are priority actions to improve your deliverability, ranked by impact:

Sending:

PriorityActionImpact
1. CriticalConfigure SPF with -all and stay under 10 lookupsAvoids server rejection
2. HighPublish DKIM with ≥2048 bit key for each ESPAuthentic email signature
3. HighMove DMARC to p=quarantine then p=rejectProtection against spoofing
4. MediumConfigure DMARC reports (rua) via DMARC MonitoringFailure monitoring
5. OptionalAdd BIMI with certified logoEnhances visual trust

Receiving:

PriorityActionImpact
1. HighPublish at least 2 MX records for redundancyGuarantees reception even if one server is down
2. MediumDeploy MTA-STS in enforce modeForces TLS encryption for inbound email
3. LowPublish a TLS-RPT recordReceive TLS connection failure reports
4. LowAdd DANE/TLSA records (if DNSSEC is active)Cryptographic authentication of MX certificates

Tip: Use this tool regularly (before each campaign, after ESP changes) to detect issues before they impact your sends.

Real-world use cases

Issue 1: Marketing campaign with 80% in spam

Symptom: You send a newsletter via Mailchimp, but most of it lands in spam.

Audit diagnosis:

  • MX = ✅ Pass
  • SPF = ❌ Fail → 14 lookups (limit exceeded)
  • DKIM = ❌ Fail → Selector k1 not found
  • DMARC = ⚠️ p=none

Priority actions:

  1. Flatten SPF to get under 10 lookups
  2. Publish Mailchimp's DKIM CNAME
  3. Move DMARC to p=quarantine

Issue 2: B2B emails rejected by Microsoft 365

Symptom: Your business emails are rejected by clients using Outlook/Microsoft 365.

Audit diagnosis:

  • SPF = ✅ Pass
  • DKIM = ✅ Pass
  • DMARC = ❌ Fail → Policy p=reject but alignment failed

Priority actions:

  1. Verify that the From domain matches the DKIM domain (strict alignment)
  2. Configure aspf=r and adkim=r for relaxed alignment

Issue 3: Migration to Google Workspace

Symptom: After migrating to Google Workspace, emails land in spam.

Audit diagnosis:

  • SPF = ⚠️ Warning → include:_spf.google.com missing
  • DKIM = ❌ Fail → Selector google not published

Priority actions:

  1. Add include:_spf.google.com to SPF
  2. Generate and publish DKIM key from Admin Console

FAQ - Frequently asked questions

Q: What exactly does the deliverability audit check?

A: The audit analyzes 8 protocols organized into 3 pillars:

Sending: SPF (authorized servers), DKIM (cryptographic signature), DMARC (authentication policy), BIMI (brand logo)

Receiving: MX (receiving servers), MTA-STS (forced TLS encryption), DANE (certificate authentication via DNSSEC), TLS-RPT (TLS failure reports)

DNS security: DNSSEC (DNS zone signing)

Q: How does the deliverability score work?

A: The score out of 100 combines 3 weighted pillars:

  • Sending (50%): SPF (30 pts), DKIM (25 pts), DMARC (40 pts), BIMI (5 pts)
  • Receiving (35%): MX (40 pts), MTA-STS (30 pts), DANE (15 pts), TLS-RPT (15 pts)
  • DNS security (15%): DNSSEC (100 pts)

Each pillar is scored out of 100, then weighted. A score above 90% indicates optimal configuration.

Q: Why does my SPF show "too many lookups"?

A: SPF is limited to 10 DNS lookups (RFC 7208). Each include:, a:, mx:, or redirect= counts as a lookup. If you use multiple ESPs (Mailchimp + Brevo + Google), you can easily exceed this limit.

Solution: Use our SPF Flattener to resolve includes into direct IPs.

Q: How do I add a DKIM selector?

A: Each ESP uses a different selector:

  • Mailchimp: k1
  • Brevo: mail
  • Google Workspace: google
  • Microsoft 365: selector1, selector2

Add the selector to the audit form to verify it's correctly published.

Q: What DMARC policy should I use?

A: Recommended progression:

  1. p=none: Monitor without action (start)
  2. p=quarantine: Send suspicious emails to spam
  3. p=reject: Reject unauthenticated emails (maximum protection)

Always configure reports (rua) to track authentication failures.

Q: Is the audit free?

A: Yes, the deliverability audit is 100% free with no registration required. Enter your domain and get results immediately.

Q: Is my data stored?

A: The audit only queries your domain's public DNS records. This information is accessible to anyone via standard DNS queries. We don't store your data.

Complementary tools

ToolPurpose
Email Header AnalyzerCheck SPF/DKIM/DMARC verdicts on a received email
SPF InspectorAnalyze your SPF record in detail
SPF FlattenerFlatten your SPF to stay under the 10 DNS lookup limit
DKIM InspectorValidate your DKIM keys selector by selector
DMARC InspectorBreak down and test your DMARC policy
DNS Propagation CheckerConfirm your DNS records are propagated globally
IP Blacklist CheckerCheck if your IP is blacklisted
Domain Blacklist CheckerCheck if your domain is blacklisted
DMARC MonitoringCollect and visualize DMARC aggregate reports for your domains
TLS-RPT Report AnalyzerAnalyze TLS-RPT reports received by email

Useful resources