New Playbook: Cold Email Infrastructure Setup Guide

Read Now arrow_forward
Mailsfinder Mailsfinder
Mailsfinder Mailsfinder
Pricing
Compare
Contact
Log In Start Free Trial
Free Tool, No Signup

Free domain deliverability checker: MX, SPF, DMARC, DKIM in one click

Paste a domain. Get a 0-100 deliverability score, full breakdown of MX, SPF, DMARC and DKIM, a list of issues, and a fix plan. 30 free checks per day, no signup.

Try it

shield Paste a domain like stripe.com to check MX, SPF, DMARC and DKIM.

What is email authentication

Email authentication is the set of DNS-level records that tell receiving mail servers whether an email actually came from your domain or from a spoofer. Without it, Gmail, Outlook and Yahoo cannot tell the difference between you and a phisher using your domain, so your mail lands in spam or fails outright.

Four records do the work. MX tells receivers where to deliver inbound mail. SPF lists the IPs allowed to send outbound mail on your behalf. DKIM cryptographically signs each message so the receiver can verify nothing was tampered with in flight. DMARC ties SPF and DKIM together, tells receivers what to do when a message fails, and gives you reports so you can see who is sending as your domain.

Since February 2024, Gmail and Yahoo have required SPF, DKIM and DMARC for any sender pushing more than 5,000 messages per day. Skip them and your reply rate craters because nothing reaches the inbox. Set them up correctly once and deliverability becomes a stable baseline you can build campaigns on top of.

What each record does

dns

MX

Mail exchange records point at the servers that accept inbound mail for your domain. No MX means the domain cannot receive replies, so cold outreach is one-way and broken. Most providers publish two or three MX hosts with different priorities for failover.

verified_user

SPF

Sender Policy Framework lists every server allowed to send mail on behalf of your domain. A correct SPF ends in ~all (soft fail) or -all (hard fail). The 10 DNS lookup limit kills SPF for senders with too many includes, so keep it lean.

key

DKIM

DomainKeys Identified Mail signs every outbound message with a private key, and publishes the public key in DNS under a selector. Receivers verify the signature so they know nothing was changed in transit and that the message really came from your sending infrastructure.

policy

DMARC

Domain-based Message Authentication, Reporting and Conformance is the policy layer. It tells receivers what to do when SPF or DKIM fails (none, quarantine, reject), and gives you aggregate reports via the rua tag so you can spot spoofers and misconfigurations.

Why deliverability matters

2%

Bounce rate threshold that flags your sending domain. Cross it, and provider reputation drops within a single sending session.

30 days

Typical recovery window once a domain has been flagged. During those 30 days, you are sending into spam and burning through pipeline.

99%

Inbox placement rate to aim for with verified lists, full authentication, and warmed sending IPs. Anything lower is leaving replies on the table.

How to fix common issues

Missing SPF

Add a TXT record at the root of your domain. For Google Workspace, start with v=spf1 include:_spf.google.com ~all. For Microsoft 365, use v=spf1 include:spf.protection.outlook.com -all. Add includes for every other sender (sequencer, transactional, support tool) and keep the total under 10 DNS lookups.

Missing or weak DMARC

Publish a TXT record at _dmarc.yourdomain.com. Start with v=DMARC1; p=none; rua=mailto:reports@yourdomain.com to gather aggregate reports for 4 weeks. After reviewing, move to p=quarantine, then p=reject once nothing legitimate is failing.

Missing DKIM

Enable DKIM signing in your email provider's admin console (Google Workspace, Microsoft 365, AWS SES, Mailgun, etc.). The provider gives you a selector record (often a CNAME or TXT) to add at selector._domainkey.yourdomain.com. Wait for DNS to propagate, then test by sending yourself a message and checking the headers.

SPF too permissive

If your SPF ends in ?all or +all, anyone can pass SPF as you. Audit every legitimate sending source, list them in includes or ip4 entries, then tighten the policy to ~all or -all.

Pricing

Free

$0

100 verified lookups per day, forever. No card.

Monthly

$9.99/mo

300,000 credits per cycle.

Lifetime

$249 once

2,000,000 credits, lifetime pool.

Frequently asked questions

Does the checker actually query DNS or just guess? expand_more
Real DNS lookups. The backend uses PHP's dns_get_record to pull MX, TXT (SPF, DMARC) and DKIM selector records directly from your authoritative nameservers. Nothing is cached for more than a few seconds, so a record you add now will show up almost immediately.
Why might DKIM show as missing when I know I set it up? expand_more
DKIM uses a selector, a short label chosen by your provider. The checker probes the most common public selectors (default, google, selector1, selector2, k1, s1, dkim) but it cannot guess a custom selector. If your provider uses something unique, DKIM may still be configured correctly even when the checker shows no selectors found. Send yourself a test message and inspect the headers to confirm.
What is a good deliverability score? expand_more
80 or above is Strong, meaning MX, SPF, DMARC and DKIM are all present and the SPF and DMARC policies are not permissive. 60 to 79 is Acceptable, usually missing one record or running DMARC at p=none. Anything under 60 means at least two of the four pillars are missing, and you should fix before sending real volume.
Does a high score guarantee inbox placement? expand_more
No. A high score means the authentication scaffolding is in place, which is the floor. Actual inbox placement also depends on sender reputation, content, engagement, list hygiene (verified versus catch-all addresses), warm-up history, and complaint rate. Authentication is necessary but not sufficient.
Can I check competitor or prospect domains? expand_more
Yes. DNS is public, so any domain can be checked. The Mailsfinder verifier goes a layer deeper, flagging catch-all domains and risky addresses on a per-mailbox basis, which is what you actually need when prospecting at scale.

Authentication checked, now verify the list

Mailsfinder verifies every address against the deliverability of the receiving domain. 100 free credits per day, no card.

Get 100 free credits/day Talk to Sales