Type a domain. See the verdict.
Live DNS lookups over DNS-over-HTTPS (Cloudflare 1.1.1.1), parsed in your browser. We probe the common DKIM selectors for Google Workspace, Microsoft 365, SendGrid, SES, Mailgun, Postmark, Mailchimp — and validate BIMI assets when they're present. The same checks a Solution Architect runs by hand — but instant, and free.
Every lookup runs directly from your browser against Cloudflare's public DNS-over-HTTPS endpoint. We don't store the domain, we don't log the result. Deep VMC certificate validation (EKU, LogotypeExtension, hash binding) requires our CLI / backend — linked below in Sources.
Enter a domain or pick one of the presets to start the audit.
Four protocols. Four ways to fail silently.
Each protocol exists because the previous one wasn't enough. SMTP from 1981 trusts anyone. SPF added a guest list. DKIM added a signature. DMARC added enforcement. BIMI added a face. Skip any one of them and the chain breaks — without bouncing.
SPF — the guest list at the door
An owner-controlled TXT record at the apex domain that lists every IP allowed to send mail as you. Receivers check: does the sending IP appear here? If not — spoofed. The catch: SPF allows at most 10 DNS lookups during evaluation. Once you exceed that, it silently treats the record as if it didn't exist.
DKIM — the wax seal on the envelope
The sending server signs each message with a private key. The matching public key lives at
DMARC — the boss of all bosses
If SPF and DKIM both fail — DMARC decides what happens. p=none just reports. p=quarantine ships failing mail to spam. p=reject drops it at the SMTP layer. Add rua= to get aggregate XML reports of every server trying to send as you — that's how you discover ongoing spoofing.
BIMI — the brand logo in the inbox
With DMARC enforcing, you can publish a BIMI record pointing at an SVG Tiny PS logo and a VMC certificate. Gmail, Yahoo, Apple Mail, Fastmail render that logo next to your name. Most setups silently fail on one of three things: the SVG isn't Tiny PS, the certificate isn't from a recognized CA, or the logo hash in the cert doesn't match the SVG byte-for-byte.
The protocols, straight from the source.
Every check this widget runs maps to a public RFC, a CA-published spec, or a major mailbox provider's published requirements. Click through and read.
One audit. Two ways to fix it.
Once the widget tells you which layer is broken, you have a choice. Run the same audit yourself — as a Claude Code skill from the pirxey/skills set, step by step, in your terminal. Or hand it to us and we'll fix it across every sending domain, vendor, and ESP you run.
The same audit, as a Claude Code skill.
The exact logic that powers this page — DKIM selector probing, BIMI SVG Tiny PS conformance, full VMC certificate chain validation — lives as a step-by-step skill inside the pirxey/skills set. Install once, then ask Claude to audit any domain and walk you through each fix.
npx skills add https://github.com/pirxey/skills --skill email-auth-auditOr let Pirxey do it for you.
Running multiple domains? Mixing Google Workspace, SendGrid, Mailchimp, and a transactional vendor? About to enforce p=reject without breaking marketing? We audit, fix, and monitor every layer for you — SPF flattening, DKIM rotation, DMARC enforcement rollout, BIMI publication with VMC procurement.