Skip to content
OutboundQA

Free tool

SPF DKIM DMARC checker for cold email

Run the three core authentication checks together before a cold email campaign goes live: SPF, DKIM, and DMARC.

This checks SPF, DKIM, and DMARC for one domain. For a real launch verdict, run every domain, inbox, and tracking domain through the full QA pass.

Runs live in your browser via public DNS. Nothing is stored.

How to read the authentication result

A launch-ready sending domain needs one valid SPF record, a DKIM key for the selector your sending platform uses, and a DMARC record at _dmarc.yourdomain.com. This checker runs all three lookups together so you can spot missing records before an outbound campaign starts.

Treat warnings as launch risk, not trivia. A p=none DMARC policy may be acceptable during setup, and a DKIM CNAME can be valid, but both need a deliberate review before you send volume.

Where this fits in cold email QA

SPF, DKIM, and DMARC prove the domain is authenticated. They do not prove the inbox can receive replies, the tracking domain has valid SSL, the domain is clear of blacklists, or the full workspace is ready to launch.

For a single domain, use this as the authentication checkpoint. For a real launch, run the full OutboundQA pass across every sending domain, inbox, and tracking domain so the team has a verdict and a shareable report.

What this check does not catch

A passing SPF, DKIM, and DMARC lookup is useful, but it is not launch signoff. Cold email campaigns still fail when adjacent records, tracking domains, or inbox-level settings are broken.

MX readiness
tracking-domain SSL
blacklist status
domain age
inbox-level setup
Google and Yahoo sender requirements

Setup guides for this check

Read the setup notes behind this result, then verify the neighboring records before launch.

Need to check a full outbound workspace?

OutboundQA checks every domain, inbox, and tracking domain in the workspace, then gives you a shareable report with a Ready, Needs Fix, or Do Not Launch verdict.

Questions

It checks the three authentication records receivers use to decide whether mail is allowed, signed, and covered by a domain policy. SPF lists approved senders, DKIM verifies the message signature, and DMARC tells receivers what to do when authentication fails.

DKIM records are published under a selector, such as google, selector1, s1, or a provider-specific value. The selector has to match the platform that will send the campaign, so a real DKIM check needs both the domain and selector.

No. Passing authentication is necessary, but it is not full launch signoff. A full check also covers MX, tracking-domain SSL, blacklist status, domain age, inbox setup, and Google/Yahoo sender requirements across the workspace.