How to check SPF/DKIM/DMARC are correctly set

It’s essential that you set up SPF, DKIM, and DMARC authentication methods for email. Together, they help prevent spammers, phishers, and other unauthorized parties from sending emails on behalf of a domain they do not own. After you configure these authentication methods for your domain, you should test that it’s set up without errors. In this article, you will learn how to check the SPF/DKIM/DMARC authentication methods are correctly set.

Table of contents

Configure SPF/DKIM/DMARC records

You must first configure all three SPF/DKIM/DMARC authentication methods for your domain. For Exchange Server on-premises and Exchange Online (Microsoft 365/Office 365), you need to follow the below articles:

Exchange Server on-premisesExchange Online
SPFSPF
DKIM*DKIM
DMARC*DMARC

*There is no official DKIM and DMARC support for Exchange Server, and we recommend integrating the SpamBull cloud spam filter to set up DKIM and DMARC for all outgoing messages. It’s an excellent third-party hygiene solution to implement in your infrastructure.

If you have another mail provider than Microsoft Exchange Server or Microsoft 365, you should check their KB articles and configure the records for every domain you own. The configuration steps are almost the same on every platform.

Check SPF/DKIM/DMARC authentication methods

Dmarcian and other online tools are great for filling in your domain and checking if the SPF, DKIM, and DMARC records are set up. But is it the ultimate test to check if SPF, DKIM, and DMARC are set up correctly? No, it’s not, and here is why:

Set both the DKIM and SPF records for your domain. After that, check the domain with Dmarcian. It will show that it’s set up correctly. But you have not added all the include mechanisms in your SPF. Also, the DKIM is disabled on your mail server.

How to check SPF DKIM DMARC are correctly set Dmarcian

So, both the records appear good in Dmarcian when you check it, but it will not pass both the SPF and DKIM checks when you send an email. Unfortunately, Dmarcian and all the online tools cannot check if it’s set up correctly. That’s because it looks only at the DNS records that are published.

The only way to test that SPF, DKIM, and DMARC are set up correctly is by sending an email and checking the message headers.

To simplify the process and go through the message header, you can send a test email to CheckTLS. The CheckTLS website lets you look at your outgoing email security. An email will arrive in your inbox that tells you if SPF, DKIM, and DMARC are set correctly or not. It is for people who want to check that their email is safe, secure, and compliant with all laws and regulations.

Check SPF/DKIM/DMARC with CheckTLS

The most straightforward way to confirm that SPF/DKIM/DMARC are set correctly is to follow the below steps:

  1. Go to CheckTLS
  2. Click Select Extra Items to Show
How to check SPF DKIM DMARC are correctly set CheckTLS
  1. Select SPF Info, DKIM Info, and DMARC Info
  2. Click on Start Listener
How to check SPF DKIM DMARC are correctly set CheckTLS extra items
  1. Copy the information below
How to check SPF DKIM DMARC are correctly set CheckTLS instructions
  1. Start Outlook, Outlook Web Access, or another mail client
  2. Fill in the information that you copied
  3. Send the email
Send email to CheckTLS
  1. An email will appear in your inbox

Note: It can take a couple of minutes before the email arrives.

  1. Open the email and verify the values for SPF/DKIM/DMARC:
  • DMARC_result: pass
  • DMARC_dkim: pass
  • DMARC_spf: pass
  • DMARC_published.p: reject
CheckTLS email report

Note: If the values are not set correctly, and you need to change your records in Public DNS, remember that it takes time when you add or edit records. So, wait a couple of hours before you do a test again with CheckTLS.

That’s it! You successfully checked that SPF/DKIM/DMARC records are set up correctly for your domain.

Read more: Save sent items in shared mailbox with PowerShell »

Conclusion

You learned how to check SPF/DKIM/DMARC are correctly set for your domain. The test works for every mail provider. It doesn’t matter if you have Microsoft 365 or another mail provider such as Google Workspace. What’s important is that you look carefully at the results and that the SPF, DKIM, and DMARC values are set up as they should.

Domains that have not set up SPF, DKIM, and DMARC correctly may find that their emails get quarantined as spam or are not delivered to their recipients. They are also in danger of having spammers impersonate them.

Did you enjoy this article? You may also like Export inactive users from Active Directory report. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

X TwitterLinkedIn

What Others Are Reading

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *