DNS terms related to SPF, DKIM, DMARC, and email authentication records.
SPF, or Sender Policy Framework, is an email authentication mechanism published as a TXT record. It lists which servers are allowed to send email for a domain. To check an SPF record, use spfproblem.com.
DKIM, or DomainKeys Identified Mail, uses cryptographic signatures to show that an email was authorised by the sending domain and was not changed in transit. To check a DKIM record, use dkimproblem.com.
DMARC builds on SPF and DKIM. It lets a domain publish policy and reporting instructions for mail that fails authentication or alignment checks. To check a DMARC record, use dmarcproblem.com.
Forward confirmed reverse DNS means an IP address has a PTR record pointing to a hostname, and that hostname also resolves back to the same IP address. It is often relevant for mail server reputation checks.
Alignment is a DMARC concept. It checks whether the domain authenticated by SPF or DKIM matches, or is closely related to, the visible From domain in the email message.
A message can pass SPF or DKIM technically but still fail DMARC if the authenticated domain does not align with the domain the recipient sees in the From address.
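The alignment check described above can be shown as a short evaluator. This is an added example, not code from the original page. It assumes SPF and DKIM results are already known, uses a constructed five-entry stand-in for the Public Suffix List, and uses constructed domains. The `aspf` and `adkim` parameters follow the DMARC tag names for strict or relaxed alignment, which the page itself does not name.

```python
# Constructed stand-in for the Public Suffix List; real evaluators load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):              # longest candidate suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i else None  # bare suffix: no org domain
    return None                               # suffix not in the (constructed) list


def aligned(auth_domain, from_domain, mode="r"):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) is not None and org_domain(a) == org_domain(f)


def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf and dkim are (passed, authenticated_domain) tuples from earlier checks."""
    spf_ok = spf[0] and aligned(spf[1], from_domain, aspf)
    dkim_ok = dkim[0] and aligned(dkim[1], from_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


# Constructed cases: (description, From domain, SPF result, DKIM result, aspf, adkim)
CASES = [
    ("SPF and DKIM pass, both for sender's own domain", "example.com",
     (True, "bounce.esp-mail.net"), (True, "esp-mail.net"), "r", "r"),
    ("SPF passes for a subdomain, relaxed", "example.com",
     (True, "bounces.example.com"), (False, ""), "r", "r"),
    ("SPF passes for a subdomain, strict", "example.com",
     (True, "bounces.example.com"), (False, ""), "s", "s"),
    ("DKIM signed by the organizational domain", "news.example.co.uk",
     (False, ""), (True, "example.co.uk"), "r", "r"),
]

if __name__ == "__main__":
    for name, from_domain, spf, dkim, aspf, adkim in CASES:
        print(f"{name:50} -> {dmarc_result(from_domain, spf, dkim, aspf, adkim)}")
```

The first case is the situation the text describes: both mechanisms pass, but neither authenticated domain relates to the visible From domain, so DMARC fails.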
BIMI, or Brand Indicators for Message Identification, lets a domain publish brand logo information in DNS. Mailbox providers that support BIMI may show the logo when the domain also has suitable email authentication in place.
BIMI is normally published as a TXT record, often at a name such as default._bimi.example.com.
MTA-STS, or Mail Transfer Agent Strict Transport Security, lets a domain tell sending mail servers that inbound email should be delivered using TLS to approved MX hosts.
MTA-STS uses a DNS TXT record at _mta-sts.example.com and a policy file served over HTTPS. It helps reduce the risk of downgrade or interception attacks against mail delivery.
TLS-RPT is SMTP TLS Reporting. It lets a domain request reports about mail delivery TLS problems, including failures related to MTA-STS.
TLS-RPT is published as a DNS TXT record at _smtp._tls.example.com, usually with a reporting address where aggregate reports should be sent.