Email Authentication Checker

Description of the control

Use this control to run SPF, DMARC, and DKIM DNS validations directly from the site. It is intended to help administrators review published email authentication records for a domain, optionally compare behavior for a subdomain, and interpret the resulting posture output from the SPF / DMARC / DKIM overview panel.

Procedure

1. Open Posture Management.
2. Select Email & DNS Security.
3. In the Email Authentication Checker card, enter the domain you want to review in Domain.
4. If needed, enter a value in Check subdomain (optional) to test a specific subdomain.
5. In DKIM selectors (comma-separated), keep the default selector list or replace it with the selectors used by the domain’s actual sending services.
6. Review the help text that notes selectors default to common values and that DNS lookups are cached for 10 minutes.
7. Select Run Checks.
8. After the check completes, review the Last DNS Auth Results card.
9. If the output appears stale after DNS changes, select Clear Cache and run the check again.

Validation

Confirm that the Last DNS Auth Results section updates for the tested target and shows the expected domain or subdomain. Verify that the submitted selectors are reflected in the DKIM details and that the displayed SPF, DMARC, and DKIM results correspond to the records currently published in DNS.

Reading the output

The SPF / DMARC / DKIM overview table gives a quick summary for each record type using the columns Record, Result, Findings, and Syntax. Use this table first to determine whether each record passed, failed, or needs additional review before opening the detail sections.

In the example output, SPF shows Pass, 7 lookups, and Valid syntax. This indicates that an SPF TXT record was found and parsed successfully, and that the checker estimated seven DNS lookups for the published SPF policy.

For DMARC, the summary shows Pass, p=reject, and Valid syntax. This means a DMARC record is present, the syntax is valid, and the effective policy shown in the findings column is reject.

For DKIM, the summary shows Fail, 0/1 selectors found, and Not Found. This means the checker looked for the submitted selector or selectors and did not find a matching DKIM TXT record for the tested target.

Interpreting details

Open Show Details to review the expanded evidence for each record type. The detail tables provide the exact Record TXT value when found, along with Mechanism notes or per-selector findings that explain why a result passed or failed.

In SPF Details, review Syntax, Record TXT, and Mechanism notes together. For example, Soft fail (~all) means the domain publishes a soft-fail qualifier, 1 include mechanism shows that the record references one included policy, and 7 estimated DNS lookups helps indicate how complex the SPF evaluation path is.

In DMARC Details, review the Record TXT and Mechanism notes to understand the published enforcement and reporting posture. In the sample output, Policy p=reject indicates a rejecting DMARC policy, Alignment DKIM=R, SPF=R shows relaxed alignment, and Reporting not configured means aggregate or forensic reporting addresses are not present in the record.

In DKIM Details, each selector is listed separately with Selector, Status, Syntax, Record, and Finding. A selector row showing Fail, Not found, and No DKIM TXT record detected means that specific selector did not resolve to a DKIM TXT record for the tested domain.

Practical interpretation guidance

Use Pass in the summary table to confirm that a record exists and was parsed successfully, then use the detail tables to understand the exact published values. Use Fail or Not Found as a sign to verify whether the record is actually missing, whether the wrong selector was tested, or whether the lookup was performed before DNS changes had propagated.

When DKIM results look incomplete, first confirm that the correct selectors were entered for the mail platform in use. When SPF or DMARC syntax is valid but the mechanism notes show softer or less complete settings, use the detail text to decide whether the record is acceptable for the site’s operational requirements.