Free Cold Email DNS Checker
Audit your domain's SPF, DKIM, and DMARC records in seconds. A missing or misconfigured record can send 50% of your cold emails to spam — this tool shows you exactly what to fix.
No signup. No email required. Built by engineers who set up cold email infrastructure for US B2B teams.
What This DNS Checker Audits
Four DNS records decide whether your cold emails reach the inbox or hit spam. This tool runs a live lookup on every one of them and reports exactly what is missing or misconfigured.
SPF (Sender Policy Framework)
Lists the servers allowed to send email from your domain. A missing or permissive SPF record lets spammers spoof your brand and tanks deliverability. Must end in -all, never ~all.
DKIM (DomainKeys Identified Mail)
Cryptographically signs every outbound email so receivers verify the message wasn't tampered with. Google's 2023 guidance requires 2048-bit keys. 1024-bit keys are flagged as weak and downweighted.
DMARC (Domain-based Authentication)
Tells receiving servers what to do when SPF or DKIM fail. Start at p=none for monitoring, graduate to p=quarantine, then p=reject. Gmail and Yahoo require it on any sender above 5,000 messages/day since February 2024.
MX (Mail Exchange)
Routes incoming mail to your mailbox provider. Misconfigured MX records cause replies to bounce — which is how you lose booked meetings after someone actually engaged with your cold email.
How to Use This Tool
- 1Enter your sending domain. Either the root domain (
yourdomain.com) or a full email address — the tool strips the @ prefix. - 2Pick your DKIM selector. Google Workspace uses
google, Microsoft 365 usesselector1. Pick "Custom" for other providers. - 3Read the health score. Anything above 80 is a passing grade. Below that, the report lists each broken record with its current value and the suggested fix.
- 4Apply the fixes at your registrar. The suggested values are copy-paste ready for Cloudflare, Namecheap, GoDaddy, or any DNS provider.
Common DNS Issues This Tool Catches
- ✗ SPF record missing entirely — the #1 reason cold emails go to spam on new domains.
- ✗ SPF with
~allsoft fail instead of-allhard fail. - ✗ Multiple SPF records on one domain — automatic authentication failure.
- ✗ SPF with too many nested lookups (hard limit is 10).
- ✗ DKIM key present but only 1024-bit instead of 2048-bit.
- ✗ DMARC stuck at
p=nonewithout a reporting address. - ✗ No DMARC record at all — disqualifies you from Gmail/Yahoo bulk sending since Feb 2024.
For the full technical breakdown, read our complete SPF, DKIM, and DMARC guide.
Frequently Asked Questions
Is this DNS checker free?→
Yes, completely free. No signup, no email required, no usage limits. We built it to audit client domains during cold email infrastructure builds, then opened it up publicly.
How do I find my DKIM selector?→
For Google Workspace, the selector is google. For Microsoft 365, it's selector1 (or selector2). If you're using a third-party sender like SendGrid or Mailgun, they provide the selector in their setup docs — paste it in the "Custom" field.
Why did my cold emails start going to spam?→
95% of the time it's a DNS issue — a broken SPF record, an expired DKIM key, or a DMARC policy that was misconfigured. The other 5% is a reputation issue from bulk sending before warmup. Run this tool first; if everything passes green, the problem is reputation, not authentication.
Does this tool check Google Workspace and Microsoft 365 domains?→
Yes — both platforms are first-class. Use the "Google" selector for Workspace and "Microsoft" for Microsoft 365. If you run a hybrid setup (some domains on each), run the audit twice with different selectors.
What score should I aim for?→
Target 90+. Above 80 is passing but has room to improve. Below 80 means at least one authentication record is missing or wrong — your cold emails are leaking to spam. The report tells you exactly which record to fix.
Do I need to re-check after fixing my DNS?→
Yes, but wait 15–60 minutes after making changes for DNS propagation. Some records (especially DMARC) can take up to 48 hours to fully propagate across global resolvers. Re-run the check until you see green across the board.