What is an SPF record and how do I check it?

An SPF record is a DNS TXT record that specifies which mail servers are authorised to send email for your domain. Use the Email Domain Checker above to check your SPF record instantly.

How do I check my DMARC record?

DMARC records are stored at _dmarc.yourdomain.com. Use the DMARC Policy Explainer above to look up your record and get a plain-English explanation of your policy strength.

How do I analyse email headers to check for phishing?

In Outlook: open the email, go to File then Properties, copy the Internet Headers. In Gmail: open the email, click the three dots and select Show Original. Paste the headers into the Email Header Analyser above.

Free Email Security Tools for IT Administrators and MSPs

Five free tools for checking and diagnosing email security configuration. Check SPF, DMARC and DKIM records for any domain, analyse email headers to detect phishing, validate SPF record lookup limits, understand DMARC policies in plain English, and identify what email provider any domain is using.

No login required. All results are generated in your browser using the Cloudflare public DNS resolver. Built for IT administrators, MSPs, and security teams managing Microsoft 365 environments.

Free Email Security Tools - SPF, DMARC, DKIM Checker | Sabiki

Free tools — no login required

Free Email Security Tools for Administrators and MSPs

Check SPF, DMARC and DKIM records, analyse email headers, validate SPF lookup limits, explain DMARC policies, check domain blacklists, and identify email providers. All free, all instant, nothing stored.

Use these tools to audit email authentication for any domain, investigate phishing emails, diagnose SPF failures, understand DMARC policies, check if a domain is blacklisted, and identify what email platform a domain is running on. Built for IT administrators, MSPs, and security teams. No account needed — results are generated entirely in your browser.

Email Domain Checker

Check SPF, DKIM and DMARC for any domain with a security score

Email Header Analyser

Paste raw headers to detect phishing indicators and auth failures

SPF Record Flattener

Resolve SPF include chains and validate the 10 DNS lookup limit

DMARC Policy Explainer

Understand your DMARC record in plain English with a strength score

MX Record Lookup

Look up MX records and identify the email provider automatically

Blacklist Checker

Check if your domain is listed on major email blacklists

Domain Checker

Header Analyser

SPF Flattener

DMARC Explainer

MX Lookup

Blacklist Check

Email Domain Checker

Check SPF, DKIM and DMARC records for any domain. Tests 25+ common DKIM selectors automatically and gives an overall email security score.

Link copied!

About this tool

What does an email domain security check test?

This tool checks SPF (which servers can send email for your domain), DKIM (cryptographic signature verifying email integrity), and DMARC (policy for handling emails that fail authentication). Together these protect your domain from spoofing and phishing.

Why can I not see my DKIM record?

DKIM records live at a selector-specific subdomain. This tool tests 25+ common selectors automatically. If your domain uses a custom selector it may not be found — contact your email provider for the correct selector name.

Want full email security for your M365 tenants?

Try Sabiki free

Email Header Analyser

Paste raw email headers to visualise the delivery path, authentication results, and detect phishing indicators like mismatched Reply-To addresses and SPF failures.

About this tool

How do I get email headers in Outlook?

Open the email, click File, then Properties. The Internet Headers box contains the full raw headers. Select all, copy, and paste above.

How do I get email headers in Gmail?

Open the email, click the three-dot menu, and select Show original. Copy all the text and paste above.

What phishing indicators does this tool detect?

Mismatched Reply-To addresses, Return-Path domain mismatches, SPF failures, DKIM signature failures, DMARC failures, missing DKIM signatures, and suspicious originating IPs.

Investigating phishing across multiple tenants?

See Sabiki Email Security

SPF Record Flattener and Validator

Fetch and validate an SPF record. Recursively resolves all include: chains, counts DNS lookups against the 10-lookup limit, and lists all permitted IP ranges.

Link copied!

About this tool

What is the SPF 10 DNS lookup limit?

SPF records can trigger a maximum of 10 DNS lookups during evaluation. Exceeding this causes a permerror which can result in legitimate emails being rejected.

What does flattening an SPF record mean?

Flattening replaces all include: directives with the underlying IP addresses so the SPF record resolves in a single DNS lookup, keeping you within the 10-lookup limit.

Secure your clients M365 identities automatically.

See Tenant Shield

DMARC Policy Explainer

Look up a DMARC record and get a plain-English explanation of every tag, what the policy does, what happens to failing emails, and a policy strength score.

Link copied!

About this tool

What is the difference between p=none, p=quarantine and p=reject?

p=none means monitor only with no emails blocked. p=quarantine sends failing emails to spam. p=reject blocks failing emails entirely. Most organisations should work toward p=reject.

What are DMARC aggregate reports?

Daily XML summaries from receiving mail servers showing who is sending email on behalf of your domain and whether they passed authentication. Add rua=mailto:your@email.com to enable them.

Want to see the full security posture of any M365 tenant?

Try Sabiki free

MX Record Lookup and Provider Identifier

Look up MX records for any domain and automatically identify the email provider — Microsoft 365, Google Workspace, Mimecast, Proofpoint, and more.

Link copied!

About this tool

What is an MX record?

An MX (Mail Exchanger) record specifies which mail server is responsible for receiving email for a domain. Lower priority numbers indicate higher preference.

How can I tell if a domain uses Microsoft 365 for email?

Microsoft 365 domains typically have MX records pointing to mail.protection.outlook.com. Enter the domain above to instantly identify the provider.

Running M365? Add AI-powered email security in minutes.

See Sabiki Email Security

Email Blacklist Checker

Check if your domain's mail servers appear on major email blacklists including Spamhaus ZEN, Barracuda, SpamCop, and others. Being listed causes your emails to be rejected or marked as spam.

Link copied!

About this tool

What happens if my domain is blacklisted?

If your sending IP is on a major blacklist, receiving mail servers will reject your emails outright or route them to spam. This affects all email sent from that IP including legitimate business email.

How do I get removed from a blacklist?

Each blacklist has its own delisting process. For Spamhaus, visit spamhaus.org/lookup. For Barracuda, use barracudacentral.org/rbl/removal-request. First resolve the underlying issue that caused the listing or the IP will be relisted.

Protect your M365 tenants from email threats at source.

See Sabiki Email Security

About these free email security tools

These tools are provided free by Sabiki, a Microsoft 365 security platform for MSPs and IT administrators. Designed to help you quickly audit email authentication configuration, diagnose delivery issues, investigate phishing emails, and check domain blacklisting status. No install, no account needed.

All DNS lookups use the Cloudflare public DNS-over-HTTPS resolver. No domain names or results are stored by Sabiki. Email headers pasted into the header analyser are processed entirely within your browser and never sent to any server.

Related Sabiki resources

Sabiki Email Security for Microsoft 365 Entra ID Security Posture Management Sabiki for MSPs Email security blog Start a free trial