
🔐 SPF · DKIM · DMARC · MX · BIMI · Risk Score

Email Privacy Auditor

Free email privacy auditor — run a live DNS security audit on any email domain. SPF, DKIM, DMARC, MX records, and BIMI checked in seconds with a risk score and specific fix recommendations.

✓ SPF / DKIM / DMARC  ✓ MX & BIMI  ✓ Risk score 0–10  ✓ Fix recommendations  ✓ Live DNS  ✓ No signup

Live DNS lookups via Cloudflare DoH (Google DoH fallback). 14 DKIM selectors auto-tested. Nothing stored or logged.

What this tool checks

Free email privacy checker — audit email domain security and authentication

Email authentication is a set of DNS-published policies that prove your domain is who it claims to be. Without them, anyone can forge email that appears to come from your address — the mechanism behind phishing, business email compromise, and brand impersonation. This tool performs live DNS lookups to check whether a domain has correctly published all five authentication records.

The risk score reflects how exposed a domain is to spoofing and impersonation. A domain with no SPF and no DMARC has no technical barrier preventing someone from sending convincing phishing emails to your customers or partners using your domain name. A domain with SPF -all, DMARC p=reject, and DKIM configured has the strongest available protection.

Each failing or warning check includes a specific DNS fix recommendation — the exact record you need to add or modify — so you can act on the results immediately without needing to research the correct syntax separately.

What this tool does
SPF
Lists which mail servers are authorised to send email for your domain. The -all qualifier rejects all unauthorised senders.
DMARC
Ties SPF and DKIM together and specifies what to do when they fail: none (monitor), quarantine (spam), or reject (block).
DKIM
Adds a cryptographic signature to outgoing mail. Recipients can verify the message wasn't altered in transit.
MX
Mail exchange records — confirm the domain has an active incoming mail server and can receive email.
BIMI
Optional brand logo display in Gmail, Yahoo Mail, and Apple Mail. Requires DMARC enforcement to be active.
Risk 0–2
Well configured — fully authenticated with strict enforcement on SPF and DMARC.
Risk 3–5
Minor issues — SPF or DMARC using non-strict settings, or DKIM not found on common selectors.
Risk 6–10
Critical — missing SPF or DMARC records. Domain is vulnerable to impersonation and phishing.
Risk score reference
0 | Excellent | Fully auth.
1–2 | Good | Well config.
3–4 | Minor | Warnings
5–7 | Attention | Gaps exist
8–10 | Critical | Vulnerable
Examples

Email privacy audit examples — how different domain configurations score

These examples show the range of configurations you'll encounter — from fully authenticated enterprise domains to misconfigured or abandoned ones.

gmail.com
Google maintains full SPF -all, DMARC p=reject, DKIM, and MX. All checks pass — risk score 0.
Score 0 — Excellent
proton.me
Privacy-focused provider with strict DMARC enforcement and strong SPF policy.
Score 0–1 — Excellent
example-startup.io
Typical startup: SPF with ~all (soft fail) and DMARC p=none monitoring. DKIM present but no strict enforcement.
Score 3–4 — Minor Issues
abandoned-domain.net
Parked or expired domain — no MX records, no SPF, no DMARC. Anyone can spoof email from it.
Score 9 — Critical
FAQ

Frequently asked questions about email privacy and security audits

What is an email privacy audit?
An email privacy audit checks whether an email domain has correctly published the DNS records that authenticate its identity and protect against spoofing. The five checks — SPF, DMARC, DKIM, MX records, and BIMI — together determine how exposed a domain is to phishing, impersonation, and deliverability failures. The audit queries live DNS resolvers and scores the domain's configuration. The audit checks SPF, DKIM selector presence, DMARC policy, MX configuration, and MTA-STS support, giving a comprehensive view of email security posture.
What is SPF and why does it matter for email privacy?
SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorised to send email on behalf of your domain. Without it, any server in the world can send email that appears to come from your domain — the primary technique used in phishing, business email compromise, and brand impersonation attacks. A strict SPF record with -all enforcement instructs receiving servers to reject unauthorised senders outright.
What does DMARC p=none mean — is it a problem?
p=none means the domain has published a DMARC record but has not enabled enforcement. Emails that fail SPF and DKIM checks are still delivered to recipients normally — only aggregate reports are sent to the rua address. It provides visibility but zero protection against spoofing. Moving to p=quarantine (spam folder) or p=reject (block entirely) is required for the domain to actually be protected.
Why might DKIM not be detected?
DKIM public keys are stored in DNS under a subdomain that includes a selector you choose when setting up DKIM signing — for example, google._domainkey.yourdomain.com. This tool automatically tests 14 of the most commonly used selector names. If your email provider uses a custom selector not in that list, the key won't be found here — but DKIM may still be working correctly. Check your provider's DNS setup documentation for the selector name.
What is the risk score and how is it calculated?
The risk score runs from 0 to 10, where 0 means the domain is fully authenticated and 10 means critical vulnerabilities exist. Each failed check (missing SPF, missing DMARC) adds 3 points to the score. Each warning (SPF with ~all instead of -all, DMARC p=none, DKIM not found) adds 1 point. A score of 0–2 is well configured. 3–4 is minor issues. 5–7 needs attention. 8+ is critical.
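The weights in this answer applied to already-fetched TXT records, as an added example (not the tool's own code). It scores only the checks the answer names; treating any SPF `all` qualifier other than `-` as the `~all` warning is an assumption, as are the function names and the constructed sample records.

```javascript
// Added example. Inputs are TXT strings already fetched from DNS.

// SPF "all" qualifier ("-", "~", "?", "+"), or null when no SPF record exists.
function spfAllQualifier(rootTxt) {
  const spf = rootTxt.find(r => /^v=spf1(\s|$)/i.test(r.trim()));
  if (!spf) return null;
  const m = spf.match(/(?:^|\s)([-~?+]?)all(?:\s|$)/i);
  if (!m) return "?";            // no "all" term: SPF's default result is neutral
  return m[1] || "+";            // a bare "all" means "+all"
}

// DMARC p= value (lower-cased), "" if the tag is absent, null when no record.
function dmarcPolicy(dmarcTxt) {
  const rec = dmarcTxt.find(r => /^v=DMARC1\s*(;|$)/i.test(r.trim()));
  if (!rec) return null;
  for (const tag of rec.split(";")) {
    const [k, v = ""] = tag.split("=");
    if (k.trim().toLowerCase() === "p") return v.trim().toLowerCase();
  }
  return "";
}

// Each missing record is a fail (+3); each weak setting is a warning (+1).
function riskScore({ rootTxt, dmarcTxt, dkimFound }) {
  const findings = [];
  const spf = spfAllQualifier(rootTxt);
  if (spf === null) findings.push(["fail", "SPF record missing"]);
  else if (spf !== "-") findings.push(["warn", `SPF uses ${spf}all, not -all`]);
  const p = dmarcPolicy(dmarcTxt);
  if (p === null) findings.push(["fail", "DMARC record missing"]);
  else if (p === "none") findings.push(["warn", "DMARC p=none (monitor only)"]);
  if (!dkimFound) findings.push(["warn", "DKIM not found on tested selectors"]);
  const raw = findings.reduce((n, [sev]) => n + (sev === "fail" ? 3 : 1), 0);
  const score = Math.min(raw, 10);
  const band = score <= 2 ? "well configured" : score <= 4 ? "minor issues"
             : score <= 7 ? "needs attention" : "critical";
  return { score, band, findings };
}

// Constructed sample records (not real DNS answers).
const strict = { rootTxt: ["site-verification=abc", "v=spf1 include:_spf.example.net -all"],
                 dmarcTxt: ["v=DMARC1; p=reject; rua=mailto:dmarc@example.net"], dkimFound: true };
const monitoring = { rootTxt: ["v=spf1 include:_spf.example.net ~all"],
                     dmarcTxt: ["v=DMARC1; p=none"], dkimFound: true };
const bare = { rootTxt: [], dmarcTxt: [], dkimFound: false };
for (const d of [strict, monitoring, bare]) console.log(riskScore(d));
```

MX and BIMI are left out because the answer gives no weight for them, so totals here can differ from the scores the tool reports.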
What is BIMI and do I need it?
BIMI (Brand Indicators for Message Identification) is an optional standard that displays your brand logo next to emails in Gmail, Yahoo Mail, and Apple Mail. It requires DMARC p=quarantine or p=reject to already be in place. BIMI is not a security requirement — it's a brand trust and recognition feature. Implementing it typically requires a Verified Mark Certificate (VMC) for the logo, though some providers support it with a standard SVG.
How do I fix a missing SPF record?
Log in to your DNS provider and add a TXT record at your root domain (e.g. yourdomain.com) with the value: v=spf1 include:_spf.yourprovider.com -all — replacing the include: value with the one specified by your email sending service. DNS changes propagate within minutes to hours. Run this audit again after publishing to verify the record is correctly detected. DNS propagation after adding a new SPF record typically takes 5-30 minutes for most providers; run the audit again after the TTL expires to confirm detection.
Can I run this audit on domains I don't own?
Yes — the audit only performs read-only DNS lookups, which is public information. DNS records are publicly queryable by anyone. You can use this to check the authentication posture of any domain, including your own, a customer's domain, or a domain you've received suspicious email from. Running an audit on an external domain is legitimate for security research, vendor due diligence, and identifying spoofing risk before adding a contact to a mailing list.
How does this differ from the Email Health Checker?
The Email Health Checker focuses on deliverability — it grades the domain on whether email can be received and sent reliably, including a disposable-provider check and an A–F score. The Email Privacy Auditor focuses on security posture — it evaluates authentication records, assigns a risk score, provides specific fix recommendations, and includes BIMI. Both complement each other and are useful for different purposes.
Does this tool store the domains I check?
No — all DNS lookups are performed directly from your browser to the Cloudflare and Google DNS over HTTPS resolvers. No domain names or results are transmitted to or stored on best-tempmail.com servers. The tool involves no authentication, no accounts, and no data retention. All DNS queries are made directly from your browser via Cloudflare DoH; the domains you audit are not logged or stored anywhere.
