46 Free Email Security Tools
Check, generate, analyze, and look up DNS records for every email authentication protocol. All tools run in your browser — nothing is sent to our servers.
Domain Email Health Check
Run a comprehensive audit across all email authentication protocols — DMARC, SPF, DKIM, BIMI, MTA-STS, TLS-RPT, ARC, and DANE — and get a weighted security score with actionable next steps.
Checkers
DMARC Record Checker
Validate your DMARC policy, parse all tags per RFC 7489, and get actionable recommendations.
SPF Record Checker
Parse SPF mechanisms, count DNS lookups against the RFC 7208 limit of 10, and detect misconfigurations.
DKIM Record Checker
Look up DKIM public keys by selector, verify key sizes against RFC 8301, and check algorithm compliance.
BIMI Record Checker
Verify your BIMI record, check SVG logo compliance, VMC authority, and DMARC enforcement prerequisites.
MTA-STS Checker
Validate your MTA-STS DNS record, fetch the policy file, and verify MX record alignment per RFC 8461.
TLS-RPT Record Checker
Check your TLS-RPT DNS record, validate report destinations, and verify MTA-STS integration per RFC 8460.
DANE/TLSA Record Checker
Look up TLSA records, verify DNSSEC status, and validate DANE configuration per RFC 6698 and RFC 7672.
Blacklist Check
Check if your domain or IP appears on major DNS blacklists (DNSBLs) that could affect email deliverability.
ARC Readiness Checker
Assess ARC readiness by checking DMARC enforcement, mail provider capabilities, and DKIM keys at common ARC selectors.
ARF / Forensic Report Checker
Validate DMARC forensic reporting — check ruf= destinations, external authorization, failure options, and provider support.
DMARC Failure Diagnoser
Seeing DMARC failures in your reports or bounces? Get the most likely causes ranked by impact — missing record, p=none silent failure, SPF misalignment, DKIM gaps, forwarding breaks — with the exact fix for each.
DKIM CNAME Validator
ESPs publish DKIM via CNAME so they can rotate keys server-side. Walk the chain (loop-safe), resolve the terminal TXT, and validate the DKIM key per RFC 8301 — flagging dangling aliases and weak keys.
SPF Record Syntax Inspector
Paste an SPF record or fetch from a domain — get a token-by-token breakdown with every mechanism, qualifier, and modifier mapped to its RFC 7208 section, plus the common pitfalls flagged inline.
SPF Macro Debugger
Expand %{i}, %{s}, %{d}, %{l}, %{o}, %{h}, %{v}, %{p} with your own evaluation context. See the per-macro transform (digits, reverse, delimiters) before publishing a record — and understand the per-IP and per-sender authorisation patterns most receivers never document.
Generators
DMARC Record Generator
Build a DMARC policy with reporting addresses, alignment settings, and percentage rollout.
SPF Record Generator
Build an SPF record with provider presets, IP ranges, and lookup tracking against the 10-lookup limit.
DKIM Record Generator
Generate RSA or Ed25519 DKIM key pairs entirely in your browser. Your private key never leaves your device.
BIMI Record Generator
Build a BIMI DNS record with SVG logo URL, optional VMC certificate, and SVG Tiny PS validation.
MTA-STS Policy Generator
Generate an MTA-STS DNS record and policy file with MX pattern matching per RFC 8461.
TLS-RPT Record Generator
Build a TLS-RPT DNS record with mailto and HTTPS report destinations per RFC 8460.
DANE/TLSA Record Generator
Generate TLSA records for DANE certificate pinning with SHA-256/SHA-512 hashing and optional PEM parsing.
SPF Flattener
Resolve SPF include chains, visualize the lookup tree, and generate a flattened record under the 10-lookup limit.
Analyzers
DMARC Report Analyzer
Parse DMARC XML aggregate reports to see who is sending email as your domain and whether they pass authentication.
TLS Report Analyzer
Parse TLS-RPT JSON reports to diagnose TLS negotiation failures and certificate issues.
ARF Report Analyzer
Parse RFC 5965 abuse feedback reports to extract feedback type, source IP, reported domain, and authentication results.
ARC Chain Analyzer
Parse and visualize Authenticated Received Chain headers per RFC 8617. Validate chain integrity and diagnose forwarding issues.
Email Header Analyzer
Trace message routing and authentication through email headers. View hops, SPF/DKIM/DMARC results, and delays.
Lookups & Diagnostics
DNS Record Lookup
Query any DNS record type — A, AAAA, MX, NS, TXT, PTR, CNAME, SOA, CAA, SRV — from a single tool.
MX Record Lookup
Check the mail servers that handle a domain's inbound email — priority, hostnames, TTL, and configuration errors.
CNAME Record Lookup
Look up canonical name aliases for any host — verify SaaS targets, walk the alias chain, and catch dangling CNAMEs.
TXT Record Lookup
Inspect TXT records with inline detection of SPF, DKIM, DMARC, MTA-STS, BIMI, and verification tokens.
Reverse DNS Lookup
Resolve any IPv4 or IPv6 address back to its hostname — verify PTR records, FCrDNS, and email sender reputation.
WHOIS Lookup
Query domain registration details including registrar, creation date, expiration, and nameservers.
Open Relay Tester
Browser-only DNS posture check (MX, A/AAAA, PTR, FCrDNS, ISP-host heuristics) plus a ready-to-paste telnet recipe for the actual SMTP-level open-relay probe.
Compliance & Audit
NIS2 Readiness Scorecard
NIS2 is in force EU-wide; enforcement is rolling out through 2026 (Germany live 6 Dec 2025). Check your domain against the NIS2 Article 21 §2(d), §2(g), and §2(h) email-authentication controls and get the gaps named in auditor language.
BSI NIS2 Email Security Check (BSI NIS2 E-Mail-Sicherheitscheck)
NIS2UmsuCG in force since 6 Dec 2025 (BSI registration is under way). Checks against the BSI Grundschutz modules NET.4.2, NET.4.3, and CON.5, in German auditor language with § references to NIS2UmsuCG.
DORA ICT Email Control Mapper
DORA in full effect since 17 Jan 2025. Map DMARC, SPF, MTA-STS, TLS-RPT, and DNSSEC posture to Articles 9, 10, and 11 — built for EU financial entities preparing for supervisor reviews.
DORA Email Security Check (DORA E-Mail-Sicherheitscheck)
DORA has applied to EU financial entities since 17 January 2025. Checks against Articles 9, 10, and 11, in German auditor language with references to BaFin and MaRisk.
PCI § 5.4.1 Anti-Phishing Checker
Req 5.4.1 mandatory since 31 March 2025. QSA-ready anti-phishing mechanism evidence — DMARC at enforcement, SPF, MTA-STS, TLS-RPT — mapped to PCI SSC's April 2024 email protocol supplement.
HIPAA Email Authentication Readiness
HHS published the first Security Rule update since 2013 in Dec 2024. Check your domain against §164.312 Technical Safeguards before the 2026 OCR audit cohort lands. 74% of breached healthcare domains lacked effective DMARC.
Microsoft 550 5.7.15 Bulk Sender Diagnostic
Outlook started rejecting bulk-sender mail that fails DMARC verification on 5 May 2025. Diagnose your domain against Microsoft's high-volume sender requirements and get the exact DNS records to publish.
Gmail & Yahoo Bulk-Sender Readiness
Google and Yahoo have enforced SPF + DKIM + DMARC alignment on bulk senders since 1 February 2024. Gmail's November 2025 escalation moved repeat offenders from tempfail to permanent rejection.
NCSC Mail Check Migration
NCSC Mail Check retired on 31 March 2026. Run the equivalent posture check on your domain — DMARC, SPF, MTA-STS, TLS-RPT — and download an MCSS-aligned migration report.
p=none Escape Plan — 4-Week Wizard
Stuck at p=none? Enter your domain and get a personalised four-week migration plan that walks from monitoring to p=quarantine to p=reject. Includes the exact DNS record at every step.
NIS2 Supplier Questionnaire
Paste or upload a supplier list, get a NIS2 §21(2)(d) supply-chain readiness report in seconds. Each supplier scored against DMARC, SPF, MTA-STS. Downloadable as CSV evidence.