SPF / DKIM / DMARC Checker

Inspect a domain's email authentication setup: SPF policy, DKIM public keys, DMARC policy and reporting addresses. Detects common misconfigurations (10-lookup limit, "+all", p=none-forever, missing rua tag).


Without a selector, the tool tries common defaults: google, selector1/2 (M365), k1/k2/k3, default, mail, protonmail*, and others.

Why these three records exist

Email was designed in an era when nobody worried about spoofing — anyone could send mail claiming to be anyone. SPF (2006), DKIM (2007), and DMARC (2012) are layered fixes that let receiving mail servers verify a message really came from where it says it did. Configured together correctly, they make impersonation of your domain essentially impossible and dramatically improve deliverability of your legitimate mail.

Gmail and Yahoo's 2024 sender requirements made all three mandatory for any domain sending more than 5,000 messages per day to their users. Microsoft Outlook is heading the same direction. If you send transactional or marketing email, missing any of the three increasingly means landing in spam.

SPF (Sender Policy Framework)

SPF answers the question: "is this server allowed to send mail claiming to be from this domain?" It's a single TXT record at the domain root listing the IP addresses and hostnames authorized to send. Example:

v=spf1 include:_spf.google.com include:mailgun.org ip4:198.51.100.0/24 ~all
  • include:_spf.google.com — also include Google's published SPF (one TXT lookup recursively expands their record).
  • ip4:198.51.100.0/24 — allow this CIDR block to send.
  • ~all — "softfail" for everything not listed (mark as suspicious). Use -all ("hardfail") once you're confident no legitimate mail is missed.

The 10-lookup limit (RFC 7208) is SPF's most common breakage. Each include:, a, mx, ptr, exists, and redirect= counts as one DNS lookup. Recursive includes count too. Exceed 10 and receivers will return "permerror", treating your SPF as if it didn't exist. Common bloat: large ESPs (Salesforce, Marketo) eat 4-6 lookups each.
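To make the lookup arithmetic concrete, here is an added example (not part of this tool's code) that counts the DNS queries an SPF record triggers, following include: and redirect= recursively exactly as a receiver would. It resolves against a constructed in-memory zone table rather than live DNS; the domain names and records in it are sample data, except that _spf.google.com and mailgun.org are real include targets whose contents are invented here.

```python
# Constructed sample zone (not live DNS): domain -> SPF TXT record.
ZONE = {
    "example.com": "v=spf1 include:_spf.google.com include:mailgun.org "
                   "ip4:198.51.100.0/24 ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "mailgun.org": "v=spf1 a mx include:_spf.mailgun.org ~all",
    "_spf.mailgun.org": "v=spf1 ip4:192.0.2.0/24 ~all",
    # Over the limit: eleven includes, each costing one query.
    "bloated.example": "v=spf1 " + "include:_netblocks.google.com " * 11 + "-all",
    # Self-referential include: must terminate with an error, not recurse forever.
    "loop.example": "v=spf1 include:loop.example -all",
}

LIMIT = 10  # RFC 7208 section 4.6.4


def count_lookups(domain, zone=ZONE, path=()):
    """Return (lookups, errors): the DNS queries the record triggers, and
    any condition that would make a receiver return permerror."""
    if domain in path:
        return 0, [f"include loop: {' -> '.join(path + (domain,))}"]
    record = zone.get(domain)
    if record is None:
        return 0, [f"no SPF record for {domain}"]
    lookups, errors = 0, []
    for term in record.split()[1:]:          # drop the 'v=spf1' version tag
        body = term.lstrip("+-~?")           # drop the qualifier
        name = body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name in ("include", "redirect"):
            target = body.split(":" if name == "include" else "=", 1)[1]
            sub, sub_err = count_lookups(target, zone, path + (domain,))
            lookups += 1 + sub               # this term's query plus everything it expands to
            errors += sub_err
        elif name in ("a", "mx", "ptr", "exists"):
            lookups += 1                     # resolved at check time, still costs a query
    if not path and lookups > LIMIT:
        errors.append(f"{domain}: {lookups} lookups exceeds {LIMIT} -> permerror")
    return lookups, errors


if __name__ == "__main__":
    for d in ("example.com", "bloated.example", "loop.example"):
        print(d, count_lookups(d))
```

The sample example.com record costs 7 lookups: 1 for Google's include plus the 2 it expands to, and 1 for Mailgun's include plus the a, mx and nested include inside it.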

DKIM (DomainKeys Identified Mail)

DKIM answers a different question: "was this message actually sent by this domain, and is it unchanged in flight?" Your mail server signs outgoing messages with a private key; the public key is published as a TXT record. Receivers fetch the key, verify the signature, and confirm the message body and key headers haven't been tampered with.

The TXT record lives at a "selector" subdomain: <selector>._domainkey.<your-domain>. Selectors are arbitrary names that let you rotate keys without breaking existing signatures (publish a new selector, switch outgoing mail to sign with it, retire the old selector after caches expire).

Common selector names — Google Workspace uses google, Microsoft 365 uses selector1 and selector2 (rotating pair), ProtonMail uses protonmail1/2/3, Mailchimp uses k1/k2/k3. This tool tries the common defaults automatically; if your provider uses a custom selector, enter it explicitly.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC sits on top of SPF and DKIM. It answers: "if a message fails SPF or DKIM, what should the receiver do, and where should they send a report?" The record lives at _dmarc.<your-domain> and looks like:

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; pct=100; adkim=s; aspf=s
  • p=reject — refuse mail that fails alignment. p=quarantine sends to spam. p=none is monitor-mode only (no enforcement).
  • rua=mailto:dmarc@example.com — daily aggregate reports go here.
  • pct=100 — apply the policy to 100% of failing mail (use pct=10 during rollout).
  • adkim=s / aspf=s — strict alignment (the DKIM d= domain or SPF domain must exactly match the From: domain). adkim=r / aspf=r — relaxed alignment (sharing the same organizational domain is enough, so a subdomain passes).

Rollout pattern: start with p=none for a few weeks while you read aggregate reports and identify legitimate senders that are failing. Move to p=quarantine; pct=10, watch for issues, ramp pct to 100. Move to p=reject; pct=10, ramp to 100. The whole process typically takes 2-3 months for an active domain.

Common misconfigurations this tool detects

  • SPF "+all" — allows literally anyone. Almost always a typo for -all; immediately defeats SPF.
  • SPF over 10 lookups — exceeds the RFC limit, causes permerror. Reduce includes or flatten via a tool like SPFlatten.
  • DKIM key revoked — public key field empty (p=). The selector still exists but signatures using it will fail.
  • DMARC with no rua tag — policy enforced but you can't see what's happening. Always include rua= for aggregate reports.
  • DMARC p=none forever — monitor mode is meant to be temporary. Many domains set it and never upgrade, leaving spoofing protection turned off.
  • DMARC sp=none with p=reject — protects the apex but leaves subdomains wide open. If you don't use subdomain mail, omit sp= or set sp=reject.
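The checks in the list above, applied to raw TXT record text, as an added example (not this tool's own code; the lookup-count check is a separate matter, so it is not repeated here). It goes one step beyond the list in one respect: a bare "all" with no qualifier defaults to "+" under RFC 7208, so it is flagged the same as "+all". The sample records below are constructed.

```python
def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def lint_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    # A mechanism with no qualifier defaults to '+', so bare 'all' == '+all'.
    if "+all" in terms or "all" in terms:
        return ["SPF: '+all' authorizes any sender; use -all (or ~all while testing)"]
    return []


def lint_dkim(record):
    tags = parse_tags(record)
    if "p" not in tags:
        return ["DKIM: no p= tag; not a valid key record"]
    if tags["p"] == "":
        return ["DKIM: key revoked (empty p=); signatures using this selector fail"]
    return []


def lint_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ["DMARC: missing v=DMARC1 or p= tag; record is invalid"]
    findings, p = [], tags["p"].lower()
    if p == "none":
        findings.append("DMARC: p=none is monitor-only; nothing is enforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= tag; you receive no aggregate reports")
    if p == "reject" and tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected while the apex is p=reject")
    return findings


if __name__ == "__main__":  # constructed sample records
    print(lint_spf("v=spf1 include:_spf.google.com +all"))
    print(lint_dkim("v=DKIM1; k=rsa; p="))
    print(lint_dmarc("v=DMARC1; p=reject; sp=none"))
```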
Frequently asked questions

Why is DKIM not detected even though it works?

DKIM lives at a "selector" subdomain (<selector>._domainkey.<domain>). The tool tries 20+ common selectors automatically — Google, Microsoft, Mailchimp, SendGrid, ProtonMail, Postmark, FastMail, etc. If yours uses a custom name, enter it in the selector field. Check your mail provider's docs for the exact value.

My SPF passes here but mail still goes to spam.

SPF alone isn't enough anymore. Gmail and Yahoo require ALL THREE (SPF, DKIM, DMARC) aligned for bulk senders. Check that DKIM and DMARC are also configured, and that your DMARC policy is at least p=quarantine.

What's the "10-lookup limit" issue?

RFC 7208 limits an SPF record to 10 DNS lookups (each include:, a, mx, ptr, exists, redirect). Recursive includes count too — Salesforce and Marketo alone can eat 5-6 lookups each. Exceed 10 and receivers return "permerror" and SPF effectively fails. Flatten the record (resolve includes to literal IPs) or remove unused senders.

Should I start with p=none?

Yes. p=none is monitor mode — DMARC reports come in but nothing is enforced. Run that for 2-4 weeks, identify legitimate senders failing alignment, fix them, then move to p=quarantine; pct=10, watch, ramp pct to 100, then p=reject. The whole rollout typically takes 2-3 months for an active domain.
