Step by step process to use Mailtester to check SPF DKIM and DMARC records

If you send email from your own domain—whether it’s for a business, a newsletter, or just because you like things tidy—you’ve probably heard about SPF, DKIM, and DMARC. These aren’t just buzzwords; they’re the backbone of making sure your emails actually arrive in inboxes, not spam folders. But figuring out if you’ve set them up right can be a pain, especially if you don’t want to drown in technical docs.

This guide is for anyone who wants a no-nonsense, step-by-step walkthrough for checking their email authentication records using Mail-tester. No fluff, no jargon. Just what works, what doesn’t, and what you can ignore.

Why Bother With SPF, DKIM, and DMARC?

Before we get into the how, here’s the quick “why”:

  • SPF tells receiving mail servers which servers can send email for your domain.
  • DKIM adds a digital signature to your emails, proving they haven’t been tampered with.
  • DMARC ties it all together—if SPF or DKIM fails, DMARC tells the recipient what to do. It also gives you reports.

If these aren’t set up, your emails are much more likely to get flagged as spam, or worse, spoofed by scammers.

What Mail-tester Actually Does (and Doesn’t)

Mail-tester is a free tool that checks if your emails are likely to land in spam. It also gives you a snapshot of your SPF, DKIM, and DMARC setup. You send an email to a special address, and it spits out a report.

What it’s good for: - Simple, quick checks if your authentication records are working. - Getting plain-language feedback, not just cryptic error codes. - Spotting obvious misconfigurations.

What it won’t do: - Act as an all-in-one security audit. It doesn’t replace proper DNS tools or deep-dive email header analysis. - Fix your DNS records for you.

It’s a first-pass reality check, not a guarantee.

Step-by-Step: How to Use Mail-tester to Check SPF, DKIM, and DMARC

Let’s get you from “I have no idea if my records work” to “I know what’s broken, and what’s not.”

1. Prep Your Sending Email Account

Before you start, make sure: - You have access to the sending email account you want to test (ideally, send from the real system—newsletters, CRMs, etc.—not just Gmail/Outlook’s webmail). - You can send a plain email without weird plugins or “confidential” modes.

Pro tip: Test from the actual service you use to send campaigns, not just your personal inbox. Sometimes, mail services rewrite headers or signatures.

2. Grab Your Unique Mail-tester Address

Go to Mail-tester. You’ll see a one-time-use, weird-looking email address (something like test-abc123@mail-tester.com). Copy it.

  • This address is unique for your session. Don’t reuse it hours later—just refresh the page for a new one if needed.

3. Compose and Send Your Test Email

  • Open the mail app or service you want to test.
  • Create a draft. Subject and body don’t matter much—just keep it simple for now.
  • Paste the unique Mail-tester address into the “To” field.
  • Hit “Send.”

Got multiple domains or sending systems? Repeat this for each one. You want to test every scenario that matters.

4. Check Your Score and Report

Wait about 10 seconds, then go back to the Mail-tester page and click “Then check your score.”

Mail-tester will crunch your email and show you a score out of 10, plus a detailed breakdown:

  • SPF: Did your sending server match your SPF record?
  • DKIM: Was your email correctly signed and verified?
  • DMARC: Is there a DMARC record, and did it pass?

Scroll down to find the authentication checks. They’re usually near the top, but don’t get distracted by the “blacklists” or “content” stuff for now.

5. Understand What the SPF, DKIM, and DMARC Results Mean

Here’s how to read the results:

SPF

  • Green check: Your sending server is listed in your SPF record. Good.
  • Red X: Either no SPF record found, or your sending server isn’t allowed. This is the most common mistake—maybe you forgot to add your mail provider’s server to your SPF DNS record, or you have a typo.
  • Gray warning: Your SPF record exists but is misconfigured or too permissive (+all is bad news).

What matters: You want a green check, and your SPF record should list all servers you actually use. Don’t just slap “include:spf.someprovider.com” in there without checking what it actually allows.

DKIM

  • Green check: Your email was signed, and the signature is valid. All good.
  • Red X: Either you’re not signing emails, or the signature didn’t match (could be a DNS typo, or you didn’t enable DKIM signing on your mail system).
  • Gray warning: Sometimes, the key is missing or not visible publicly.

What matters: Make sure your mail system is signing outgoing emails, and your public key is properly published in DNS. If you use a third-party sender, DKIM is a must.

DMARC

  • Green check: DMARC record found, and your email passed alignment.
  • Red X: No DMARC record, or alignment failed.
  • Gray warning: DMARC exists but is set to “none” (which means you’re just monitoring, not enforcing).

What matters: At the very least, you want a DMARC record—even if it’s set to “none” at first. It’s way better than nothing, and you’ll get reports on abuse.

6. Troubleshoot and Fix Issues

No tool’s perfect, but here are common problems and what to do about them:

SPF Fails

  • Check your DNS record for typos.
  • Make sure you’ve added all the mail servers you actually use. If you use a service like Mailchimp, Google Workspace, or a CRM, they’ll give you exact SPF include lines.
  • Don’t use “+all” or “~all” unless you know what you’re doing. Stick to -all for strictness.
  • Use online SPF record checkers (like MXToolbox) for double-checking.

DKIM Fails

  • Make sure DKIM signing is enabled in your mail system.
  • Check that your DNS record matches the selector in use. Sometimes people publish the key at the wrong DNS subdomain.
  • If you use multiple systems, each should have its own DKIM key.

DMARC Fails

  • Create a basic DMARC record. Even v=DMARC1; p=none; rua=mailto:you@yourdomain.com is better than nothing.
  • Check “alignment”—the domain in your From address should match the domain in your DKIM signature or SPF (depending on your DMARC policy).
  • Don’t jump to “reject” policy until you’re certain SPF and DKIM are rock-solid. Start with “none,” check reports, then move to “quarantine” or “reject.”

7. Ignore What Doesn’t Matter (At Least for Now)

Mail-tester checks all sorts of stuff—blacklists, HTML quality, etc. Here’s what you can skip if you’re just focused on authentication:

  • Blacklists: Most are junk or outdated. If your mail server IP is on a major one (Spamhaus, SORBS), then worry. Otherwise, don’t panic.
  • Content “Spamminess”: These scores are notoriously inconsistent. Focus on authentication first; you can tweak copy later.

8. Re-Test After Every Change

Any time you update your DNS records, wait a few minutes, then repeat the Mail-tester process. DNS can take a while to propagate—don’t expect instant results.

Pro Tips and Gotchas

  • Want to see more technical details? Click “Show technical details” under the authentication checks. You’ll see raw results and explanations.
  • Mail-tester is public. Don’t send confidential info in your test emails.
  • Use multiple tools for peace of mind. Tools like MXToolbox, DMARCian, or Google’s CheckMX can fill in gaps.
  • Some ESPs (like Gmail) add their own headers or alter DKIM. Always test from the actual system in production.

Summary: Keep It Simple, Don’t Overthink It

SPF, DKIM, and DMARC aren’t magic, but they’re essential. Mail-tester gives you a quick way to check if you’re on the right track. Don’t let perfect be the enemy of good—get the basics working, use Mail-tester to spot obvious problems, and iterate as you go. Email authentication is a moving target, but most of the time, simple fixes make the biggest difference.