Domain Email DoctorScan my domain

Fix your custom domain email setup.

Check MX, SPF, DKIM, and DMARC records for Google Workspace, Cloudflare, Vercel, Namecheap, Microsoft 365, and more.

Scan my domainHow it works
No login neededPublic DNS onlyWe do not modify DNSNo email password needed
Example report

example.com

6/1/2026, 9:00:00 AM

Email DNS readiness59/100Critical issues found

What this means for your email

Can people email you?Good

Yes - this domain is set up to receive email.

Will your email reach inboxes?At risk

At risk - mail from this domain is likely to be junked or rejected until this is fixed.

The current setup lets anyone on the internet send email that claims to be from your domain.

Authentication is the part of junk filtering you control in DNS. Sending habits and content also matter - no tool can guarantee the inbox.

MX recordsReceiving mail servers found2 MX records routes incoming mail for this domain.
SPF recordSPF allows every senderSPF lookup count: 1 / 10. Within the SPF limit.
DKIM recordCommon DKIM selector foundA DKIM DNS record was found for one or more common selectors. This does not prove live DKIM signing; confirm the exact selector in your mail provider or by checking a real sent email header.
DMARC recordDMARC policy is p=noneDMARC tells receivers how to handle mail when SPF or DKIM does not align with the visible From domain.

Results report preview

Deterministic DNS findings. This checks DNS configuration, not inbox placement or sender reputation.

CheckThe DNS area being reviewed, such as MX, SPF, DKIM, DMARC, DNS host, or website host.StatusPass means this check looks OK from public DNS. Fail means there is a priority issue to fix. Info means useful context or a result DNS cannot fully confirm, such as DKIM without the exact selector.DetailsAction
Who controls your DNS?PassCloudflare DNSAdd MX, SPF, DKIM, and DMARC fixes at this active DNS host.
MX recordsPassReceiving mail servers foundKeep MX records pointed at the provider that hosts the mailbox or forwarding route.
SPF recordFailSPF allows every senderFor Google Workspace, keep include:_spf.google.com and replace +all with ~all while testing or -all after every sender is confirmed.
DKIM recordDNS record foundCommon DKIM selector foundConfirm DKIM signing is enabled in the mail provider admin panel; this DNS check only confirms a selector or public-key record exists.
DMARC recordWarningDMARC policy is p=noneAfter reviewing reports, move gradually from p=none to p=quarantine and then p=reject.
Website hostPassVercel HostingWebsite host and DNS host can be different. Add email records where the active nameservers are managed.

Exact fixes

Critical
SPF allows every sender

The current setup lets anyone on the internet send email that claims to be from your domain.

For Google Workspace, keep include:_spf.google.com and replace +all with ~all while testing or -all after every sender is confirmed.

Read the SPF guideFix step-by-stepAuto-fix on Cloudflare
Advanced detailsv=spf1 include:_spf.google.com +all
Low
DMARC policy is monitoring only

Spoofing protection is in watch-only mode; nothing is blocked yet, and that can be fine while testing.

After reviewing reports, move gradually from p=none to p=quarantine and then p=reject.

Read the DMARC guide
Advanced detailsv=DMARC1; p=none; rua=mailto:dmarc@example.com
Info
Website host and DNS host differ

Your website and your DNS settings appear to live at different companies; that is normal, just edit records at the right one.

Add MX, SPF, DKIM, and DMARC records at the active DNS host, not necessarily where the website is hosted or where the domain was purchased.

Advanced detailsCloudflare DNS | Vercel Hosting
Raw DNS evidence
{
  "ns": [
    "ada.ns.cloudflare.com",
    "ben.ns.cloudflare.com"
  ],
  "mx": [
    {
      "priority": 1,
      "exchange": "aspmx.l.google.com"
    },
    {
      "priority": 5,
      "exchange": "alt1.aspmx.l.google.com"
    }
  ],
  "txt": [
    {
      "name": "@",
      "value": "v=spf1 include:_spf.google.com +all"
    },
    {
      "name": "_dmarc",
      "value": "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
    },
    {
      "name": "google._domainkey",
      "value": "v=DKIM1; k=rsa; p=abc"
    }
  ],
  "cname": {
    "www": [
      "cname.vercel-dns.com"
    ]
  },
  "a": {
    "@": [
      "76.76.21.21"
    ]
  },
  "aaaa": {}
}
SPF lookup count

1 / 10

Info

SPF lookup count: 1 / 10 - within the SPF limit.

Lookup-causing mechanisms
  • include _spf.google.com - 1 direct, 0 nested
Optional protections and reporting

Advanced email security

Advanced protections and reporting - optional, not required for basic email to work, and they do not change or prove inbox placement.

Not configured
BIMI

No BIMI record found. BIMI is optional branding - email works without it.

Details
  • BIMI points supporting mailbox providers at a brand logo. It is not required for email delivery.
Not configured
MTA-STS

No MTA-STS record found. MTA-STS is optional - email works without it.

Details
  • MTA-STS asks sending servers to require TLS when delivering to this domain. It needs both a _mta-sts TXT record and an https policy file.
Not configured
TLS-RPT

No TLS-RPT record found. TLS-RPT is optional reporting - email works without it.

Details
  • TLS-RPT asks sending servers to report TLS delivery problems to an address you choose. It does not change how mail is delivered.

Common problems

I cannot receive email
My website works but email does not
My emails go to spam
Google Workspace says my domain is not verified
I added records in Vercel but nothing changed

What the app checks

Active DNS host
MX records
SPF
DKIM
DMARC
Conflicting records

Who it is for

FoundersSmall business ownersFreelancersAgenciesGoogle Workspace adminsMicrosoft 365 admins

Built for people who need exact DNS fixes without learning every mail-authentication acronym first.

Practical next steps

Each report separates DNS hosting, website hosting, and email hosting so you know where to add or change records.

View guides