June 7, 2026

7 Free Tools to Audit Your Domain Security (Email, DNS, and SSL)

Marco Orta | 10 min read
Control panel showing seven tools verifying SPF, DKIM, DMARC, WHOIS, DNSSEC, and security headers for a domain

Your domain’s security — making sure your emails land in inboxes, no one can impersonate you, and your website inspires trust — can be fully audited in about 10 minutes using free tools, with nothing to install and no account to create. I just published seven of them on ortamarco.me, and in this guide I’ll walk you through how to use them in order.

If you want a deep dive into the reasoning behind each protocol, check out my guide on how to audit your domain’s email and security step by step. Here we’re getting practical: which tool to open, what each result means, and what to do with it.

All seven work in the browser, require no API key or sign-up, and don’t store what you query.

Start Here: the Email Auth Checker

If you’re only going to use one tool, make it this one. The Email Auth Checker (SPF, DKIM, DMARC) reviews all three authentication protocols at once and gives you a letter grade from A to F along with a prioritized list of recommendations.

It’s the fastest way to find out whether your domain is at risk. The score is calculated out of 100, with deductions for the things that genuinely break deliverability:

Grade   What it means
A–B     Domain is authenticated and protected. Just keep it maintained.
C–D     Working, but missing pieces — typically DMARC set to p=none or no detectable DKIM.
F       No real protection: high risk of spam and impersonation.

💡 Real example. When I launched these tools, I tested them against my own domain… and ortamarco.me scored an F (55/100): I had SPF, but no DMARC record. I published a DMARC record at p=none and it jumped to C (70/100) within minutes. An audit isn’t just theory — almost every domain is missing something.

Once you have your overall grade, use the individual tools to dig into whatever the checker flagged in red.

Check SPF: Who Can Send on Your Behalf?

Check SPF analyzes your domain’s v=spf1 record and flags the two most common problems that aren’t obvious to the eye:

  • The final qualifier. -all (hardfail) is ideal; ~all (softfail) is acceptable; ?all offers no protection; and +all is a security hole.
  • The 10-DNS-lookup limit. This is what almost nobody checks: if you chain too many include: directives, SPF exceeds the RFC 7208 limit and stops validating entirely (permerror). The tool counts lookups recursively — following each include — and warns you if you’re over the limit.

If you have two v=spf1 records, it flags that too: only one is allowed.
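To make the three SPF checks above concrete, here is an added example (not the Check SPF tool's own code) that counts lookups recursively, reads the final qualifier, and flags duplicate records. The zone data is constructed and the function names are hypothetical; a real audit would replace the dictionary with live TXT queries.

```python
import re

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # terms that cost a DNS query
ALL_RE = re.compile(r"([+\-~?]?)all", re.I)

# Constructed sample zone (not real DNS data): name -> TXT strings.
SAMPLE_ZONE = {
    "shop.test": ["v=spf1 mx include:_spf.mailer.test include:crm.test ~all"],
    "_spf.mailer.test": ["v=spf1 include:a.mailer.test include:b.mailer.test "
                         "include:c.mailer.test include:d.mailer.test -all"],
    "a.mailer.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "b.mailer.test": ["v=spf1 a mx -all"],
    "c.mailer.test": ["v=spf1 exists:%{i}.rbl.test -all"],
    "d.mailer.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "crm.test": ["v=spf1 a mx include:bulk.crm.test -all"],
    "bulk.crm.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "dup.test": ["v=spf1 -all", "v=spf1 mx -all"],
}

def spf_records(domain, zone):
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=frozenset()):
    """Worst-case count of DNS-querying terms, following include/redirect."""
    recs = spf_records(domain, zone)
    if len(recs) != 1 or domain in path:  # missing, duplicate, or include loop
        return 0
    terms = recs[0].split()[1:]
    has_all = any(ALL_RE.fullmatch(t) for t in terms)
    total = 0
    for term in terms:
        name, _, arg = term.lstrip("+-~?").partition(":")
        mech = name.split("/")[0].lower()
        if mech in LOOKUP_MECHS:
            total += 1
            if mech == "include":
                total += count_lookups(arg.lower(), zone, path | {domain})
        elif mech.startswith("redirect=") and not has_all:  # ignored when "all" exists
            total += 1 + count_lookups(mech[9:], zone, path | {domain})
    return total

def audit_spf(domain, zone=SAMPLE_ZONE):
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return {"records": len(recs), "verdict": "permerror: multiple v=spf1 records"
                if recs else "none: no v=spf1 record"}
    quals = [m.group(1) or "+" for m in map(ALL_RE.fullmatch, recs[0].split()) if m]
    lookups = count_lookups(domain, zone)
    return {"records": 1, "final": quals[0] + "all" if quals else None, "lookups": lookups,
            "verdict": "permerror: over 10 DNS lookups" if lookups > 10 else "ok"}
```

In the sample zone, shop.test shows only three lookup terms in its own record, yet the nested includes bring the total to 13, which is the case that is invisible when you read the record by eye.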

Check DMARC: the Policy That Decides What Happens

Check DMARC reads the _dmarc.yourdomain.com record and interprets your policy: whether you’re just monitoring (p=none), quarantining, or rejecting; whether you’re receiving reports (rua=); and whether the policy applies to 100% of your email.

The most common mistake it uncovers is staying on p=none indefinitely. That policy reports but doesn’t protect — anyone can still impersonate you. The goal is to work your way up to p=reject in stages:

p=none  →  p=quarantine  →  p=reject
(monitor)    (to spam)       (block)

Start at none, read the reports for a week or two, authenticate all your sending providers, and only then tighten the policy. Jumping straight to reject will block your own email.
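The interpretation described above, as an added example (not the Check DMARC tool's own code): it parses a DMARC TXT value, reports the policy stage, rua= and pct=, and names the next stage in the rollout. The function names and the sample records in the usage note are constructed for illustration.

```python
STAGES = ["none", "quarantine", "reject"]  # rollout order described above

def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; v=DMARC1 must come first."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair!r}")
        tags.setdefault(key.strip().lower(), value.strip())  # first occurrence wins
    return tags

def audit_dmarc(txt):
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if policy not in STAGES:
        raise ValueError("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua=: you receive no aggregate reports")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    idx = STAGES.index(policy)
    return {
        "policy": policy,
        "pct": pct,
        "rua": tags.get("rua"),
        "next": STAGES[idx + 1] if idx + 1 < len(STAGES) else None,
        "findings": findings,
    }
```

For instance, `audit_dmarc("v=DMARC1; p=none")` returns two findings and `next` set to `quarantine`, while a record at `p=reject` with `rua=` and no `pct=` returns none.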

Check DKIM: the Cryptographic Signature

DKIM is the trickiest of the three, because its key lives under a selector defined by your provider — and there’s no way to guess it. Check DKIM handles this in two ways:

  • If you know your selector (your provider gives it to you: google, zmail, k1…), you enter it and get a definitive result.
  • If you don’t know it, the tool tries a list of common selectors used by the most popular providers.

One caveat: if the automatic lookup finds nothing, it doesn’t mean you don’t have DKIM — you may simply be using a custom selector. When in doubt, ask your email provider for the selector and test it manually.

Beyond Email: Domain, DNS, and Web

Security doesn’t end with email. These three tools cover the rest of the attack surface.

WHOIS Lookup: Don’t Let Your Domain Expire

WHOIS Lookup shows you who registered the domain, when it expires, the registrar, and the DNS servers. The most valuable use is defensive: note the expiration date in your calendar. Every year, businesses lose their domain — and with it their website and email — simply because they forgot to renew it.

Check DNSSEC: Tamper-Proof DNS

Check DNSSEC verifies whether your domain cryptographically signs its DNS responses. Without DNSSEC, an attacker could spoof where your domain points (cache poisoning) and redirect your email or website. The tool checks whether DS/DNSKEY records exist and whether the chain of trust actually validates. If your registrar supports it, enabling DNSSEC is one of the best security improvements you can make for the effort involved.

HTTP Security Headers: Browser-Level Protection

Security Headers analyzes your website’s HTTP headers (HSTS, Content-Security-Policy, X-Frame-Options, and more) and gives you an A–F grade showing which ones are missing. They’re the first line of defense against clickjacking, content injection, and HTTP downgrade attacks. Most sites fail here without even knowing it.

Here’s the sequence I follow. Work through it top to bottom:

  1. Email Auth Checker → your overall grade and the list of what to fix.
  2. Check SPF → one record, ending in -all, under 10 lookups.
  3. Check DMARC → exists, with rua= pointing to a mailbox you actually read, and a plan to tighten the policy.
  4. Check DKIM → your selector’s key resolves correctly.
  5. WHOIS Lookup → note the expiration date.
  6. Check DNSSEC → enable it if your registrar supports it.
  7. Security Headers → improve your web score.

If all seven come back green, your domain is locked down. If something fails, you’ll know exactly what to ask your provider or developer to fix. Need a refresher on what each DNS record actually is before you start? I have a guide on DNS record types and how propagation works.

Why It Matters in 2026

Since 2024, Google and Yahoo have been rejecting or sending to spam email from domains that don’t authenticate, and by 2026 the requirement is absolute for anyone sending email at scale. A quote that lands in spam is a lost sale; a spoofed domain is a reputation crisis. The good news is that auditing — and fixing — your domain is within anyone’s reach with the right tools and ten minutes.

If you run the audit and something doesn’t add up, or you’d rather have someone get your domain, email, and website fully secured in one go, I can help: take a look at my web development service or, if you’re looking to get your infrastructure in order, custom systems.

Frequently Asked Questions

How long does it take to audit my domain? About 10 minutes following the order above: start with the Email Auth Checker for the overall grade, then use the individual checkers for the details.

Do I need to sign up? No: all tools are free, require no account or API key, and don’t store what you query.

Did you audit your domain? Tell me what grade you got in the Email Auth Checker.
