UK Email Deliverability Checker (SPF / DKIM / DMARC)

01 // Run it

Live DNS lookup

Domain (e.g. nuvenar.com)DKIM selector (optional)

We query Cloudflare's public DNS-over-HTTPS resolver (1.1.1.1). No data leaves the request to a third-party. Domain lookups are public DNS information.

02 // What the number means

The three records that decide whether your email lands

Gmail and Outlook each handle 60-70% of UK B2B inboxes between them. Both run an authentication stack that blends SPF, DKIM, and DMARC into a deliverability score. A domain with all three configured and aligned lands in the primary inbox. A domain missing any one of them gets quietly demoted into Promotions or Spam, and the sender usually doesn't notice because their own mailbox provider doesn't apply the same rules to their own outbound.

SPF: who can send on your behalf

SPF is a TXT record that lists every server allowed to send email claiming to be from your domain. The record starts with v=spf1 and ends with a softfail (~all) or hardfail (-all) directive. Most UK SMBs have an SPF record from when they set up Google Workspace and forgot to update it when they added Mailchimp, Stripe, SendGrid, or any other email sender. Each additional sender needs to be listed in the SPF record (via include: directives) or its mail will fail authentication.

DKIM: cryptographic signature

DKIM signs outbound email with a private key; receivers fetch your public key from DNS and verify the signature. Each email provider publishes their DKIM public key under a selector-specific subdomain. Google uses google._domainkey.yourdomain.com. Microsoft uses selector1._domainkey and selector2. The checker tries the common selectors automatically; for custom senders you'll need to confirm the selector with your provider.

DMARC: what to do when SPF or DKIM fail

DMARC is the policy on top. It tells receivers whether to do nothing (p=none, monitor only), put failures in spam (p=quarantine), or reject them outright (p=reject). Most UK SMBs are stuck at p=none forever because nobody ever revisits the policy after the initial setup. p=nonegives you DMARC reports but doesn't improve deliverability. p=quarantine is the right long-term state for most SMBs; p=rejectis best-practice once you're confident every legitimate sender passes.

How to use this checker

Enter your domain. The checker queries Cloudflare's public DNS-over-HTTPS resolver and surfaces the SPF, DKIM, and DMARC records. Each result shows pass/warn/fail with a specific fix if needed. The lookups are public DNS; nothing personal leaves the request. For DKIM custom selectors, set the selector field manually (your email provider's DNS setup guide will tell you what to use).

Where NuvenarHub Mail fits

NuvenarHub Mail gives you the authenticated infrastructure for broadcasts and transactional email, with a guided DNS setup that publishes the right SPF include, DKIM key, and DMARC starter policy. You still control the records (they need to cover Google Workspace, Stripe, and your other senders too), but the path from "new domain" to "everything passes" takes minutes instead of weeks.

03 // FAQ

What do SPF, DKIM, and DMARC actually do?

SPF tells mailbox providers which servers are allowed to send email on your behalf. DKIM signs outgoing email with a cryptographic key so receivers can verify the message wasn't tampered with. DMARC tells receivers what to do when an email fails both checks (none / quarantine / reject) and where to send the reports. Without all three, Gmail and Outlook silently downgrade your deliverability into Promotions or Spam.

Why does the DKIM check warn even though my email works?

Because DKIM selectors are provider-specific and there's no universal naming. Google uses 'google'. Microsoft 365 uses 'selector1' and 'selector2'. Mailchimp uses 's1' / 's2'. SendGrid uses 'k1'. The checker tries the common selectors; if your provider uses a custom one, set it in the input field.

Should DMARC be set to p=reject straight away?

No. Start with p=none, monitor reports for 2-4 weeks via the rua= address, fix any legitimate sender that's failing, then move to p=quarantine for another 2 weeks, then p=reject. Jumping to p=reject without monitoring will reject legitimate forwarded mail and break newsletter-forwarding workflows.

Where do DMARC reports go?

To the email address you specify in the rua= tag. The reports are XML files sent daily by every receiving mailbox provider. Tools like Postmark DMARC, dmarcian, or Valimail parse them into a readable dashboard for free at SMB volume.

Why does Gmail keep flagging my legitimate emails as spam?

Usually one of three things. SPF / DKIM / DMARC misconfigured (this checker surfaces that). Sender reputation low because you ramped volume too fast on a new domain (gradual warm-up over 4-6 weeks fixes this). Content patterns that trigger Gmail's spam filter (excessive caps, financial-trigger words, broken HTML, suspicious links). The checker addresses the first; the other two need separate audits.

Does NuvenarHub Mail handle SPF / DKIM / DMARC for me?

NuvenarHub Mail (the standalone email product) gives you the exact DNS records to publish on your domain plus a verification step. Once you publish them, broadcasts and transactional email go via authenticated infrastructure. You still control your own SPF / DMARC policy because they need to cover your other senders too (Google Workspace for personal email, Stripe for transactional receipts, etc.).

Related free tools

All 22 tools →

Get authenticated email infrastructure.

NuvenarHub Mail at £29/mo handles SPF, DKIM, and DMARC setup with a guided DNS wizard. Broadcasts and transactional email land in the inbox, not promotions. 7-day free trial.

See Nuvenar Mail

Email deliverability checker.Live DNS lookup for SPF, DKIM, DMARC.