Mission Brief · 002

by Grzegorz Meger

Your emails reach the inbox.
Until they don't.

DMARC failures don't bounce — they silently drop into the spam folder. Type any domain and see exactly which of the four authentication layers are working, broken, or never configured. The same audit a Solution Architect runs by hand — in your browser, under two seconds, free.

4
Layers checked · SPF · DKIM · DMARC · BIMI
0
Tools to install · accounts · paywalls
~1.5s
Average audit time, per domain
Open the cockpit
Audit · interactive

Type a domain. See the verdict.

Live DNS lookups over DNS-over-HTTPS (Cloudflare 1.1.1.1), parsed in your browser. We probe the common DKIM selectors for Google Workspace, Microsoft 365, SendGrid, SES, Mailgun, Postmark, Mailchimp — and validate BIMI assets when they're present. The same checks a Solution Architect runs by hand — but instant, and free.

Try:
Verdict
Awaiting domain
How this works

Every lookup runs directly from your browser against Cloudflare's public DNS-over-HTTPS endpoint. We don't store the domain, we don't log the result. Deep VMC certificate validation (EKU, LogotypeExtension, hash binding) requires our CLI / backend — linked below in Sources.

SPFawaiting domain
DKIMawaiting domain
DMARCawaiting domain
BIMIawaiting domain

Enter a domain or pick one of the presets to start the audit.
The four layers · explained

Four protocols. Four ways to fail silently.

Each protocol exists because the previous one wasn't enough. SMTP from 1981 trusts anyone. SPF added a guest list. DKIM added a signature. DMARC added enforcement. BIMI added a face. Skip any one of them and the chain breaks — without bouncing.

01
Layer 1 of 4

SPF — the guest list at the door

An owner-controlled TXT record at the apex domain that lists every IP allowed to send mail as you. Receivers check: does the sending IP appear here? If not — spoofed. The catch: SPF allows at most 10 DNS lookups during evaluation. Once you exceed that, it silently treats the record as if it didn't exist.

— RFC 7208 · in use since 2014
02
Layer 2 of 4

DKIM — the wax seal on the envelope

The sending server signs each message with a private key. The matching public key lives at <selector>._domainkey.<domain>. Receivers verify the signature byte-by-byte. Tampered in transit? Sent by a server without the key? DKIM fails. Modern keys are 2048-bit RSA.

— RFC 6376 · every major ESP signs with DKIM
03
Layer 3 of 4

DMARC — the boss of all bosses

If SPF and DKIM both fail — DMARC decides what happens. p=none just reports. p=quarantine ships failing mail to spam. p=reject drops it at the SMTP layer. Add rua= to get aggregate XML reports of every server trying to send as you — that's how you discover ongoing spoofing.

— RFC 7489 · mandatory for bulk senders since 2024
04
Layer 4 of 4

BIMI — the brand logo in the inbox

With DMARC enforcing, you can publish a BIMI record pointing at an SVG Tiny PS logo and a VMC certificate. Gmail, Yahoo, Apple Mail, Fastmail render that logo next to your name. Most setups silently fail on one of three things: the SVG isn't Tiny PS, the certificate isn't from a recognized CA, or the logo hash in the cert doesn't match the SVG byte-for-byte.

— BIMI Group · DigiCert / Entrust VMC
Sources · receipts

The protocols, straight from the source.

Every check this widget runs maps to a public RFC, a CA-published spec, or a major mailbox provider's published requirements. Click through and read.

RFC 7208
Sender Policy Framework
The current SPF spec. Defines record syntax, the 10-lookup limit, and the four qualifiers (-all / ~all / ?all / +all). Anyone shipping email-sending code should have read this once.
IETF
RFC 6376
DomainKeys Identified Mail
DKIM. Cryptographic signing of email by the sending domain. Defines the selector layout, RSA key formats, and the c14n canonicalization used to compute the signature.
IETF
RFC 7489
DMARC — Domain-based Message Authentication
Builds on SPF + DKIM. Defines the policy tags (p, sp, pct, rua, ruf, adkim, aspf, fo, ri) and the alignment rules between authenticated identifiers and the From: header.
IETF
BIMI v1
Brand Indicators for Message Identification
The BIMI specification. SVG Tiny PS logo profile, default._bimi selector, l= / a= record tags, and the VMC/CMC certificate requirement for rendering in Gmail and Yahoo.
BIMI Working Group
Feb 2024
Gmail & Yahoo sender requirements
From February 2024 every bulk sender (5,000+ messages/day to Gmail or Yahoo) must publish SPF, DKIM, and a DMARC policy. Without them, you stop reaching the inbox — full stop, no warning.
Google + Yahoo · joint announcement
Skill
The full audit logic — as a Claude Code skill
The exact checks this widget runs, packaged as a Claude Code skill. Install with one line and Claude runs the audit from your terminal — DKIM selector probing, BIMI SVG conformance, full VMC certificate validation.
github.com/pirxey/email-auth-audit
Mission control standing by

Want to know your project's real X-factor before we start?

We'll size your codebase, score your team's review and integration capacity, and give you a Pirxey number for your specific mission. Free. No slide deck.

Schedule a discovery call sales@pirxey.com
Pirxey · Aleja Grunwaldzka 472, 80-309 Gdańsk, Poland · 130+ engineers · 100+ missions delivered