You've configured SPF. You've set up DKIM. You've published a DMARC record. But is your email actually authenticating correctly?
There's only one way to find out: send a real email and see what happens.
Today we're releasing the SenderClarity Email Investigation tool — a free, no-account-required service that tests your email authentication in real time and gives you an instant deliverability score with actionable recommendations to fix any issues.
Why We Built This
Every week we hear from organizations that have "set up DMARC" but have no idea whether it's actually working. They published the DNS records, checked a box, and moved on. Months later they discover their marketing emails are landing in spam, their DKIM signatures are failing because of a key rotation they forgot about, or their SPF record silently broke when they hit the 10-lookup limit.
The existing tools don't help much. Most SPF and DKIM checkers only query DNS records — they tell you whether a record exists, not whether your email actually passes authentication when it reaches a real mail server. That's like checking that you have a lock on your front door without ever testing whether the key works.
The Email Investigation tool closes that gap. It tests what receivers actually see when your email arrives.
How It Works
The process takes about 60 seconds:
1. Start an investigation
Visit the Email Investigation tool and click "Start Investigation." No account, no sign-up, no credit card.
2. Send a test email
We generate a unique probe address for your test — something memorable like bright.coral.falcon@inv.senderclarity.com. Copy the address and send a normal email to it from the system you want to test. Use your regular email client, your marketing platform, your transactional email service — whatever you want to verify.
3. Get your results
Within seconds of your email arriving, we parse the full authentication chain and present your results: an overall score, a letter grade, and pass/fail status for every authentication protocol.
What the Tool Analyzes
This isn't a DNS lookup. When your test email arrives at our servers, we extract and evaluate the actual authentication results that receiving mail servers produce — the same checks that determine whether your email reaches the inbox or gets flagged as spam.
SPF (Sender Policy Framework)
We check whether the sending server's IP address is authorized by your domain's SPF record. The results show:
- Pass, fail, softfail, neutral, or error status
- The domain used for the SPF check
- Your full SPF record for reference
If SPF fails, it usually means a sending service's IP isn't included in your SPF record — a common issue when adding new email tools or migrating providers.
DKIM (DomainKeys Identified Mail)
We verify the cryptographic signature attached to your email, confirming the message wasn't altered in transit and came from an authorized sender. You'll see:
- Signature verification result
- The DKIM selector used (e.g.,
google,selector1,s1) - The signing domain
- Key strength analysis — if you're still using 1024-bit keys, we'll flag it
DMARC (Domain-based Message Authentication, Reporting & Conformance)
We evaluate your DMARC policy and check alignment between SPF/DKIM and your From header domain. The analysis includes:
- DMARC pass or fail result
- Your current policy (
none,quarantine, orreject) - SPF alignment status
- DKIM alignment status
- Your full DMARC record
This is where many organizations discover a surprise: SPF and DKIM both pass, but DMARC still fails because of an alignment mismatch — typically a third-party service signing with their domain instead of yours.
ARC (Authenticated Received Chain)
For forwarded messages, we validate the ARC chain that preserves authentication results across mail hops. This matters when email passes through mailing lists, forwarding services, or security gateways that break traditional SPF.
Infrastructure Analysis
Beyond the authentication protocols, we check your sending infrastructure:
- Reverse DNS (PTR record) — Whether your sending IP has a valid reverse DNS entry. Missing reverse DNS is a deliverability red flag that many senders overlook.
Your Deliverability Score
Every investigation produces a score from 0 to 100, broken down across four categories:
| Category | Max Points | What's Measured |
|---|---|---|
| SPF | 25 | Record exists, check passes, alignment |
| DKIM | 30 | Signature present, verification passes, alignment |
| DMARC | 30 | Record exists, check passes, enforcing policy, reporting configured |
| Infrastructure | 15 | Reverse DNS, ARC validation |
The score maps to a letter grade:
| Grade | Score | Meaning |
|---|---|---|
| A+ | 95–100 | Excellent — full authentication with enforcement |
| A | 90–94 | Strong — minor improvements possible |
| B | 80–89 | Good — a few gaps to address |
| C | 70–79 | Fair — notable issues affecting deliverability |
| D | 60–69 | Below average — significant problems |
| F | Below 60 | Poor — critical authentication failures |
Personalized Recommendations
The score tells you where you stand. The recommendations tell you what to do about it.
Based on your specific results, the tool generates a targeted list of fixes. These aren't generic advice — they're tied to what actually failed in your test:
- SPF record missing? We tell you exactly what to publish.
- DKIM failing? We identify whether it's a missing selector, a key size issue, or an alignment problem.
- DMARC policy set to
none? We explain how to safely advance toquarantineand thenreject. - No RUA reporting tag? We explain why aggregate reports matter and how to add one.
- Missing reverse DNS? We explain the deliverability impact and what to configure.
Most investigations produce 3 to 7 recommendations, prioritized by impact.
Free for Everyone
The Email Investigation tool is free and requires no account. The basic report — score, grade, and authentication results — is available to anyone, anytime.
For the full detailed report with recommendations, enter your email address and we'll unlock it instantly. That's it. No trial, no commitment, no follow-up sales calls.
Rate limits: 5 investigations per hour, 10 per day per IP address. That's plenty for testing your email systems — and it keeps the tool fast and available for everyone.
What This Means for Your Email
If you're scoring below 80, your email deliverability is at risk. Inbox providers like Google, Yahoo, and Microsoft use exactly these authentication signals to decide whether your messages reach the inbox, land in spam, or get rejected outright.
Since Google and Yahoo began enforcing DMARC requirements for bulk senders in 2024 — with Microsoft following in 2025 — having broken or missing authentication isn't just a best-practice gap. It's a deliverability problem that directly affects whether your customers see your emails.
A quick investigation can reveal issues you didn't know you had. We've seen organizations discover:
- SPF records that silently exceeded the 10-lookup limit after adding a new SaaS tool
- DKIM keys that were never rotated from the default 1024-bit size
- DMARC alignment failures caused by third-party senders signing with their own domain
- Missing reverse DNS on dedicated sending IPs that had been configured years ago
Each of these issues is fixable in minutes once you know about it. The Email Investigation tool surfaces them in seconds.
From Investigation to Continuous Monitoring
The Email Investigation tool gives you a point-in-time snapshot. It answers "is my email authenticating right now?" — which is exactly the right place to start.
But email authentication isn't a set-and-forget configuration. DNS records change, vendors update their sending infrastructure, team members add new services, and what passed yesterday can fail tomorrow.
That's what SenderClarity is for. Our platform monitors your SPF, DKIM, DMARC, and BIMI records continuously and alerts you — via Slack, Microsoft Teams, or email — the moment something changes or breaks. You get the same plain-English guidance and actionable recommendations, delivered around the clock.
If your investigation uncovers issues, the free tool helps you fix them today. SenderClarity makes sure they stay fixed.
Or explore the rest of our free toolkit:
- SPF Checker — Validate your SPF record and count DNS lookups
- DKIM Checker — Verify DKIM selectors and key strength
- DMARC Checker — Analyze your DMARC policy and reporting setup
- Email Security Learning Center — Plain-English guides to SPF, DKIM, and DMARC
The Email Investigation tool is built by SenderClarity, a DMARC monitoring platform from CloudScope. We've been building enterprise email and analytics solutions for over 25 years — and we believe every organization deserves to know whether their email is reaching the inbox.
Rating
Comments
Be the first to post a comment!