Why monitoring SPF and DMARC records matters

For organizations managing 100+ domains, keeping SPF and DMARC records valid and consistent can quickly become a serious challenge. Each domain may be hosted at a different registrar, managed by international teams, and include multiple third-party senders. A single typo, a misconfigured include, or a growing number of include lookups can silently invalidate a record, leaving legitimate messages unprotected or rejected.

In my experience in the e-mail security field, I've seen many large companies with badly configured SPF/DMARC records, affecting their deliverability but also their risk of being impersonated. These records might look useless, but they play a huge role in how the world decides whether your emails are real or risky. Even today, many mail servers still rely heavily on SPF, DKIM, and DMARC to make spam and phishing decisions.

Commercial options

While there are commercial monitoring tools like MXToolbox, they can get pricey pretty quickly — especially if you’re tracking dozens or hundreds of domains. On top of that, they often offer little flexibility or customization. You’re usually limited to whatever dashboard or alerting rules they provide, which isn’t ideal if you want to integrate monitoring into your own workflows or reporting tools.

How can checkdmarc help?

checkdmarc is a Python library initiated by @seanthegeek that makes it easy to validate and analyze SPF, DKIM, and DMARC records directly from the command line or within your own scripts. It’s lightweight, open-source, maintained, and perfect for automating domain checks without relying on expensive external services. checkdmarc already checks many things related to domains such as:

  • SPF record validation (typos, >10 lookups or void lookups...)

  • DMARC record validation

  • BIMI, DNSSEC and much more...
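The following added example (not from the original post and not checkdmarc's own code) counts the DNS-querying SPF terms that RFC 7208 limits to 10, and shows how one change in a third-party sender's record pushes a domain over that limit. The `ZONE` dictionary, the `.example` names and the function names are constructed for illustration; void lookups and macro expansion are not handled.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF check
QUERYING = {"include", "a", "mx", "ptr", "exists"}  # mechanisms that cost a lookup

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms; zone (name -> TXT) stands in for DNS."""
    if domain in path:
        raise ValueError(f"SPF include loop via {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record found for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):  # modifier, counted like include
            total += 1 + count_lookups(term[9:], zone, path + (domain,))
            continue
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if name in QUERYING:
            total += 1
        if name == "include":  # nested records count against the same limit
            total += count_lookups(term.partition(":")[2], zone, path + (domain,))
    return total

def within_limit(domain, zone):
    return count_lookups(domain, zone) <= LOOKUP_LIMIT

# Constructed records under the reserved .example TLD, not real DNS data.
ZONE = {
    "corp.example": "v=spf1 mx include:_spf.mail.example "
                    "include:_spf.crm.example include:_spf.news.example -all",
    "_spf.mail.example": "v=spf1 include:a.mail.example include:b.mail.example "
                         "include:c.mail.example ~all",
    "a.mail.example": "v=spf1 ip4:192.0.2.0/26 ~all",
    "b.mail.example": "v=spf1 ip4:192.0.2.64/26 ~all",
    "c.mail.example": "v=spf1 ip4:192.0.2.128/26 ~all",
    "_spf.crm.example": "v=spf1 a:out.crm.example mx:crm.example ~all",
    "_spf.news.example": "v=spf1 include:pool.news.example ~all",
    "pool.news.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
# A third-party sender later adds one mechanism to its own record.
CHANGED = {**ZONE, "pool.news.example":
           "v=spf1 exists:%{i}.ok.news.example ip4:198.51.100.0/24 ~all"}

if __name__ == "__main__":
    for label, zone in (("before", ZONE), ("after", CHANGED)):
        print(label, count_lookups("corp.example", zone), within_limit("corp.example", zone))
```

The owner of `corp.example` changed nothing between the two runs, which is why a scheduled re-check is needed to catch this kind of drift.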

Automating and Adding a GUI

checkdmarc works well on its own, but it is primarily a CLI tool and is typically run manually.

To streamline operations, you can wrap it in a FastAPI application or a similar framework to run it as a "Worker" service. Once set up, you can create a scheduled Job that periodically queries the Worker API for your existing domains. The Job's purpose is to perform regular scans, detect changes or misconfigurations, and notify the administrator via webhook, email, or any preferred communication channel.

Managing your domains is another key aspect. You can store them in an Excel file that the Job reads from, or develop a separate GUI to manage domain information more easily.

Stack that I've used

Regarding the stack, I kept Python for the Job, and used Loopback + VueJS for the GUI. Those two frameworks are still maintained and ensure fast development of your monitoring tool.

Architecture proposed

[Figure: architecture diagram]

Blog Details

Name: Ensuring your domains respect SPF & DMARC with checkdmarc
Author: Nicolas Zona
Date: 5 November 2025
Tags: checkdmarc, DMARC checker, SPF checker, email authentication