Q: Does this tool log my queries?

Digital Heroes doesn't log — the tool runs in your browser. Cloudflare DoH logs anonymized queries per their resolver privacy policy.

Question 1

What do SPF, DKIM, and DMARC do?

Accepted Answer

Three layers of email authentication that prevent spoofing. SPF (Sender Policy Framework) is a list of IPs / hostnames allowed to send email From your domain — receivers reject anything from a non-listed sender. DKIM (DomainKeys Identified Mail) is a cryptographic signature on each outgoing email, proving the email wasn't tampered with after sending and that your domain's private key signed it. DMARC tells receivers what to do when SPF or DKIM fails: monitor (none), quarantine (spam folder), or reject (delete). All three together are the email-deliverability triple-lock — Gmail and Yahoo started enforcing them in February 2024.

Question 2

What's the SPF mechanism count limit?

Accepted Answer

SPF records are limited to 10 DNS lookups. Each include: directive counts as 1 lookup. Most SPF records use includes for vendor IPs (Google Workspace, Microsoft 365, Mailchimp, Klaviyo, etc.) — pile up too many and your SPF exceeds the 10-lookup limit, causing receivers to fail open with a permerror. The validator counts your includes; if you're at 8+, plan SPF flattening or vendor consolidation. Most email-auth bugs trace back to over-quota SPF.

Question 3

Why does DMARC need a selector for DKIM?

Accepted Answer

DKIM keys are stored at selector._domainkey.yourdomain.com — the selector is a string the sender chooses (e.g., 'google', 'k1', 'mc20240419'). Without knowing the selector, the tool can't query the DKIM record. Most senders publish the selector in their DKIM-Signature header (the s= parameter). The most common selectors: 'google' for Google Workspace, 'selector1' / 'selector2' for Microsoft 365, 'k1' / 'k2' for Mailchimp, 'dkim' generic. Try one of these; if it returns nothing, ask your email vendor.

Question 4

Should DMARC policy be 'reject' or 'quarantine'?

Accepted Answer

Aim for reject — it's the strictest, instructs receivers to drop unauthenticated mail, and prevents spoofed phishing entirely. Start with 'none' for monitoring (no action, just reports), then move to 'quarantine' (spam folder), then 'reject' (deleted) once you're sure your legitimate mail authenticates correctly. The progression takes 4-8 weeks for most teams. The validator flags 'p=none' as a warning since it's not actually protective — just observation mode.

Question 5

What's pct= in DMARC?

Accepted Answer

pct=N controls what percentage of unauthenticated mail gets the policy applied. pct=10 means only 10% of failing mail gets quarantined / rejected; the other 90% gets policy=none (delivered with reports). Useful for gradual rollout: pct=10 → pct=50 → pct=100. The validator flags pct < 100 as 'partial enforcement' so you don't ship pct=10 forever and forget about it.

Question 6

Does this tool log my queries?

Accepted Answer

Digital Heroes doesn't log — the tool runs in your browser. Cloudflare DoH logs anonymized queries per their resolver privacy policy.

SPF, DKIM, DMARC checker. Email shield triple.

Six questions users ask.

DNS cluster.

MX Record Checker

CNAME Lookup

DNS Propagation

IP Lookup

WHOIS Lookup

SEO service