Free instant audit — no signup

Know your email is trusted, and stay that way.

Check any domain's email-authentication posture — SPF, DKIM, DMARC, MTA-STS, BIMI, and DNSSEC — in seconds. Then let AuthDrift watch it and alert you the moment it drifts.

Know your DKIM selector?

Optional. DKIM selectors can't be discovered from DNS, so we probe common defaults — add yours to verify a custom one. Separate multiple with commas.

Enter a bare domain — we strip any scheme and a leading www prefix for you.

Checking the domain's records…
The audit

Six checks, one clear verdict

AuthDrift inspects every layer of email authentication and rolls it up into a pass / warn / fail you can act on.

SPF

Parses your record and counts recursive DNS lookups against the RFC 7208 limit of 10 — the silent failure that breaks SPF for big senders.

DKIM

Probes declared and common selectors, checks key presence, length, and revocation — and learns your live selectors from DMARC reports.

DMARC

Reads your policy (p, sp, pct, alignment) and flags p=none — published, but enforcing nothing.

MTA-STS

Confirms the TXT record and that the policy file is actually reachable over HTTPS.

BIMI

Detects your BIMI record and that the referenced logo is reachable.

DNSSEC

Verifies the zone is signed, so your records can't be quietly forged in transit.

How it works

Set it once, hear from us only when it matters

Most outages start with a quiet DNS edit. AuthDrift turns that into a single, trustworthy alert.

Add your domains

Run the free check, then add the domains you care about. We audit each one instantly and set a baseline.

We watch continuously

AuthDrift re-scans on a schedule from multiple resolvers, comparing every snapshot against the last.

You get one alert on real drift

A confirmed change emails you a plain-English diff. Transient DNS glitches are filtered out, so no noise.

Drift detection you can actually trust

The hard part isn't spotting a change — it's not crying wolf. AuthDrift confirms every candidate change before it ever reaches your inbox.

  • Multi-resolver quorum and a delayed re-check before any alert — false positives filtered out.
  • Plain-English diffs: exactly what changed, in which record, and when it was confirmed.
  • Flap control: no repeat alerts while a change is unresolved; a recurrence is treated as new.
  • "Who's sending as you" — DMARC aggregate reports turned into authorized vs. unauthorized senders.
  • Self-monitoring heartbeat, so you're told if scanning ever stalls.

Built for agencies and MSPs

Monitor client domains from one account, group them by client, and share reports with your branding plus the AuthDrift audit badge.

  • Group domains by client and see each one's posture at a glance.
  • Monthly reports with your logo, name, and accent color.
  • Shareable, revocable, expiring read-only report links for clients.
  • Slack and signed-webhook alert channels alongside email.
Free during MVP

One launch plan while we validate the product

Every account has the same free limits during the MVP. Billing and paid plans come later.

No trial, checkout, or paid downgrade behavior during MVP.

FAQ

Questions, answered

Do I need to sign up to run a check?

No. The public checker is free and needs no account — just enter a domain. You only sign up to monitor domains over time and get drift alerts.

How is this different from a one-off SPF/DMARC checker?

One-off checkers tell you the state right now. AuthDrift keeps watching and tells you the moment that state changes — confirmed, de-duplicated, and explained in plain English.

Why can't you always find my DKIM key?

DKIM selectors can't be enumerated from DNS, so we probe common defaults and let you supply your own. For monitored domains we also learn live selectors from your DMARC reports.

Where is my data hosted?

In the European Union. We hold as little personal data as the product allows, hash any IPs, and let an account owner hard-delete everything at any time. See the Privacy Policy.

Check your domain in ten seconds

See exactly where your email authentication stands — then let AuthDrift keep it that way.

Run a free check