Know your email is trusted, and stay that way.
Check any domain's email-authentication posture — SPF, DKIM, DMARC, MTA-STS, BIMI, and DNSSEC — in seconds. Then let AuthDrift watch it and alert you the moment it drifts.
Enter a bare domain — we strip any scheme and a leading www prefix for you.
Six checks, one clear verdict
AuthDrift inspects every layer of email authentication and rolls it up into a pass / warn / fail you can act on.
SPF
Parses your record and counts recursive DNS lookups against the RFC 7208 limit of 10 — the silent failure that breaks SPF for big senders.
DKIM
Probes declared and common selectors, checks key presence, length, and revocation — and learns your live selectors from DMARC reports.
DMARC
Reads your policy (p, sp, pct, alignment) and flags p=none — published, but enforcing nothing.
MTA-STS
Confirms the TXT record and that the policy file is actually reachable over HTTPS.
BIMI
Detects your BIMI record and that the referenced logo is reachable.
DNSSEC
Verifies the zone is signed, so your records can't be quietly forged in transit.
Set it once, hear from us only when it matters
Most outages start with a quiet DNS edit. AuthDrift turns that into a single, trustworthy alert.
Add your domains
Run the free check, then add the domains you care about. We audit each one instantly and set a baseline.
We watch continuously
AuthDrift re-scans on a schedule from multiple resolvers, comparing every snapshot against the last.
You get one alert on real drift
A confirmed change emails you a plain-English diff. Transient DNS glitches are filtered out, so no noise.
Drift detection you can actually trust
The hard part isn't spotting a change — it's not crying wolf. AuthDrift confirms every candidate change before it ever reaches your inbox.
- Multi-resolver quorum and a delayed re-check before any alert — false positives filtered out.
- Plain-English diffs: exactly what changed, in which record, and when it was confirmed.
- Flap control: no repeat alerts while a change is unresolved; a recurrence is treated as new.
- "Who's sending as you" — DMARC aggregate reports turned into authorized vs. unauthorized senders.
- Self-monitoring heartbeat, so you're told if scanning ever stalls.
Built for agencies and MSPs
Monitor client domains from one account, group them by client, and share reports with your branding plus the AuthDrift audit badge.
- Group domains by client and see each one's posture at a glance.
- Monthly reports with your logo, name, and accent color.
- Shareable, revocable, expiring read-only report links for clients.
- Slack and signed-webhook alert channels alongside email.
One launch plan while we validate the product
Every account has the same free limits during the MVP. Billing and paid plans come later.
- Up to 3 monitored domains
- Weekly monitoring
- 30-day posture history
- DMARC (RUA) report analysis
- Email, Slack, and webhook alerts
- Clients, share links, and branded report fields
No trial, checkout, or paid downgrade behavior during MVP.
Questions, answered
Do I need to sign up to run a check?
No. The public checker is free and needs no account — just enter a domain. You only sign up to monitor domains over time and get drift alerts.
How is this different from a one-off SPF/DMARC checker?
One-off checkers tell you the state right now. AuthDrift keeps watching and tells you the moment that state changes — confirmed, de-duplicated, and explained in plain English.
Why can't you always find my DKIM key?
DKIM selectors can't be enumerated from DNS, so we probe common defaults and let you supply your own. For monitored domains we also learn live selectors from your DMARC reports.
Where is my data hosted?
In the European Union. We hold as little personal data as the product allows, hash any IPs, and let an account owner hard-delete everything at any time. See the Privacy Policy.
Check your domain in ten seconds
See exactly where your email authentication stands — then let AuthDrift keep it that way.
Run a free check