How it works

The process

  1. You get a unique address. When you open the page, a random UUID is generated and combined with our testing subdomain (e.g. [email protected]).
  2. You send an email to it. Use any email client or mail server you want to test — Outlook, Gmail, your own server, etc.
  3. Cloudflare receives it. Our MX records point to Cloudflare's email infrastructure, which stamps the message with Authentication-Results headers containing SPF, DKIM, and DMARC verdicts.
  4. Our worker processes it. A Cloudflare Worker parses the headers, looks up DNS records, performs a reverse DNS (PTR) lookup on the sender's IP, and fetches GeoIP data.
  5. Results appear on screen. The worker stores results in Cloudflare KV (deleted after 30 minutes). Your browser polls for the result every 3 seconds and displays it automatically.

What each check means

SPF — Sender Policy Framework
Checks whether the IP address that sent the email is listed as an authorized sender for the envelope-from domain. A domain publishes a DNS TXT record listing its permitted sending IPs. If the sending IP isn't in that list, SPF fails.
DKIM — DomainKeys Identified Mail
Verifies a cryptographic signature added to the email by the sending server. The public key is published in DNS at selector._domainkey.domain. If the signature doesn't match, the message may have been altered in transit or the key has changed.
DMARC — Domain-based Message Authentication Reporting and Conformance
Combines SPF and DKIM results and checks that at least one of them aligns with the visible From address. The domain owner publishes a policy (p=none, p=quarantine, or p=reject) that tells receivers how to handle failures.
PTR — Pointer record (reverse DNS)
A PTR record maps an IP address back to a hostname. Legitimate mail servers almost always have a PTR record that matches their forward hostname. Missing or mismatched PTR records increase the likelihood of messages being flagged as spam.

Privacy

  • Email contents are never stored — only authentication headers and metadata.
  • Results are stored in Cloudflare KV with a 30-minute TTL and then permanently deleted.
  • No account is required and no personal information is collected.
  • Each test address is single-use and randomly generated.