Jan 08

Email Deliverability 101: DNS, SPF, DKIM, DMARC in One Checklist

A practical checklist to diagnose and improve email deliverability using DNS lookups for MX, SPF, DKIM, and DMARC—plus PTR and port checks.

Audience: Email admins, IT/helpdesk, marketers
Goal: Quickly verify the DNS pieces that determine if your mail lands in inboxes.

The four pillars

  • MX: Where mail should be delivered for a domain.
  • SPF: Which IPs/hosts may send mail for a domain.
  • DKIM: Cryptographic signing of messages by the sender domain.
  • DMARC: Policy + reporting on alignment of SPF/DKIM with the visible “From.”

Fast deliverability checklist

  1. MX Lookup: Confirm MX records exist, point to the right provider, and have sensible priorities. Ensure corresponding A/AAAA records resolve.
  2. SPF (TXT): Check the domain’s SPF TXT. Avoid multiple SPF records; keep under 10 DNS lookups (include/a/mx/ptr/exists). Ensure your sending IPs/hosts are covered.
  3. DKIM: For each selector, retrieve selector._domainkey.example.com. Confirm the public key is present and valid; rotate keys periodically.
  4. DMARC: Check _dmarc.example.com. Start with p=none + reporting (rua=) to observe. Move to p=quarantine/reject once aligned.
  5. PTR (rDNS) for sending IPs: Ensure reverse DNS matches the forward hostname in your SMTP banner; lack of PTR can hurt reputation.
  6. Port reachability: From outside, test inbound 25/587/465 to your MX target (mind ISP blocks). If blocked, receiving will fail.

Interpreting common issues

  • SPF “permerror” or too many lookups: Consolidate includes; remove unused mechanisms; avoid ptr and broad exists.
  • DKIM fails intermittently: Key not published, selector mismatch, or body canonicalization differences. Regenerate and republish the key; verify selector in headers.
  • DMARC alignment fails: Visible From domain doesn’t match SPF/DKIM authenticated domain; use aligned sender or aligned DKIM signing domain.
  • Mail goes to spam despite records: Reputation/engagement matters; check content, volume spikes, blocklists, and IP/domain age.
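
The SPF checks from the checklist (a single SPF record, the 10-lookup limit) and the "permerror" case above, as an added example that is not part of the original article: a Python lint that counts DNS-querying terms through nested includes. It runs offline over a constructed zone; every domain, record and function name in it is an assumption made for illustration.

```python
# Added example: offline SPF lint. ZONE is constructed sample data, not real DNS.
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4 caps DNS-querying terms per check
QUERYING = ("a", "mx", "ptr", "exists")  # include/redirect also count, handled below

ZONE = {  # constructed: domain -> TXT strings published at that name
    "example.com": ["v=spf1 mx a include:_spf.mail.example include:crm.example -all",
                    "site-verification=constructed-token"],
    "_spf.mail.example": ["v=spf1 include:a.mail.example include:b.mail.example ~all"],
    "a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "b.mail.example": ["v=spf1 ip4:198.51.100.0/24 a mx ~all"],
    "crm.example": ["v=spf1 exists:%{i}.bl.crm.example ptr include:c1.crm.example"
                    " include:c2.crm.example ~all"],
    "c1.crm.example": ["v=spf1 ip4:203.0.113.0/25 ~all"],
    "c2.crm.example": ["v=spf1 a ~all"],
    "dup.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 include:crm.example -all"],
}

def spf_records(domain, zone):
    """TXT strings at domain that are SPF records (version tag v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(domain, zone, path=()):
    """Return (lookups, problems), following include: and redirect= targets."""
    if domain in path:
        return 0, [f"include loop back to {domain}"]
    records = spf_records(domain, zone)
    if len(records) != 1:
        return 0, [f"{domain}: {len(records)} SPF records, need exactly 1"]
    lookups, problems = 0, []
    for term in records[0].split()[1:]:
        bare = term.lstrip("+-~?").replace("=", ":", 1)  # redirect=x -> redirect:x
        mech, _, target = bare.partition(":")
        mech = mech.split("/")[0].lower()  # drop CIDR suffix such as a/24
        if mech in ("include", "redirect"):
            sub, sub_problems = count_lookups(target.lower(), zone, path + (domain,))
            lookups += 1 + sub
            problems += sub_problems
        elif mech in QUERYING:
            lookups += 1
            if mech == "ptr":
                problems.append(f"{domain}: uses ptr, remove it")
    return lookups, problems

def lint_spf(domain, zone=ZONE):
    lookups, problems = count_lookups(domain, zone)
    if lookups > LOOKUP_LIMIT:
        problems.append(f"{lookups} lookups exceeds {LOOKUP_LIMIT}: permerror")
    return lookups, problems

if __name__ == "__main__":
    for name in ("example.com", "dup.example"):
        print(name, lint_spf(name))
```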

Safe rollout strategy

  • Start DMARC at p=none with reports; observe for 1–2 weeks.
  • Fix alignment gaps (forwarders, 3rd-party senders) before tightening to quarantine/reject.
  • Maintain a list of all sending services and ensure SPF/DKIM coverage for each.

Data to capture for support

  • Sample message headers (showing SPF/DKIM/DMARC results)
  • SPF record content; DMARC record; DKIM selector and public key
  • MX records and the IP/host actually connecting
  • PTR of the sending IP; any blocklist hits

Where your tools fit

  • MX Lookup: Verify routing and priorities.
  • DNS Lookup: Retrieve SPF (TXT), DKIM (selector TXT), DMARC, A/AAAA.
  • IP to Hostname (PTR): Confirm reverse DNS for sending IPs.
  • Open Port Checker: Verify inbound 25/587/465 reachability from outside.
  • Hostname to IP / IP Information: Confirm resolved IPs and hosting/ASN.

Bottom line

Deliverability hinges on correct DNS signals and alignment. Validate MX, SPF, DKIM, DMARC, ensure PTR is set, and verify ports are open. Monitor and iterate before enforcing strict policies.
