
How to Audit SPF DKIM DMARC on a Burned Email Domain

Before deciding whether to recover or replace a burned domain, audit its authentication status. This determines whether configuration issues contributed to the burn.

You have a domain that was previously used for cold email and developed a bad reputation. Before you decide whether to try to recover it or replace it, you need to audit its current authentication status to understand whether configuration issues are contributing to the problem or whether it is purely a reputation issue.

Why the audit matters before any decision

When a domain is burned, it is tempting to assume everything is broken. But sometimes a burned domain has clean authentication and the problem is entirely reputation-based. Other times, authentication was misconfigured from the start and contributed to the burn. Knowing which situation you are in determines your recovery strategy — and whether recovery is even worth attempting.

SPF audit

Use the SPF checker to run through this checklist:

SPF audit checklist

  • Exactly one SPF record exists starting with v=spf1 — no duplicates
  • Record includes all current sending services (and only current services — remove old providers)
  • Total DNS lookups are at or below 10
  • No deprecated mechanisms like "ptr"
  • No includes are missing for current sending services
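
The SPF checklist above, worked through in code as an added example (not taken from this page or from the SPF checker it mentions). The zone data, domain names and function names are all constructed for illustration; lookups are counted offline by following include and redirect targets, which is where a record that looks short can exceed the limit.

```python
ZONE = {  # constructed sample zone (domain -> TXT strings); every name is made up
    "burned.example": [
        "v=spf1 include:_spf.esp-a.example include:old-esp.example a mx ptr ~all",
        "v=spf1 include:_spf.esp-a.example -all",  # second SPF record (invalid)
        "site-verification=constructed",
    ],
    "_spf.esp-a.example": ["v=spf1 ip4:192.0.2.0/24 include:_nb.esp-a.example ~all"],
    "_nb.esp-a.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "old-esp.example": ["v=spf1 exists:%{i}.rbl.old-esp.example ~all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 sec. 4.6.4

def spf_records(domain, zone):
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def terms_of(record):
    # Strip qualifiers (+ - ~ ?) and lowercase; skip the leading v=spf1 token.
    return [t.lstrip("+-~?").lower() for t in record.split()[1:]]

def count_lookups(domain, zone, path=frozenset()):
    """Count DNS-querying terms, descending into include/redirect targets."""
    recs = spf_records(domain, zone)
    if domain in path or not recs:
        return 0  # loop guard, or nothing to evaluate
    total = 0
    for term in terms_of(recs[0]):
        name = term.replace("=", ":").split(":")[0].split("/")[0]
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            target = term.replace("=", ":", 1).split(":", 1)[1]
            total += count_lookups(target, zone, path | {domain})
    return total

def audit_spf(domain, zone, current_includes):
    recs, findings = spf_records(domain, zone), []
    if len(recs) != 1:
        findings.append(f"{len(recs)} SPF records found, need exactly 1")
    if not recs:
        return findings
    terms = terms_of(recs[0])  # with duplicates, only the first is inspected here
    includes = {t.split(":", 1)[1] for t in terms if t.startswith("include:")}
    if any(t == "ptr" or t.startswith("ptr:") for t in terms):
        findings.append("deprecated ptr mechanism present")
    findings += [f"missing include: {d}" for d in sorted(set(current_includes) - includes)]
    findings += [f"stale include: {d}" for d in sorted(includes - set(current_includes))]
    n = count_lookups(domain, zone)
    return findings + ([f"{n} DNS lookups, limit is 10"] if n > 10 else [])
```

For the sample zone, `audit_spf("burned.example", ZONE, ["_spf.esp-a.example"])` reports the duplicate record, the ptr mechanism and the stale include, and `count_lookups` returns 7 even though the top-level record shows only five lookup terms.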

DKIM audit

Use the DKIM checker with auto-discovery enabled:

DKIM audit checklist

  • DKIM record exists for your ESP's selector
  • DKIM key is at least 1024 bits (2048 recommended)
  • DKIM signing is actually enabled on your sending server — not just the DNS record
  • Test email confirms dkim=pass in headers
  • The d= value in the DKIM-Signature matches your From header domain

DMARC audit

Use the DMARC lookup:

DMARC audit checklist

  • DMARC record exists at _dmarc.yourdomain.com
  • rua tag is set to a monitored email address
  • Policy (p=) is appropriate for the domain's current situation
  • Alignment settings (aspf, adkim) are correct — relaxed is usually right

Cross-check: send a test email

Send a test email from each sending service you use and check headers for SPF PASS, DKIM PASS, and DMARC PASS using the placement test. Every sending source must pass all three. This is the only way to confirm end-to-end auth — DNS records that look right can still produce failing results if the sending server is misconfigured.

What the audit tells you

If authentication is broken, fix it first. Without clean authentication, no reputation recovery effort will work.

If authentication is already clean and the domain is burned purely due to reputation, the decision is whether to invest 4–8 weeks in reputation recovery or replace the domain with clean infrastructure.

Repair or replace?

For time-sensitive campaigns, WarmInboxes provides domains that are already audited, authenticated, and warmed, eliminating both the audit and the recovery process. Use the repair-or-replace calculator to make the final call based on your specific situation.

Run the checks first

Before replacing anything, run a free inbox placement test. You might find the issue is DNS, not the domain — and save yourself a week of unnecessary work.
