Verify Email Authentication with Gmail

Egg Harbor Township Municipal Government requires all emails sent to us to pass three security checks: SPF, DKIM, and DMARC. These checks help protect us from phishing attacks and email fraud. Services like Gmail are more lenient and will accept a message as long as it passes either SPF or DKIM, even if one of them fails. We do not allow that. If any one of these three checks fails, the email will be rejected and will not reach us.

Proper email authentication protects your domain from spoofing and improves deliverability. Gmail's built-in Show original feature lets you inspect the raw headers of any received message to confirm all three records pass.

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)
  • DMARC (Domain-based Message Authentication)

  1. Send a test email from your domain

    Using your domain's email account (e.g. you@yourdomain.com), compose and send any message to a personal Gmail address you control. The subject and body content do not matter.

    Tip: Send it to a Gmail account, not another domain. Gmail exposes the full authentication headers needed for this check.
  2. Open the email in Gmail

    Log in to the personal Gmail account that received the message at mail.google.com and open the email.

  3. Click the three-dot menu (⋮) on the email

    In the top-right corner of the open email (not the Gmail window toolbar, but the message itself), click the vertical ellipsis (⋮) icon (three dots stacked).

    Where to look: The ⋮ icon is on the same line as the sender's name and the timestamp, to the far right of the message header area.
  4. Select "Show original"

    A dropdown menu appears. Click Show original near the bottom of the list. A new browser tab opens displaying the raw email headers and message source.

  5. Read the authentication summary at the top

    Gmail displays a color-coded summary table at the very top of the "Original Message" page before the raw headers. Look for these three rows:

    • SPF: Should show PASS
    • DKIM: Should show PASS
    • DMARC: Should show PASS (DMARC is evaluated from the SPF and DKIM results)
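
A scripted version of the check in step 5, as an added example that is not part of the original page: it reads the Authentication-Results header from message source copied out of Show original and applies the all-three-must-pass rule next to the lenient SPF-or-DKIM rule described above. The sample message, the example.com names and the function names are constructed; treating mx.google.com as the trusted receiver and counting one passing DKIM signature as a DKIM pass are assumptions.

```python
import re
from email import message_from_string

METHODS = ("spf", "dkim", "dmarc")

def auth_results(raw, authserv_id="mx.google.com"):
    """Collect spf/dkim/dmarc results from the receiver's Authentication-Results."""
    found = {m: [] for m in METHODS}
    for header in message_from_string(raw).get_all("Authentication-Results", []):
        value = " ".join(header.split())               # unfold continuation lines
        value = re.sub(r"\([^()]*\)", "", value)       # drop comments; they may hold ';'
        server, _, rest = value.partition(";")
        if server.strip().lower() != authserv_id:      # a sender can forge this header,
            continue                                   # so trust only the receiver's own
        for clause in rest.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*([a-z]+)", clause, re.I)
            if m:
                found[m.group(1).lower()].append(m.group(2).lower())
    return found

def strict_ok(found):
    """The page's rule: SPF, DKIM and DMARC must each report pass."""
    return all("pass" in found[m] for m in METHODS)

def lenient_ok(found):
    """The lenient rule the page contrasts with: SPF or DKIM passing is enough."""
    return "pass" in found["spf"] or "pass" in found["dkim"]

def sample(spf, dkim, dmarc, forged=""):
    """Constructed message source in the shape Gmail's Show original displays."""
    return (
        "Delivered-To: me@gmail.com\n"
        "Authentication-Results: mx.google.com;\n"
        f"       dkim={dkim} header.i=@example.com header.s=sel1;\n"
        f"       spf={spf} (google.com: domain of you@example.com designates"
        " 192.0.2.10 as permitted sender) smtp.mailfrom=you@example.com;\n"
        f"       dmarc={dmarc} (p=REJECT sp=REJECT dis=NONE) header.from=example.com\n"
        f"{forged}"
        "From: you@example.com\nSubject: test\n\nbody\n"
    )

if __name__ == "__main__":
    for args in [("pass", "pass", "pass"), ("pass", "fail", "pass")]:
        r = auth_results(sample(*args))
        print(r, "strict:", strict_ok(r), "lenient:", lenient_ok(r))
```

The second sample (SPF pass, DKIM fail) is the case the page warns about: the lenient rule accepts it, the strict rule rejects it.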

Additional Verification Tools

For a more thorough test, send a test email directly to one of these services and they will report exactly which checks pass or fail:

  • dkimvalidator.com generates a unique address to send to and returns a detailed SPF, DKIM, and DMARC report.
  • appmaildev.com is a similar send-and-check service with a clear pass/fail summary for each authentication record.

To check for broader misconfigurations beyond email, including TLS, HTTPS, and DNS security settings:

  • hardenize.com takes your domain and returns a comprehensive security report covering SPF, DKIM, DMARC, MTA-STS, DNSSEC, TLS, and more.