Email Deliverability: How to Verify DKIM with Port25 and Mail-Tester

by

You have configured SPF, signed your messages with DKIM, and set up DMARC. So, why are your emails still going to the spam folder?

The gap between “theory” (having records) and “reality” (landing in the inbox) is often invisible to the naked eye. You cannot guess how a receiving server sees your email; you have to verify it using diagnostic tools.

In this post, we are going to look at two of the most reliable free tools for this—Port25 and Mail-Tester—and explain why Reverse DNS (rDNS) is the silent gatekeeper of the modern inbox.

The “Spam Folder” Diagnosis: Using Mail-Tester

If you want a quick, visual “score” for your email health, Mail-Tester.com is the industry standard. It acts like a normal spam filter but gives you a report card.

How to use it :

  1. Go to Mail-Tester.com.
  2. You will see a unique, randomized email address (e.g., test-abc123@mail-tester.com).
  3. Send your email campaign or transactional message exactly as a real user would receive it to that address.
  4. Wait 10 seconds and refresh the page.

What you learn:
The tool gives you a score out of 10. It breaks down exactly why points were deducted. This is where you will catch missing DKIM signatures, broken SPF syntax, or “spammy” words in your content. If your DKIM fails here, it is broken—period .

The Technical Deep Dive: Port25 (The “Auth” Verifier)

While Mail-Tester is great for content, Port25 is the gold standard for authentication verification. It is run by a major email infrastructure company and is trusted by postmasters worldwide.

Unlike Mail-Tester, you don’t visit a website to see the results. You communicate via email.

How to use Port25 :

  1. Compose a new email.
  2. Address it to: check-auth@verifier.port25.com
  3. Send the email from the exact server and domain you are troubleshooting.

The result:
Within a minute, you will receive an automated email back. Look for the “Summary of Results” section. You are looking for this exact output:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham

If you see DKIM check: pass, your cryptography is working. If you see fail, your DNS records are mismatched, or your mail server isn’t signing the mail properly .

The “First Impression”: Why Reverse DNS (rDNS) Matters

You can pass DKIM and SPF perfectly, but if your rDNS fails, major providers like Gmail and Outlook will still treat you with suspicion.

What is it?
Forward DNS turns a name (google.com) into an IP (172.217.1.46). Reverse DNS turns that IP back into a name. That name is stored in a PTR record .

Why is it critical for delivery?
Receiving servers do a “trust check” when you connect to them via SMTP (Port 25). They look at your IP address, ask “What is the name of this IP?”, and then ask “Does that name match the sending domain?” .

  1. FCrDNS (Forward-Confirmed Reverse DNS): This is the gold standard. Your IP resolves to mail.yourdomain.com, and mail.yourdomain.com resolves back to that same IP. Spammers cannot fake this because they don’t control your DNS .
  2. The Spam Folder: If your IP has no PTR record, or if the PTR points to dynamic-ip-123.isp.com (a generic residential IP pattern), Gmail will likely block you or throw you into spam immediately .

Pro Tip: You cannot set your own rDNS/PTR records in a web interface like Cloudflare. You must ask your hosting provider (DigitalOcean, AWS, OVH, etc.) to set the PTR record for your IP address to match your sending domain .

The Perfect Handshake

For an email to land in the primary inbox, three things must align:

  1. The Envelope (rDNS/PTR): The IP address says, “My name is mail.company.com.”
  2. The Signature (DKIM): The email contains a cryptographic signature linked to “company.com.”
  3. The Permission (SPF): The IP is listed as an authorized sender for “company.com.”

Your Action Plan:

  • Today: Send an email to check-auth@verifier.port25.com. If DKIM fails, fix your DNS.
  • This Week: Call your hosting provider and ask, “Is my PTR record set to my sending domain, and does it have FCrDNS?”

Stop guessing why your deliverability is low. Use the bots to tell you exactly what is broken.