Last updated: April 2026
Each tool processes only what it needs to return your results. We don't store, log, or share the domain names or data you submit. Once a check is done, everything is discarded.
Your domain is used to run DNS lookups and email authentication checks. Nothing is stored.
Your domain is queried for DNS TXT records containing SPF data. Nothing is stored.
Your domain is queried at known DKIM selector subdomains (e.g. google._domainkey.{domain}). Queries run client-side via Google DNS-over-HTTPS. Nothing is stored.
Your domain is queried at default._bimi.{domain}. Nothing is stored.
We run DNSSEC validation queries via Google and Cloudflare resolvers. Nothing is stored on our servers.
Your domain is queried at _mta-sts.{domain} and the policy file is fetched at https://mta-sts.{domain}/.well-known/mta-sts.txt. Nothing is stored.
Your domain is queried at _smtp._tls.{domain} and _mta-sts.{domain}. Nothing is stored.
Your domain is sent to RDAP services to retrieve publicly available registration data. Nothing is stored.
The domain or IP address you enter is queried against known email blacklist services (RBLs). Nothing is stored.
Your domain is queried against multiple DNS resolvers worldwide to check propagation status. Nothing is stored.
Headers you paste are sent to our server for parsing and immediately discarded. They're never stored or logged. Headers may contain email addresses, but we use them only to return the analysis.
Bounce messages you paste are sent to our server for parsing and immediately discarded. They're never stored or logged. Messages may contain email addresses, but we use them only to return the analysis.
The SPF builder runs entirely in your browser. Nothing is sent to our servers unless you submit a support request.
The DMARC builder runs entirely in your browser. Nothing is sent to our servers unless you submit a support request.
We use your input only to return your results. We don't save it, profile you, or share it with anyone. Each check starts clean.
We check your domain using DNS queries via Google's DNS-over-HTTPS service. We send only the domain name, never any personal information.
We use Cloudflare Turnstile to block bots. It checks browser signals to confirm you're human but doesn't collect personal data. Cloudflare's privacy policy applies: cloudflare.com/privacypolicy.
We use Google Analytics to understand which tools get the most use. Your IP is anonymised before anything is sent, and we never share the domain names you check with Google. Opt out anytime: tools.google.com/dlpage/gaoptout.
Questions about privacy? Email us at [email protected] or visit osh.co.za/contact.