Is your domain spoofable?

Email spoofing is when someone sends an email that appears to come from your domain, but was not actually sent by you. Attackers use this to impersonate your company, trick your clients into sharing sensitive information, or commit fraud. Without proper email authentication (SPF, DMARC, DKIM), most domains are vulnerable to this.

These are three DNS records that work together to protect your domain from email spoofing. SPF lists which servers are allowed to send email for your domain. DKIM adds a digital signature to prove emails have not been tampered with. DMARC tells receiving servers what to do when an email fails SPF or DKIM checks: deliver it, quarantine it, or reject it.

A DMARC policy of "none" means your domain is in monitoring mode only. You may be collecting reports about who sends email as you, but fake emails are still delivered to recipients normally. To actually block spoofed emails, you need to move to "quarantine" (sends fakes to spam) or "reject" (blocks them entirely).

The exact steps depend on your current setup. In general: ask your email provider or IT team to publish an SPF record with "-all", configure DKIM signing, and set a DMARC policy of "reject" or "quarantine". If you need help, we can walk you through it. Enter your email above to get a detailed report with specific instructions for your domain.

Yes, completely free with no account required. The check runs entirely in your browser using public DNS records. We do not store your results. If you want a more detailed analysis or help fixing your configuration, you can request a full report or contact us directly.