Email / DMARC Checker
Can attackers send email as your domain? We read your SPF, DMARC, DKIM and MX records and tell you, in plain terms, whether your domain is spoofable — and exactly what to publish to fix it.
This tool reads publicly available configuration (DNS records). It performs no intrusive testing. Only scan domains you own or are authorized to assess.
What SPF, DKIM and DMARC actually do
Email was never built with authentication, so by default anyone can send a message that claims to come from your domain. SPF, DKIM and DMARC are the three DNS records that close that gap.
SPF lists which servers may send mail for your domain. DKIM cryptographically signs your outgoing mail so receivers can verify it wasn’t forged. DMARC ties the two together and tells receiving servers what to do with mail that fails — and where to send reports.
Without an enforced DMARC policy, a phisher can spoof your domain to your customers, staff or suppliers. This checker reads the public DNS records for a domain and tells you which of the four it checks (SPF, DKIM, DMARC and MX) are present, weak, or missing, with the exact record to publish.
How to stop your domain being spoofed
Publish these DNS records at your provider, in order, and re-test after each:
- SPF: a single TXT record listing your senders, ending in -all (hard fail) once you’re confident, e.g. v=spf1 include:_spf.google.com -all.
- DKIM: enable signing at your mail provider and publish the TXT record it gives you at the selector (e.g. google._domainkey).
- DMARC: a TXT record at _dmarc.yourdomain — start with v=DMARC1; p=none; rua=mailto:you@yourdomain to collect reports, then move to p=quarantine and finally p=reject.
- Keep SPF and DKIM aligned with the From domain so DMARC passes.
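To re-test after each step offline, the sketch below grades SPF and DMARC TXT strings as present, weak or missing. It is an added example, not this checker's own code: the function names, the grading labels and the sample records are assumptions made for illustration, and no DNS lookup is performed.

```python
# Constructed sample TXT record sets; nothing here performs a DNS lookup.
SAMPLES = {
    "spf-only": (["v=spf1 include:_spf.google.com -all"], []),
    "monitoring": (["v=spf1 include:_spf.google.com ~all"],
                   ["v=DMARC1; p=none; rua=mailto:you@yourdomain"]),
    "enforced": (["v=spf1 include:_spf.google.com -all"],
                 ["v=DMARC1; p=reject; rua=mailto:you@yourdomain"]),
}

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(txt_records):
    """Classify the TXT records at the domain as (status, detail)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing", "no v=spf1 record"
    if len(spf) > 1:
        return "weak", "more than one SPF record; receivers treat this as an error"
    # The 'all' mechanism decides what happens to senders the record does not list.
    alls = [t for t in spf[0].lower().split() if t.lstrip("+-~?") == "all"]
    if not alls:
        return "weak", "no 'all' mechanism (redirect= is not followed here)"
    if alls[0] == "-all":
        return "present", "hard fail (-all)"
    return "weak", "'%s' does not hard-fail unlisted senders" % alls[0]

def check_dmarc(txt_records):
    """Classify the TXT records at _dmarc.<domain> as (status, detail)."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return "missing", "expected one v=DMARC1 record, found %d" % len(recs)
    policy = parse_tags(recs[0]).get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return "present", "enforced (p=%s)" % policy
    if policy == "none":
        return "weak", "monitoring only (p=none)"
    return "weak", "missing or unrecognised p= tag"

def spoofable(dmarc_txt):
    """The page's rule: only an enforced DMARC policy protects the From domain."""
    return check_dmarc(dmarc_txt)[0] != "present"

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLES.items():
        print(name, check_spf(spf), check_dmarc(dmarc), "spoofable:", spoofable(dmarc))
```

The "spf-only" sample grades SPF as present yet still reports the domain as spoofable, because no DMARC record is published.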
Frequently asked questions
What does this checker look at?
It reads four public DNS record types for the domain: SPF (TXT), DMARC (TXT at _dmarc), DKIM (TXT at common selectors) and MX. It makes no connection to your mail server and sends no email.
My domain has SPF but still shows a warning — why?
SPF alone doesn’t stop spoofing of the visible From address. You also need an enforced DMARC policy (p=quarantine or p=reject). The result explains exactly which piece is missing.
Is p=none good enough?
No. p=none only monitors — it tells receivers to take no action on spoofed mail. It’s a useful first step to collect reports, but real protection starts at p=quarantine and p=reject.
Does a missing DKIM record mean I’m exposed?
Not on its own, but DKIM is what lets receivers cryptographically verify your mail and is required for strong DMARC alignment. We probe the common selectors; if your provider uses a custom one we may not see it.