How to check if your domain is vulnerable to spoofing
Email spoofing means someone sends an email that appears to come from your domain without your permission. Without proper authentication, any domain is vulnerable. Here is how to check yours.
What makes a domain vulnerable
Your domain is vulnerable to spoofing if any of the following is true:
- No DMARC record exists at
_dmarc.yourdomain.com - DMARC policy is
p=none(monitoring only, no enforcement) - No SPF record exists, or the SPF record does not end with
-all - DKIM is not configured for your primary sending domain
How to check in 30 seconds
Use the free domain check tool on this site. Enter your domain and you will instantly see:
- Whether a DMARC record exists and what policy it sets
- Whether your SPF record is valid and within the lookup limit
- Whether DKIM keys are published
- An overall security score from 0 to 100
Understanding the results
Score 80–100: Your domain has strong email authentication. You are well protected against spoofing.
Score 50–79: Partial protection. Some authentication methods are in place but the policy is not at full enforcement. Spoofing is still possible.
Score below 50: Significant gaps exist. Your domain can likely be spoofed by anyone right now.
What to do if your domain is vulnerable
- If no DMARC: Add a
p=nonerecord first to start collecting reports, then gradually move top=quarantineandp=reject. - If no SPF: Add an SPF record listing all your email senders.
- If DKIM is missing: Enable DKIM in your email provider's admin panel and publish the DNS key they give you.
Use the DMARC generator on the check page to create a correctly formatted record ready to paste into your DNS.
Get a full report on your domain's email security posture in seconds.
Check my domain — free