All guides

How to check if your domain is vulnerable to spoofing

Email spoofing means someone sends an email that appears to come from your domain without your permission. Without proper authentication, any domain is vulnerable. Here is how to check yours.

What makes a domain vulnerable

Your domain is vulnerable to spoofing if any of the following is true:

  • No DMARC record exists at _dmarc.yourdomain.com
  • DMARC policy is p=none (monitoring only, no enforcement)
  • No SPF record exists, or the SPF record does not end with -all
  • DKIM is not configured for your primary sending domain

How to check in 30 seconds

Use the free domain check tool on this site. Enter your domain and you will instantly see:

  • Whether a DMARC record exists and what policy it sets
  • Whether your SPF record is valid and within the lookup limit
  • Whether DKIM keys are published
  • An overall security score from 0 to 100
Check my domain — free

Understanding the results

Score 80–100: Your domain has strong email authentication. You are well protected against spoofing.

Score 50–79: Partial protection. Some authentication methods are in place but the policy is not at full enforcement. Spoofing is still possible.

Score below 50: Significant gaps exist. Your domain can likely be spoofed by anyone right now.

What to do if your domain is vulnerable

  1. If no DMARC: Add a p=none record first to start collecting reports, then gradually move to p=quarantine and p=reject.
  2. If no SPF: Add an SPF record listing all your email senders.
  3. If DKIM is missing: Enable DKIM in your email provider's admin panel and publish the DNS key they give you.

Use the DMARC generator on the check page to create a correctly formatted record ready to paste into your DNS.

Get a full report on your domain's email security posture in seconds.

Check my domain — free