Can someone spoof email from your domain?
Enter your domain and find out in seconds whether criminals can send phishing that looks like it came from you — with your SPF, DKIM and DMARC checked and the exact DNS records to fix any gap.
Free · no signup · we read your public DNS records (SPF, DKIM, DMARC). Nothing is sent and nothing is stored.
What each record does
- SPF — a DNS list of the servers allowed to send mail for your domain. End it with
~allor-allso unlisted servers are flagged or rejected. - DKIM — a cryptographic signature added to every message, so receivers can prove it genuinely came from you and wasn’t tampered with in transit.
- DMARC — the policy that ties SPF and DKIM together and tells receiving servers what to do with mail that fails. It’s the only one that protects the visible From address, and it must be set to
quarantineorrejectto actually block spoofing.
A domain with all three, ending in an enforced DMARC policy, is very hard to impersonate. A domain missing DMARC (or stuck onp=none) can be spoofed by anyone — which is exactly how business email compromise and fake-invoice scams start.
How to fix a spoofable domain
The fix is always a set of DNS TXT records at your domain registrar or DNS host — no code, no downtime. The safe order is:
- Publish SPF listing every service that sends mail for you (your mailbox provider, marketing tool, helpdesk), ending in
~all. - Turn on DKIM in your email provider and publish the key they give you.
- Add DMARC at
p=nonewith arua=reporting address, watch the reports for a week or two to confirm your real mail passes, then move top=quarantineand finallyp=reject.
The checker above gives you a ready-to-paste starting record for anything you’re missing. If you’d rather someone handle the whole security picture, our $49 manual audit covers your website end to end.
Common questions
What is an email spoofing checker?
How can someone send email that looks like it’s from my domain?
What’s the difference between SPF, DKIM and DMARC?
Is a DMARC policy of “none” enough?
Is this email security test free?
Does good email authentication mean my website is secure?
Keep reading
Locked down your email? Now check your website.
A human security engineer audits your whole site by hand — access control, auth, injection, logic bugs — and sends a full report from $49.