Free tool · no signup

Can someone spoof email from your domain?

Enter your domain and find out in seconds whether criminals can send phishing that looks like it came from you — with your SPF, DKIM and DMARC checked and the exact DNS records to fix any gap.

Free · no signup · we read your public DNS records (SPF, DKIM, DMARC). Nothing is sent and nothing is stored.

Why this matters: email lets a sender type anything in the “From” line. Three DNS records — SPF, DKIM and DMARC — are what stop attackers using your exact domain to send invoice fraud and phishing to your customers and staff. The one that actually protects the visible sender is DMARC, and only when its policy is quarantine or reject. This free tool reads all three and tells you, plainly, whether your domain is exposed.

What each record does

  • SPF — a DNS list of the servers allowed to send mail for your domain. End it with ~all or -all so unlisted servers are flagged or rejected.
  • DKIM — a cryptographic signature added to every message, so receivers can prove it genuinely came from you and wasn’t tampered with in transit.
  • DMARC — the policy that ties SPF and DKIM together and tells receiving servers what to do with mail that fails. It’s the only one that protects the visible From address, and it must be set to quarantine or reject to actually block spoofing.

A domain with all three, ending in an enforced DMARC policy, is very hard to impersonate. A domain missing DMARC (or stuck onp=none) can be spoofed by anyone — which is exactly how business email compromise and fake-invoice scams start.

How to fix a spoofable domain

The fix is always a set of DNS TXT records at your domain registrar or DNS host — no code, no downtime. The safe order is:

  • Publish SPF listing every service that sends mail for you (your mailbox provider, marketing tool, helpdesk), ending in ~all.
  • Turn on DKIM in your email provider and publish the key they give you.
  • Add DMARC at p=none with a rua= reporting address, watch the reports for a week or two to confirm your real mail passes, then move to p=quarantine and finally p=reject.

The checker above gives you a ready-to-paste starting record for anything you’re missing. If you’d rather someone handle the whole security picture, our $49 manual audit covers your website end to end.

Common questions

What is an email spoofing checker?
An email spoofing checker inspects your domain’s DNS records — SPF, DKIM and DMARC — and tells you whether an attacker can send email that appears to come from your address. These three records are how the receiving mail server decides if a message claiming to be from you is genuine. If they are missing or misconfigured, criminals can send phishing and invoice-fraud emails using your exact domain in the “From” line, and the recipient’s inbox will show them as legitimate. Our free tool reads those records and gives you a clear verdict plus the exact fix.
How can someone send email that looks like it’s from my domain?
The classic email protocol lets a sender write anything they want in the visible “From” address — there is no built-in check. SPF, DKIM and DMARC were added on top to close that gap. SPF lists which servers may send mail for your domain; DKIM cryptographically signs your messages; and DMARC ties them together and tells receivers what to do with mail that fails — including forged mail using your exact domain. Without an enforced DMARC policy (quarantine or reject), that forged mail sails straight into inboxes.
What’s the difference between SPF, DKIM and DMARC?
SPF (Sender Policy Framework) is a DNS list of the servers allowed to send email for your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature so a receiver can verify a message really came from you and wasn’t altered. DMARC sits on top of both: it tells receiving servers what to do when a message fails SPF and DKIM checks (do nothing, send to spam, or reject), and it is the only one of the three that actually protects the visible “From” address people see. You want all three, ending with DMARC set to quarantine or reject.
Is a DMARC policy of “none” enough?
No. DMARC “p=none” only monitors — it collects reports but tells receiving servers to take no action, so spoofed mail using your domain is still delivered. It’s a fine first step while you confirm your legitimate mail passes, but it does not stop spoofing. The protection only kicks in at p=quarantine (forged mail goes to spam) and, best of all, p=reject (forged mail is blocked). Our checker tells you which policy you’re on and how to move up safely.
Is this email security test free?
Yes — free, no signup, full result. Enter your domain and you get the spoofability verdict, the state of your SPF, DKIM and DMARC, and the exact records to add. We build these free tools because they’re useful and because they show small businesses what we do: a full, human security audit of your website for a one-time $49.
Does good email authentication mean my website is secure?
No — they’re different doors. SPF, DKIM and DMARC protect your email from being impersonated. They do nothing about your website’s own vulnerabilities — broken access control, weak authentication, injection, logic bugs — which are what actually get sites breached. Fixing your email records is important and quick; securing the website itself is a separate job that needs a human to test it. That’s our $49 manual audit.

Keep reading

Locked down your email? Now check your website.

A human security engineer audits your whole site by hand — access control, auth, injection, logic bugs — and sends a full report from $49.

Passive recon only. No login, and no impact on your site. Deeper testing needs domain verification.

Ready for the full manual audit? See transparent pricing →