Email Spoofing Checker
Check whether a domain can be spoofed — audits SPF, DKIM and DMARC records and returns an overall risk rating instantly.
The three pillars of email authentication
All three are needed — each one alone is insufficient.
SPF (Sender Policy Framework) is a TXT record that lists which IP addresses and mail servers are authorised to send email for your domain. Receiving servers check whether the sending IP is in the SPF record.
-all: Hardfail. Unauthorized senders are rejected. Recommended.
~all: Softfail. Marked suspicious but still delivered. Upgrade to -all.
+all: Pass all. Any server can send. Completely disables SPF protection.
v=spf1 include:_spf.google.com include:sendgrid.net -all
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email headers. The receiving server fetches the public key from a DNS TXT record at {selector}._domainkey.{domain} and verifies the signature. This proves the email was not tampered with in transit.
default._domainkey.example.com → v=DKIM1; k=rsa; p=MIIBIjAN...
DMARC ties SPF and DKIM together. It defines what to do when a message fails authentication (none / quarantine / reject) and where to send aggregate reports. Without DMARC, a domain with SPF and DKIM can still be spoofed via display-name attacks.
p=reject: Strongest. Failures are rejected outright.
p=quarantine: Failures go to spam. Better than none.
p=none: Monitor only, no enforcement. Still spoofable.
_dmarc.example.com → v=DMARC1; p=reject; rua=mailto:dmarc@example.com
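The record semantics above can be checked offline against the raw TXT values. This is an added example, not the checker's own code: the function names and the high/medium/low rating scheme are assumptions made for illustration, and the sample records are constructed.

```python
# Added example; the rating scheme is an illustrative assumption, not the tool's scoring.

def spf_all(txt):
    """Return the SPF 'all' term with its qualifier ('-all', '~all', ...) or None."""
    terms = (txt or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return None
    for term in terms[1:]:
        if term == "all":
            return "+all"  # a bare 'all' defaults to the '+' (pass) qualifier
        if term in ("-all", "~all", "+all", "?all"):
            return term
    return None  # no 'all' term (a redirect= modifier is not followed here)

def tags(txt):
    """Parse a 'tag=value; tag=value' record (DKIM or DMARC) into a dict."""
    out = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # base64 '=' padding stays in value
            out[key.strip().lower()] = value.strip()
    return out

def audit(spf, dkim, dmarc):
    """Return (rating, findings) for the three record strings (None = absent)."""
    findings = []
    q = spf_all(spf)
    if q is None:
        findings.append("SPF: record missing or has no 'all' term")
    elif q != "-all":
        findings.append(f"SPF: {q} does not reject unauthorised senders")
    d = tags(dkim)
    if d.get("v", "DKIM1") != "DKIM1" or not d.get("p"):  # empty p= means revoked
        findings.append("DKIM: no usable public key at this selector")
    m = tags(dmarc)
    policy = m.get("p", "").lower() if m.get("v") == "DMARC1" else ""
    if policy == "quarantine":
        findings.append("DMARC: p=quarantine, failures go to spam")
    elif policy != "reject":
        findings.append("DMARC: missing or p=none, no enforcement")
    spoofable = policy not in ("quarantine", "reject") or q == "+all"
    return ("high" if spoofable else "medium" if findings else "low"), findings

# Constructed sample records (example.com, placeholder key material).
GOOD = ("v=spf1 include:_spf.google.com include:sendgrid.net -all",
        "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY==",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
WEAK = ("v=spf1 include:_spf.google.com ~all", None, "v=DMARC1; p=none")
if __name__ == "__main__":
    print(audit(*GOOD), audit(*WEAK))
```

Run against live data, the three strings would come from TXT lookups on the root domain, {selector}._domainkey.{domain} and _dmarc.{domain}.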
How to deploy email authentication
1. Create a TXT record on your root domain listing all your sending sources (Google Workspace, SendGrid, Mailchimp, your own mail server). End with -all. Example: v=spf1 include:_spf.google.com -all
2. Log in to your email provider (Google Workspace, Microsoft 365, SendGrid) and enable DKIM. They generate a key pair and tell you which TXT record to add at {selector}._domainkey.yourdomain.com.
3. Add a TXT record at _dmarc.yourdomain.com: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. The rua address receives weekly aggregate reports showing authentication pass/fail rates.
4. After 2–4 weeks of reports, confirm all legitimate email is passing. Move to p=quarantine. After another few weeks, upgrade to p=reject for maximum protection.