Email Spoofing Checker

Check whether a domain can be spoofed — audits SPF, DKIM and DMARC records and returns an overall risk rating instantly.

SPF policy analysis · DKIM key lookup · DMARC policy · Risk rating · Email or domain input

The three pillars of email authentication

All three are needed — each one alone is insufficient.

SPF: Sender Policy Framework

A TXT record that lists which IP addresses and mail servers are authorised to send email for your domain. Receiving servers check whether the sending IP is in the SPF record.

-all: Hardfail — unauthorized senders rejected. Recommended.
~all: Softfail — marked suspicious but still delivered. Upgrade to -all.
+all: Pass all — any server can send. Completely disables SPF protection.

Example: v=spf1 include:_spf.google.com include:sendgrid.net -all

DKIM: DomainKeys Identified Mail

Adds a cryptographic signature to outgoing email headers. The receiving server fetches the public key from a DNS TXT record at {selector}._domainkey.{domain} and verifies the signature. Proves the email was not tampered with in transit.

Example: default._domainkey.example.com → v=DKIM1; k=rsa; p=MIIBIjAN...

DMARC: Domain-based Message Authentication, Reporting and Conformance

Ties SPF and DKIM together. Defines what to do when a message fails authentication (none / quarantine / reject) and where to send aggregate reports. Without DMARC, a domain with SPF and DKIM can still be spoofed via display-name attacks.

p=reject: Strongest — fails are rejected outright.
p=quarantine: Failures go to spam. Better than none.
p=none: Monitor only — no enforcement. Still spoofable.

Example: _dmarc.example.com → v=DMARC1; p=reject; rua=mailto:dmarc@example.com
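
The three checks described above can be run over TXT record strings that have already been looked up. This is an added example, not this tool's own code: the function names, point values and rating thresholds are assumptions made for illustration, and the sample records are constructed.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in (record or "").split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record):
    """Return '-all', '~all', '?all' or '+all' for an SPF record, else None."""
    terms = (record or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return None
    for term in terms[1:]:
        if term.lstrip("+-~?") == "all":
            return term if term[0] in "+-~?" else "+all"  # bare 'all' means '+all'
    return None

def audit(spf, dkim, dmarc):
    """Return (rating, findings) for three TXT record strings (None = no record)."""
    issues = []  # (points, message); the point values are assumptions
    qualifier = spf_all_qualifier(spf)
    if qualifier is None:
        issues.append((2, "SPF: no v=spf1 record with an 'all' mechanism"))
    elif qualifier == "+all":
        issues.append((2, "SPF: +all authorises every server"))
    elif qualifier != "-all":
        issues.append((1, f"SPF: {qualifier} does not reject; move to -all"))
    if not parse_tags(dkim).get("p"):  # an empty p= means the key was revoked
        issues.append((1, "DKIM: no usable public key at this selector"))
    tags = parse_tags(dmarc)
    policy = tags.get("p", "").lower() if tags.get("v") == "DMARC1" else ""
    if policy == "quarantine":
        issues.append((1, "DMARC: p=quarantine sends failures to spam"))
    elif policy != "reject":
        issues.append((3, "DMARC: missing or p=none, nothing is enforced"))
    score = sum(points for points, _ in issues)
    rating = "HIGH" if score >= 3 else "MEDIUM" if score >= 1 else "LOW"
    return rating, [message for _, message in issues]

# Constructed sample: a domain still on softfail SPF and monitor-only DMARC.
print(audit("v=spf1 include:_spf.google.com ~all",
            "v=DKIM1; k=rsa; p=MIIBIjAN...",
            "v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```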

How to deploy email authentication

1. Add an SPF record with -all

Create a TXT record on your root domain listing all your sending sources (Google Workspace, SendGrid, Mailchimp, your own mail server). End with -all. Example: v=spf1 include:_spf.google.com -all

2. Enable DKIM signing

Log in to your email provider (Google Workspace, Microsoft 365, SendGrid) and enable DKIM. They generate a key pair and tell you which TXT record to add at {selector}._domainkey.yourdomain.com.

3. Add DMARC with p=none first

Add a TXT record at _dmarc.yourdomain.com: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. The rua address receives weekly aggregate reports showing authentication pass/fail rates.

4. Review reports and escalate

After 2–4 weeks of reports, confirm all legitimate email is passing. Move to p=quarantine. After another few weeks, upgrade to p=reject for maximum protection.

Frequently asked questions

What is email spoofing?

Email spoofing is when an attacker sends email that appears to come from a domain they don't control. SPF, DKIM and DMARC are DNS-based mechanisms that allow receiving mail servers to verify whether an email actually came from an authorised source.

What is the difference between SPF, DKIM and DMARC?

SPF lists which IPs can send for your domain. DKIM adds a cryptographic signature to outgoing email. DMARC ties both together with a policy (none/quarantine/reject) and reporting. All three are needed for strong protection.

My SPF uses ~all — is that a problem?

Yes. Softfail (~all) means receiving servers should accept the email but mark it suspicious — it does not reject spoofed email. Change to -all (hardfail) once all legitimate sending sources are in your SPF record.

What DMARC policy should I use?

Start with p=none to collect reports. Once reports confirm legitimate email passes, move to p=quarantine, then p=reject. Most domains never reach reject, leaving spoofed email in spam instead of blocking it.
