Email Spoofing Test
Check your domain's email authentication records and identify gaps that could make spoofing easier. Scan SPF, DKIM, DMARC, MX, BIMI, MTA-STS, and TLS-RPT records in one place.
Test Your Domain
Enter your domain name (yourdomain.com). This tool does not send email, connect to mail servers, or attempt spoofing.
- SPF
- DMARC
- Mail records
- Risk score
Public email authentication signals
This free email spoofing test reviews key DNS and email authentication records that help receiving mail systems verify your domain.
Use the results to spot missing records, weak DMARC policies, overly permissive SPF rules, missing mail routing records, and optional reporting controls that may improve visibility.
- SPF sender authorization
- DMARC policy and reporting
- MX delivery records
- DKIM selector guidance
- BIMI, MTA-STS, and TLS-RPT visibility
SPF, DKIM, and DMARC reduce direct domain spoofing
SPF authorizes sending servers, DKIM verifies signed messages, and DMARC tells receivers how to handle mail that fails authentication or alignment checks.
These controls are strongest when they are configured together. If you need a plain-language overview, review our guide to email authentication with SPF, DKIM, and DMARC.
A DNS scan is not a full phishing assessment
This tool only checks public DNS records. It does not send test emails, attempt spoofing, connect to SMTP servers, or validate every possible DKIM selector.
Attackers can still use lookalike domains, compromised accounts, display-name spoofing, and social engineering. Pair authentication with user reporting, filtering, and phishing training.
Questions Asked About our Email Spoofing Tests
Quick answers about email spoofing tests, SPF, DKIM, DMARC, DNS records, and what scan results mean.
What is email spoofing?
Email spoofing is the forging or disguising of sender information so a message appears to come from a trusted domain, person, or brand.
Can someone spoof my domain?
Yes, if your domain authentication is missing, weak, or not enforced, attackers may have more room to send mail that appears related to your domain.
What is SPF?
SPF, or Sender Policy Framework, lets a domain publish which mail servers are authorized to send email for that domain.
What is DKIM?
DKIM uses cryptographic signatures to help receiving systems verify that a signed message has not been changed and was signed by an authorized domain.
What is DMARC?
DMARC builds on SPF and DKIM by checking alignment and telling receivers how to handle messages that fail authentication.
What does DMARC p=none mean?
DMARC p=none is monitoring mode. It can collect reports, but it does not ask receivers to quarantine or reject messages that fail DMARC.
What is the safest DMARC policy?
For domains with aligned legitimate mail, p=reject is the strongest common DMARC policy. Teams usually move there after monitoring and fixing approved senders.
Want to see if your employees can spot spoofed emails?
Email authentication helps reduce spoofing, but people still need to recognize suspicious messages that bypass technical controls. Start a phishing simulation to test and train users safely.