Check if your domain is easy to spoof and see how SPF, DKIM, and DMARC are configured.
Step 1: Enter the domain you use for email.
Step 2: If you know your DKIM selector, add it.
Step 3: Click "Run Audit".
Think of your email domain like your digital signature. SPF, DKIM, and DMARC work together so other mail servers can decide if a message really comes from you or from someone pretending to be you.
SPF (Sender Policy Framework) is like a guest list for your domain. In your DNS you list the servers and services that are allowed to send email using your domain.
When a mail server receives a message from your domain, it checks your SPF record to see if the sending server is on the list. This helps block obvious spoofing attempts from servers that are not approved.
DKIM (DomainKeys Identified Mail) is like a cryptographic stamp on your email. Your email system signs outgoing messages with a private key, and the matching public key is stored in your DNS.
The receiving server can use that public key to verify that the message was not changed in transit and that it really came from a system that you control.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer on top of SPF and DKIM. It tells other mail servers what to do when a message fails these checks.
With DMARC you can start in monitor mode (p=none), then move to quarantine (p=quarantine), and finally to reject (p=reject) so that spoofed messages are sent to spam or blocked completely.
DMARC can also send you reports so you can see which servers are sending emails using your domain and how many pass or fail the checks.
There is no such thing as 100 percent spoof-proof email, but you can make it very hard to abuse your domain by combining a tight SPF, proper DKIM, and a strict DMARC policy.
Only include the real services that send as your domain and end with a hard fail.
v=spf1 include:_spf.google.com -all
Example above: Google Workspace only. Add other providers (Mailgun, SendGrid, etc.) with their recommended include: entries, then keep -all at the end.
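As an added example (not the audit tool's own code), the Python below parses an SPF record such as the one above and reports the weaknesses an audit would flag: a missing or weak "all" qualifier, too many lookup-costing terms, and catch-all networks. It works on the record text only and makes no DNS queries, so `include:` targets are not expanded and the lookup count is a lower bound; the second and third records in the `__main__` block are constructed samples.

```python
"""Parse an SPF TXT record and report the weaknesses an audit would flag.

Added example, not the audit tool's own code. It inspects the record text
only and does no DNS lookups, so include: targets are not expanded and the
lookup count is a lower bound for the real evaluation.
"""
import ipaddress
import re

# Terms that each cost one DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split a record into terms and collect what the audit needs."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 prefix")
    info = {"all_qualifier": None, "lookup_terms": 0, "networks": [],
            "includes": [], "findings": []}
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # mechanism names end at ':' or '/', modifiers at '='
        m = re.match(r"^([A-Za-z0-9]+)(?:[:=/](.*))?$", term)
        if not m:
            info["findings"].append(f"unparseable term: {term!r}")
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name == "all":
            info["all_qualifier"] = qualifier
        elif name in ("ip4", "ip6"):
            try:
                info["networks"].append(ipaddress.ip_network(arg, strict=False))
            except ValueError:
                info["findings"].append(f"bad {name} argument: {arg!r}")
        elif name == "include":
            info["includes"].append(arg)
        if name in LOOKUP_TERMS:
            info["lookup_terms"] += 1
    return info


def audit_spf(record: str) -> list:
    """Return audit findings; an empty list means nothing was spotted."""
    info = parse_spf(record)
    findings = list(info["findings"])
    q = info["all_qualifier"]
    if q is None:
        findings.append("no 'all' term: unlisted senders are implicitly neutral")
    elif q == "+":
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif q == "?":
        findings.append("'?all' is neutral: unlisted senders are unverified, not rejected")
    elif q == "~":
        findings.append("'~all' is a soft fail; prefer '-all' once DMARC reports show every sender is listed")
    if info["lookup_terms"] > 10:
        findings.append(f"{info['lookup_terms']} lookup terms exceed the 10-lookup limit (permerror)")
    for net in info["networks"]:
        if net.prefixlen == 0:
            findings.append(f"{net} covers the whole address space")
    return findings


def ip_listed(record: str, ip: str) -> bool:
    """True if ip matches an ip4:/ip6: term of the record (include: is not expanded)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_spf(record)["networks"])


if __name__ == "__main__":
    for rec in ("v=spf1 include:_spf.google.com -all",    # the page's example
                "v=spf1 ip4:203.0.113.0/24 a mx ~all",     # constructed sample
                "v=spf1 +all"):                            # constructed sample
        print(rec, "->", audit_spf(rec) or ["ok"])
```

A real resolver also follows each `include:` and `redirect=`, so the lookup total of a production check is usually higher than what this text-only pass reports.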
Turn on DKIM for your main email host and any tool that sends as your domain (CRM, newsletter, transactional mail).
Use the DKIM records given by each provider (for example google._domainkey or selector1._domainkey) and prefer 2048-bit keys where available.
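As an added example (not the audit tool's own code), the Python below checks the DKIM TXT record published at a selector: it flags a revoked (empty) key, the `t=y` testing flag, and RSA keys shorter than the 2048 bits recommended above. Key size is read by walking the DER SubjectPublicKeyInfo in the `p=` tag with a minimal parser. The records it runs on are constructed from fixed odd numbers of the right size, not real keys; real records come from your provider.

```python
"""Audit a DKIM public-key TXT record (selector._domainkey.<domain>).

Added example, not the audit tool's own code. The RSA keys below are
constructed from fixed odd numbers so the example runs offline; they are
not real keys, only DER structures of the right size.
"""
import base64


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths only)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_int(value: int) -> bytes:
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:            # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Build a SubjectPublicKeyInfo for an RSA key (the structure DKIM stores in p=)."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    return _der(0x30, alg + _der(0x03, b"\x00" + key))


def _tlv(buf: bytes, pos: int):
    """Read one DER element at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SPKI -> BIT STRING -> RSAPublicKey and return the modulus size in bits."""
    tag, body, _ = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _alg, pos = _tlv(body, 0)                # AlgorithmIdentifier, skipped
    tag, bitstr, _ = _tlv(body, pos)
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsapub, _ = _tlv(bitstr[1:], 0)          # skip the unused-bits byte
    tag, n, _ = _tlv(rsapub, 0)
    if tag != 0x02:
        raise ValueError("missing modulus INTEGER")
    return int.from_bytes(n, "big").bit_length()


def audit_dkim_record(txt: str) -> dict:
    """Return key type, RSA key size and findings for a DKIM TXT record."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            k, _, v = part.strip().partition("=")
            tags[k.strip().lower()] = v.strip()
    findings, bits = [], None
    if tags.get("v", "DKIM1") != "DKIM1":      # v= is optional but fixed when present
        findings.append("v= present but not DKIM1")
    ktype = tags.get("k", "rsa")
    if "p" not in tags:
        findings.append("no p= tag: not a usable key record")
    elif tags["p"] == "":
        findings.append("empty p=: key revoked, signatures with this selector fail")
    elif ktype == "rsa":
        try:
            bits = rsa_modulus_bits(base64.b64decode("".join(tags["p"].split())))
        except Exception:                      # truncated record or non-RSA DER
            findings.append("p= does not decode to an RSA SubjectPublicKeyInfo")
        else:
            if bits < 2048:
                findings.append(f"{bits}-bit RSA key: rotate to 2048 bits")
    # k=ed25519 (RFC 8463) keys are 32 raw bytes, not DER, so no size check here
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag: verifiers treat failing signatures as unsigned mail")
    return {"key_type": ktype, "bits": bits, "findings": findings}


def make_record(modulus: int) -> str:
    """Constructed DKIM TXT record for a given (fake) modulus."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(modulus)).decode()


if __name__ == "__main__":
    for name, mod in (("2048-bit", (1 << 2047) | 1), ("1024-bit", (1 << 1023) | 1)):
        print(name, audit_dkim_record(make_record(mod)))
    print("revoked", audit_dkim_record("v=DKIM1; k=rsa; p="))
```

To run it against a live selector, fetch the TXT record for `<selector>._domainkey.<domain>`, join the quoted strings, and pass the result to `audit_dkim_record`.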
Start in monitor mode, then safely move to quarantine and finally to reject once everything is aligned.
v=DMARC1; p=none; rua=mailto:[email protected]; fo=1;
v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]; fo=1;
v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; fo=1;
We move from monitor (p=none) to quarantine and finally to reject so spoofed emails are blocked while legitimate email keeps flowing.
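As an added example (not the audit tool's own code), the Python below parses a DMARC record, reports where it sits on the none, quarantine, reject path described above, and evaluates a single message the way a receiver does: DMARC passes only if SPF or DKIM passed and that identifier aligns with the From: domain. The organizational domain is approximated by the last two labels, which is wrong for suffixes such as co.uk (real implementations use the Public Suffix List); the `dmarc@example.com` reporting address is a placeholder.

```python
"""Parse a DMARC record and evaluate a message's SPF/DKIM alignment.

Added example, not the audit tool's own code. The organizational domain is
approximated by the last two labels, which is wrong for suffixes such as
co.uk; production code uses the Public Suffix List. Subdomain policy (sp=)
and pct sampling are reported but not applied.
"""
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; ...' into a dict and apply RFC 7489 defaults."""
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record: must start with v=DMARC1")
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy")
    tags.setdefault("adkim", "r")    # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Crude organizational domain (assumption: single-label public suffix)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """strict ('s'): exact match; relaxed ('r'): same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record: str, from_domain: str,
             spf_domain: Optional[str], spf_pass: bool,
             dkim_domain: Optional[str], dkim_pass: bool) -> dict:
    """DMARC passes if SPF or DKIM passed AND that identifier aligns with From:."""
    tags = parse_dmarc(record)
    spf_ok = bool(spf_pass and spf_domain and aligned(spf_domain, from_domain, tags["aspf"]))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(dkim_domain, from_domain, tags["adkim"]))
    passed = spf_ok or dkim_ok
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": passed,
            "policy": tags["p"], "pct": int(tags["pct"]),
            "disposition": "none" if passed else tags["p"]}


def audit_dmarc(record: str) -> list:
    """Findings on where the record sits on the none -> quarantine -> reject path."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    if tags["pct"] != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    if tags["p"] != "none" and tags.get("sp") == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


if __name__ == "__main__":
    # The three stages from the page, with a placeholder reporting address.
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com; fo=1;",
                "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com; fo=1;",
                "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; fo=1;"):
        print(rec, "->", audit_dmarc(rec) or ["ok"])
    # A message signed by a bulk-mail subdomain still aligns under relaxed mode.
    print(evaluate("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                   "example.com", "bounce.example.com", True, None, False))
```

The relaxed versus strict distinction is the usual reason a correctly configured provider shows up as a DMARC failure: a signature or envelope sender on `bounce.example.com` aligns with `example.com` under `aspf=r`, but not under `aspf=s`.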
Even with a strong setup, no domain is 100 percent spoof-proof, but this combination makes it much harder for attackers and much easier for mail providers to filter out fake messages.
Upload one or more DMARC aggregate XML reports. Everything is processed locally in your browser. No data is sent to a server.
Tip: If your provider sends .zip files, unzip them first and upload the .xml inside.
DMARC aggregate reports show which IPs and services are sending email using your domain and whether they pass SPF and DKIM checks. They are perfect for finding unknown senders and safely tightening your DMARC policy.
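As an added example (not the tool's own browser code), the Python below does the same job offline: it reads one or more aggregate XML reports, totals DMARC pass and fail counts per sending IP, and lists the sources that never passed. `SAMPLE_REPORT` is a constructed report following the RFC 7489 Appendix C schema with documentation IPs, not a real provider's report; the second record shows the common case of a raw SPF pass for an unrelated domain that still fails DMARC because it is not aligned.

```python
"""Summarise DMARC aggregate (rua) reports per sending IP.

Added example, not the audit tool's own code. SAMPLE_REPORT is a constructed
report following the RFC 7489 Appendix C schema; the IPs are documentation
addresses, not real senders.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>unrelated.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _empty():
    return {"messages": 0, "dmarc_pass": 0, "dmarc_fail": 0, "spf_domains": set()}


def summarise(xml_text: str) -> dict:
    """Per-IP pass/fail totals for one report."""
    root = ET.fromstring(xml_text)
    if root.tag != "feedback":
        raise ValueError("not a DMARC aggregate report")
    sources = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        # policy_evaluated already includes alignment; DMARC passes if either does
        passed = "pass" in (rec.findtext("row/policy_evaluated/dkim"),
                            rec.findtext("row/policy_evaluated/spf"))
        s = sources.setdefault(ip, _empty())
        s["messages"] += count
        s["dmarc_pass" if passed else "dmarc_fail"] += count
        for spf in rec.findall("auth_results/spf"):
            s["spf_domains"].add(spf.findtext("domain", ""))
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "sources": sources}


def merge(summaries: list) -> dict:
    """Combine several reports (typically one per receiving provider) into one table."""
    total = {}
    for summ in summaries:
        for ip, c in summ["sources"].items():
            t = total.setdefault(ip, _empty())
            for k in ("messages", "dmarc_pass", "dmarc_fail"):
                t[k] += c[k]
            t["spf_domains"] |= c["spf_domains"]
    return {"sources": total}


def unknown_senders(summary: dict) -> list:
    """IPs that never passed DMARC: a sender missing from SPF/DKIM, or someone spoofing you."""
    return sorted(ip for ip, s in summary["sources"].items() if s["dmarc_pass"] == 0)


if __name__ == "__main__":
    summary = summarise(SAMPLE_REPORT)
    for ip, s in summary["sources"].items():
        print(ip, s["messages"], "msgs", s["dmarc_pass"], "pass", s["dmarc_fail"], "fail",
              sorted(s["spf_domains"]))
    print("never passed:", unknown_senders(summary))
```

Reports arrive from third parties, so treat the XML as untrusted input: for batch processing outside a browser sandbox, parse with `defusedxml` rather than the standard library, and unzip or gunzip the attachment first, as the tip above says.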
Look for sources that:
Legitimate systems (Gmail, Microsoft 365, your CRM) should mostly pass DKIM and/or SPF.
You can use these reports to:
p=none to p=quarantine and finally p=reject with confidence.
SPF – Who is allowed to send as your domain. One SPF record per domain listing your real sending systems with a hard fail (-all).
DKIM – Cryptographic signature that proves the message was not tampered with and really came from a system you control.
DMARC – The policy that says what to do when SPF/DKIM do not line up with your domain (monitor, quarantine, reject) and where to send these reports.