Free Email Spoofing Checker (SPF, DMARC, DKIM)

Check whether your domain is protected against email spoofing and impersonation. Free SPF, DMARC and DKIM grader with plain-English fixes, built by Neurobyte.

About this tool

If your domain doesn't have SPF, DKIM and DMARC set up correctly, attackers can send email that appears to come from you — invoicing fraud, CEO impersonation and phishing of your own customers. This free email spoofing checker looks up your domain's SPF, DKIM and DMARC records, grades how well-protected you are against impersonation, and explains in plain English what to fix.

These three records are the backbone of email authentication. SPF says which servers may send for your domain, DKIM cryptographically signs your messages, and DMARC tells receiving servers what to do with mail that fails — and gives you reporting. Get all three right and you dramatically reduce the risk of your brand being used to scam others.

Frequently asked questions

What are SPF, DKIM and DMARC?

They're DNS-based email authentication standards. SPF authorises sending servers, DKIM adds a cryptographic signature, and DMARC sets a policy (none, quarantine or reject) for mail that fails and enables reporting. Together they stop most domain spoofing.

Why is my domain failing the spoofing check?

Commonly there's no DMARC record, DMARC is left at p=none, SPF is missing or too permissive, or DKIM isn't configured. The tool tells you which record is weak so you can fix it in your DNS.

What DMARC policy should I use?

Start at p=none with reporting to observe traffic, then move to p=quarantine and finally p=reject once you've confirmed legitimate senders pass. Reject gives the strongest protection against spoofing.