Is Your Domain Spoofable? Free Email Spoofing Test
Enter any domain to see whether attackers can send email that looks like it comes from it. We check your SPF, DKIM and DMARC setup using public DNS — in seconds.
Can your domain be spoofed?
Email spoofing is when an attacker sends a message that looks like it came from your domain — to trick your staff, customers, or suppliers into trusting it. If your domain isn't set up to block this, anyone can impersonate it, and you won't be told. This test shows whether yours can be spoofed, in plain terms.
What this checker tests: SPF, DKIM & DMARC
Three DNS records decide whether your domain can be impersonated. We read all three from public DNS — nothing is changed, and no login is needed.
- SPF — declares which mail servers are allowed to send for your domain.
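- DKIM — adds a cryptographic signature to your mail so receivers can confirm it really is from you and was not altered in transit.
- DMARC — the one that actually blocks spoofing: it tells receivers what to do with mail that fails the checks above, and under an enforced policy (p=reject) that means rejecting it.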
Why email spoofing is a business risk
A spoofable domain is the foundation of business email compromise — fake invoices, payment-redirect fraud, and messages from a "CEO" your team has no reason to doubt. Most organisations have never checked whether their domain is protected. The good news: closing these gaps is a configuration change, and this test shows you exactly where you stand.
How to protect your domain from spoofing
- Publish a strict SPF record listing only the servers allowed to send for you.
- Turn on DKIM signing so your mail carries a verifiable signature.
- Move DMARC to an enforced policy (p=reject) once legitimate senders are confirmed.
- Re-run this check after each change to confirm it took effect.
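The grading logic behind such a check can be sketched as follows. This is an added example, not this checker's own code: it takes TXT strings already read from DNS (at the domain and at _dmarc.<domain>) and reports where the SPF and DMARC records fall short of the steps above. The function names and sample records are hypothetical, "strict" SPF is assumed to mean a record ending in -all, and DKIM is left out because its key is published under a selector name that cannot be derived from the domain alone.

```python
# Added example: grade a domain from TXT records already fetched from DNS.
def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_policy(dmarc_txt):
    """p= value of the one DMARC record at _dmarc.<domain>, else None."""
    found = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if len(found) != 1:  # missing or duplicated: no usable policy
        return None
    return parse_tags(found[0]).get("p", "").lower() or None

def spf_all(root_txt):
    """The 'all' term with its qualifier ('-all', '~all', ...), else None."""
    found = [r for r in root_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:  # missing or duplicated SPF record
        return None
    for term in found[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term if term[0] in "+-~?" else "+all"  # bare 'all' means pass
    return None  # redirect= is not followed here

def verdict(root_txt, dmarc_txt):
    """Return (status, findings) for one domain."""
    policy, allq = dmarc_policy(dmarc_txt), spf_all(root_txt)
    findings = []
    if allq is None:
        findings.append("SPF: no single record with an 'all' term")
    elif allq != "-all":  # assumption: 'strict' means a hard-fail -all
        findings.append(f"SPF: {allq} does not hard-fail unlisted servers")
    if policy is None:
        findings.append("DMARC: no single valid record")
    elif policy != "reject":
        findings.append(f"DMARC: p={policy} is not p=reject")
    if policy == "reject":
        status = "enforced"
    elif policy == "quarantine":  # defined in RFC 7489, not named on this page
        status = "partial"
    else:
        status = "spoofable"  # nothing tells receivers to block forged mail
    return status, findings

# Constructed sample records for example.com (not real lookups).
WEAK = (["v=spf1 include:_spf.example.net ~all"],
        ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"])
STRONG = (["v=spf1 ip4:192.0.2.10 -all"], ["v=DMARC1; p=reject"])
```
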
Is a DNS check enough?
This test tells you whether your domain's records can block spoofed mail at the receiving server. It doesn't tell you whether your team would recognise and report a convincing phishing email that slips through — and attackers have plenty of ways in besides domain spoofing. Strong records and an alert team are both needed.
Frequently asked questions
What is email spoofing?
It's when an attacker sends email that appears to come from your domain, to make a scam look trustworthy. Without the right records, receivers have no way to tell the fake from the real thing.
Can someone spoof my domain without me knowing?
Yes. If your domain has no enforced DMARC policy, anyone can send mail that looks like it's from you — and you won't be notified it's happening.
What does “spoofable” mean in this report?
It means your domain's records don't stop forged email at the receiving server, so recipients can get messages that look like they're from you.
What does a DMARC policy of p=none mean?
Monitor-only. It reports on activity but doesn't block anything — spoofed mail still gets through. An enforced policy (p=reject) is what actually protects you.
Does passing this test mean my domain is fully protected?
It means your email-authentication records are in good shape — a strong foundation. It doesn't cover every attack route, and it doesn't test whether your people can spot phishing.
What should I do if my domain fails?
Publish a strict SPF record, enable DKIM signing, and move DMARC to an enforced policy once you've confirmed your legitimate senders. The full report we email walks through each fix.
How is this different from a phishing simulation?
This checks your domain's records at the server level. A phishing simulation tests whether your team would actually recognise and report a realistic attack — which is what our awareness training builds. You can try that free for 30 days.