What is email spoofing?

Email spoofing is when an attacker sends an email that appears to come from your domain — your employees, partners, or customers receive an email with your domain in the "From" address, but you did not send it. Spoofed emails are used for phishing (tricking recipients into clicking links or entering credentials), business email compromise (impersonating an executive to authorise a wire transfer), and brand abuse (sending spam that damages your domain's reputation). The attack is possible when a domain lacks proper SPF, DKIM, and DMARC records.

Sender Policy Framework (SPF) is a DNS TXT record that lists the IP addresses and mail servers authorised to send email for your domain. Example: "v=spf1 include:_spf.google.com ~all". When a receiving mail server gets an email claiming to be from your domain, it checks your SPF record to see if the sending IP is listed. If it is not, SPF fails. SPF alone is not enough — DMARC is needed to enforce what happens on failure.

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a DNS TXT record that tells receiving mail servers what to do when an email fails SPF or DKIM checks: none (take no action, just report), quarantine (send to spam), or reject (refuse the email). A policy of p=none provides visibility (you get reports) but no protection — spoofed emails still reach recipients. For protection, your DMARC policy must be p=quarantine or p=reject.

What does SPOOFABLE mean in this test?

SPOOFABLE means your domain lacks either SPF or DMARC (or both), meaning an attacker can send email that appears to come from your domain and receiving servers have no mechanism to reject or quarantine it. NOT SPOOFABLE means both SPF and DMARC records are present. Note that a DMARC policy of p=none is the weakest possible setting — the test reports NOT SPOOFABLE if a DMARC record exists, but p=none provides no active protection. Check the DMARC policy value in the result and upgrade to p=quarantine or p=reject.

How do I fix a missing DMARC record?

Publish a TXT record at _dmarc.yourdomain.com. Start with a monitoring-only policy: "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com". The rua address receives aggregate reports showing which servers are sending mail on behalf of your domain. After reviewing the reports and confirming all legitimate senders are covered by your SPF record, upgrade to p=quarantine and eventually p=reject. See the guide "No DMARC Record Found" — What It Means and How to Fix It for the full step-by-step.

Email Spoofing Test — Check SPF, DKIM & DMARC

What this checker tests

This tool queries public DNS records for your domain. No connection is made to your mail server — only DNS lookups are performed. The checks are:

Check	DNS name	What it looks for
SPF	`yourdomain.com` (TXT)	A record starting with `v=spf1`
DMARC	`_dmarc.yourdomain.com` (TXT)	A record starting with `v=DMARC1`; reports the `p=` policy
DKIM	Common selectors: default, google, selector1, selector2, k1, mail, dkim	A DKIM public key record at `selector._domainkey.yourdomain.com`
MTA-STS	`_mta-sts.yourdomain.com` (TXT)	A record starting with `v=STSv1`

Verdict logic

SPOOFABLE means the domain lacks SPF, DMARC, or both. An attacker can send email appearing to come from this domain and receiving mail servers have no mechanism to reject it.

NOT SPOOFABLE means both SPF and DMARC records are present. If the DMARC policy is p=none, spoofed mail may still reach inboxes — only p=quarantine or p=reject actively blocks it. The result shows the exact policy value so you can act if needed.

Common email spoofing misconfigurations

Problem	Risk	Fix
No SPF record	Any server can send as your domain	Publish `v=spf1 include:your-mail-provider ~all`
No DMARC record	Even with SPF, no enforcement policy	Publish `v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com` and upgrade to quarantine/reject
DMARC p=none	Reports only, no active blocking	After reviewing DMARC reports, upgrade to p=quarantine then p=reject
SPF too permissive (`+all`)	Allows any server despite SPF existing	Replace `+all` with `~all` (softfail) or `-all` (hard fail)

For the full step-by-step guide on publishing and configuring DMARC records, read: "No DMARC Record Found" — What It Means and How to Fix It.

Trust and differentiators

No account required. No data stored. The check queries public DNS only — no connection to your mail server. Instant results, safe to run against any domain you own.

For continuous email security monitoring — alerts when SPF or DMARC records change or are removed — create a free pentes.io account. The free tier includes 5 scans per month with LLM-triaged findings and a downloadable report.

See all free security tools.

What this checker tests

Verdict logic

Common email spoofing misconfigurations

Trust and differentiators

Monitor your email security posture