Can someonespoof your email?
A free email & DNS health check. We read your SPF, DKIM, and DMARC records and tell you whether scammers can send email as your domain — and whether your real mail is landing. Instant, no email required.
The three records that protect you.
Email security comes down to three DNS records working together. Miss one and your domain is easier to impersonate — and your legit mail is more likely to hit spam.
Who can
send
Lists the servers allowed to send mail as you. Without it, anyone can.
Signed &
sealed
Cryptographically signs your mail so receivers know it wasn't tampered with.
The
enforcer
Tells inboxes what to do with fakes — and reports who's trying to spoof you.
Why email security matters.
Spoofed email is how most phishing starts — and an unprotected domain both invites it and quietly lands your real messages in spam.
start with a phishing email
three records that stop spoofing
are free to set up correctly
no email or signup needed
Sources: CISA and Deloitte on phishing as the entry point for most cyberattacks.
Questions, answered.
Yes — completely free, no signup or email required. Enter your domain (or any email address at it) and you get an instant breakdown of your SPF, DKIM, and DMARC setup with what passed and what to fix.
They are three DNS records that prove your email is really from you. SPF lists which servers may send as your domain. DKIM cryptographically signs each message so it can’t be altered in transit. DMARC ties them together, tells receiving inboxes what to do with messages that fail, and reports spoofing attempts back to you.
Without these records, anyone can send email that looks like it’s from your domain — the basis of most phishing and invoice-fraud scams — and your own legitimate mail is more likely to land in spam. Setting them up protects your reputation and improves deliverability.
Not necessarily. DKIM keys live at a custom “selector” that has no fixed name, so we probe the common ones (Google, Microsoft, major ESPs). If yours uses a different selector we may not find it automatically even though it exists. The SPF and DMARC results are definitive; DKIM is best-effort.
DMARC has three policy levels: p=none (monitor only — nothing is blocked), p=quarantine (failing mail goes to spam), and p=reject (failing mail is blocked outright). Reject is the strongest. Many domains publish p=none and never tighten it, which leaves the door open to spoofing.
Yes. Setting up SPF, DKIM, and DMARC correctly is part of how we look after the sites and domains we manage. Run the check, then reach out and we’ll get your records configured so real mail lands and fakes get blocked.
Want your email locked down?
Tell us your domain and we'll handle SPF, DKIM and DMARC.
We'll reply within 24 hours with a plan to secure it.