DNS Security Checker
Audit your domain's DNS configuration for SPF, DKIM, DMARC, DNSSEC, and other critical security records that protect against spoofing and phishing.
DNS Misconfigurations Detected?
DNS security is the foundation of email integrity and domain trust. Our team can implement and validate your SPF, DKIM, and DMARC configurations.
About the DNS Security Checker
The DNS security checker takes the domain you enter and queries the live DNS for the email-authentication records that should be present on a domain that sends mail. Specifically it looks for SPF (which lists the IP addresses authorised to send mail from your domain), DKIM (which signs each outgoing message so the recipient can verify it has not been tampered with), and DMARC (which tells receivers what to do with messages that fail SPF or DKIM, and where to report failures).
If any of these are missing or misconfigured, attackers can spoof email from your domain. That is the same vector behind most CEO-impersonation fraud, payroll-redirection scams, and supplier-invoice fraud. NCSC published its mail-spoofing guidance in 2016 and updated it in 2024. The recommendation across versions is the same: SPF with -all, DKIM with a 2048-bit key, DMARC at p=reject for any domain that sends mail and at p=reject for any domain that does not.
A failing DMARC record is one of the highest-impact-to-fix things on a typical SME estate. The fix is usually a single TXT record published by your DNS provider, and the cost is zero. The protection covers every recipient mailbox in the world. If the checker shows your domain at p=none, p=quarantine without -all, or no DMARC record at all, the fix should be on the list this week.
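The grading described above can be sketched as follows. This is an added example, not the checker's own code: it works on TXT record strings passed in directly rather than on a live lookup, the function names and finding labels are assumptions, and the sample records are constructed. It does not follow SPF redirect= or include: chains.

```python
# Added example, not the checker's own code. Inputs are TXT strings as a DNS
# lookup would return them; no query is made, so it runs offline.

def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_term(domain_txt):
    """Return the SPF 'all' term ('-all', '~all', ...) or None if unusable."""
    spf = [r for r in domain_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # none, or several (receivers treat that as an error)
        return None
    for term in spf[0].lower().split():
        if term in ("all", "+all", "-all", "~all", "?all"):
            return term
    return None

def audit(domain_txt, dmarc_txt):
    """domain_txt: TXT at the domain; dmarc_txt: TXT at _dmarc.<domain>."""
    findings = []
    all_term = spf_all_term(domain_txt)
    if all_term != "-all":
        findings.append("SPF missing or without -all")
    dmarc = [r for r in dmarc_txt if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return findings + ["no usable DMARC record"]
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC at p=none")
    elif policy == "quarantine" and all_term != "-all":
        findings.append("DMARC at p=quarantine without -all")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC policy missing or invalid")
    if "rua" not in tags:
        findings.append("no DMARC rua reporting address")
    return findings

# Constructed sample records (example.com is a placeholder domain).
WEAK = audit(["v=spf1 include:_spf.example.net ~all"], ["v=DMARC1; p=quarantine"])
GOOD = audit(["v=spf1 include:_spf.example.net -all"],
             ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"])
print(WEAK)
print(GOOD)
```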
Common questions
What is the difference between SPF, DKIM, and DMARC?
SPF lists the servers allowed to send mail from your domain. DKIM signs each message so receivers can verify it. DMARC tells receivers what to do if SPF or DKIM fails, and where to send failure reports. You need all three for full protection.
Will fixing DMARC break our email?
Only if your existing setup is sending mail through services that are not declared in your SPF record. The recommended path is to start at p=none with reporting enabled, fix the legitimate senders that show up as failing, then move to p=quarantine and finally p=reject. NCSC publishes the migration guidance.
Does Cyber Essentials require DMARC?
Cyber Essentials requires the secure-configuration control set, which includes hardened email. SPF and DMARC are the standard implementation. Strictly the scheme does not name DMARC in the question wording, but the assessor will ask how you protect against spoofing, and DMARC is the answer that closes the question.
Why is my DKIM showing as missing when I send mail through Microsoft 365?
Microsoft 365 enables DKIM on the tenant default but you have to publish the CNAME records on your custom domain to switch it on for outgoing mail under that domain. Until those CNAMEs are published, mail from yourcompany.com is unsigned even though Microsoft is signing yourtenant.onmicrosoft.com.
Beyond the free check
Cyber Essentials Certification
The secure-configuration control covers email-spoofing protection.
Network Infrastructure Assessment
Full review of DNS, firewall, and perimeter configuration for an SME estate.
Passing Cyber Essentials
Step-by-step on the controls assessors check, including email-spoofing protection.