Email Spoof Protection Check
Check whether your domain can be impersonated by an attacker. SPF, DKIM, and DMARC graded against NCSC mail-spoofing guidance, with an A-to-F grade you can take to your IT team.
Enter a domain. We look up SPF (TXT on the domain), DMARC (TXT on _dmarc.domain), MX records, and DKIM keys on the 10 most common selectors. We do not store the domains you check.
The grade is the average across SPF, DKIM, DMARC, and MX. F grades almost always come from a missing DMARC record.
About the Email Spoof Protection Check
An email spoof-protection check looks up the DNS records that determine whether your domain can be impersonated by an attacker. Specifically: SPF (the list of servers authorised to send mail from your domain), DKIM (the public keys receivers use to verify outgoing messages have not been altered in transit), and DMARC (the policy that tells receivers what to do with messages that fail SPF or DKIM, plus where to send failure reports).
If any of the three is missing or weakly configured, attackers can spoof email from your domain. That is the same vector behind most CEO-impersonation fraud, payroll-redirection scams, and supplier-invoice fraud. NCSC published its mail-spoofing guidance in 2016 and updated it in 2024. The recommendation across versions is the same: SPF with -all, DKIM with a 2048-bit key, and DMARC at p=reject for every domain, whether or not it sends mail.
Fixing a failing DMARC record is one of the highest-impact changes on a typical SME estate. The fix is usually a single TXT record published at your DNS provider, and the cost is zero. The protection covers every recipient mailbox in the world. If the checker shows your domain at p=none, p=quarantine without -all, or no DMARC record at all, the fix should be on the list this week.
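The SPF and DMARC conditions described above can be checked directly against the TXT strings. This is an added example, not the checker's own code: the function names and finding strings are assumptions, the records are passed in as strings rather than looked up, and DKIM and MX are not covered.

```python
# Added example: SPF/DMARC TXT strings checked against the -all and p=reject targets.
# No DNS lookups are made; the sample records at the bottom are constructed.

def spf_all_qualifier(txt_records):
    """Qualifier on the SPF 'all' term: '-', '~', '?' or '+'.
    Returns None (no SPF record), 'multiple' (more than one, a permanent
    error under RFC 7208) or 'no-all' (record has no 'all' term)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return None
    if len(spf) > 1:
        return "multiple"
    for term in spf[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"  # bare 'all' means '+all'
    return "no-all"

def dmarc_policy(txt_records):
    """Value of the p= tag from the single v=DMARC1 record, else None."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None
    for part in dmarc[0].split(";"):
        key, _, value = part.partition("=")
        if key.strip().lower() == "p":
            return value.strip().lower()
    return None

def assess(domain_txt, dmarc_txt):
    """Findings for one domain; an empty list means SPF -all and DMARC p=reject."""
    findings = []
    spf, policy = spf_all_qualifier(domain_txt), dmarc_policy(dmarc_txt)
    if spf is None:
        findings.append("spf: no record")
    elif spf == "multiple":
        findings.append("spf: multiple records")
    elif spf != "-":
        findings.append("spf: does not end in -all")
    if policy is None:
        findings.append("dmarc: no usable record")
    elif policy != "reject":
        findings.append(f"dmarc: p={policy}, not yet p=reject")
    return findings

# Constructed sample: TXT strings as they would appear on example.com and _dmarc.example.com.
SAMPLE_DOMAIN_TXT = ["google-site-verification=abc123", "v=spf1 include:_spf.example.net ~all"]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    for finding in assess(SAMPLE_DOMAIN_TXT, SAMPLE_DMARC_TXT):
        print(finding)
```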
Common questions
Why does the tool say no DKIM key found when we definitely send mail?
We probe 10 common selectors (google, selector1, selector2, default, mail, k1, s1, s2, smtp, dkim). If your DKIM key is published on a custom selector, we will not find it. Microsoft 365 publishes on selector1 and selector2, Google Workspace on google, and Mailchimp on k1.
What is the difference between p=none, p=quarantine, and p=reject in DMARC?
p=none means the receiver accepts spoofed mail and just reports it. p=quarantine means the receiver routes spoofed mail to spam. p=reject means the receiver bounces it outright. NCSC recommends ending at p=reject. Start at p=none to monitor, move to quarantine, then reject.
Will publishing -all on SPF break my legitimate email?
Only if your existing setup sends mail through services that are not declared in your SPF record. The recommended path is to move to SPF -all only after you have taken DMARC through the p=none monitoring stage and confirmed that no legitimate senders show up as failing.
How does this fit with Cyber Essentials?
The Cyber Essentials secure-configuration control covers email-server hardening. SPF and DMARC are the standard implementation. The CE+ assessor will ask how you protect against spoofing, and the answer that closes the question is DMARC at p=reject backed by SPF -all and DKIM.
Do you store the domains I check?
No. We log only that a check happened, never which domain. The DNS lookups go via our resolver and the report is built in memory and returned.
Beyond the free check
DNS Security Checker
Broader DNS security check covering more than just email-authentication records.
Network Infrastructure Assessment
Full review of DNS, firewall, and perimeter configuration across an SME estate.
Cyber Essentials Certification
Government-backed certification covering email-spoofing protection as part of the secure-configuration control.