Is your domain vulnerable to email spoofing? Test SPF, DMARC, DKIM, and MTA-STS records instantly — no signup, no data uploaded.
Email spoofing is the #1 phishing technique. These four DNS records are your defense.
Sender Policy Framework (SPF)
A DNS TXT record that lists which mail servers are authorized to send email from your domain. Receiving servers check this list and reject or flag unauthorized senders.
DomainKeys Identified Mail (DKIM)
Adds a cryptographic signature to each outbound email. The receiving server verifies the signature using a public key in your DNS, proving the message was not tampered with.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Tells receiving servers what to do with emails that fail SPF or DKIM. Without DMARC, failed checks are ignored. With p=reject, spoofed emails never reach inboxes.
Mail Transfer Agent Strict Transport Security (MTA-STS)
Forces inbound email delivery over TLS. Prevents downgrade attacks where attackers intercept email by stripping TLS from the connection.
Yes — if you have no DMARC record or your policy is p=none, anyone can send email that appears to come from your domain. This is the most common technique for phishing and business email compromise (BEC) attacks, which cost businesses billions annually.
Start with p=quarantine and monitor DMARC aggregate reports for 2-4 weeks before moving to p=reject. DMARC aggregate reports (rua) will show you all sources sending email from your domain, including legitimate services you may have forgotten about.
DKIM uses a selector — a label that's part of the DNS record name. This tool tries 10 common selectors (google, mail, selector1, selector2, etc.). If your provider uses a custom selector, it won't be detected. Check your email provider's DKIM settings for the exact selector name.
MTA-STS is optional but strongly recommended. Without it, inbound email can potentially be intercepted via downgrade attacks. Google and other major providers support and recommend MTA-STS.
DMARC aggregate reports (rua) are daily XML reports sent to your specified email address showing all sources that sent email from your domain, including whether they passed or failed SPF and DKIM checks. They are essential for monitoring your email security posture.
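The DMARC rules described above (no record or p=none leaves the domain spoofable, p=quarantine is the monitoring stage before p=reject, rua turns on aggregate reports), as an added Python example that is not this tool's own code. The verdict labels and sample records are constructed for illustration, and the TXT strings are passed in directly instead of being looked up at _dmarc.<domain>.

```python
# Added example (not the tool's code): classify DMARC posture from TXT strings.
# Verdict labels "spoofable" / "partial" / "enforced" are assumptions of this example.

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt_records):
    """Return (verdict, findings) for the TXT records published at _dmarc.<domain>."""
    records = [t for t in map(parse_tags, txt_records) if t.get("v") == "DMARC1"]
    if len(records) != 1:
        # RFC 7489: with no record, or more than one, no DMARC policy is applied.
        return "spoofable", [f"{len(records)} DMARC records found, need exactly 1"]
    tags = records[0]
    policy = tags.get("p", "").lower()
    findings = []
    if "rua" not in tags:
        findings.append("no rua= tag: aggregate reports are not being collected")
    if policy == "reject":
        return "enforced", findings
    if policy == "quarantine":
        findings.append("p=quarantine: review reports, then move to p=reject")
        return "partial", findings
    # p=none, or a missing/invalid p= value, gives receivers nothing to enforce.
    findings.append(f"policy {policy or 'missing'!r} does not block spoofed mail")
    return "spoofable", findings

# Constructed sample records for illustration.
SAMPLES = {
    "no-dmarc": ["v=spf1 include:_spf.example.com ~all"],
    "monitor": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "staging": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
    "blind": ["v=DMARC1; p=reject"],
    "duplicate": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for name, txt in SAMPLES.items():
        print(name, *assess(txt))
```

The "duplicate" case is worth checking for after a mail provider migration: a leftover second DMARC record causes receivers to apply no policy at all, even if one of the two says p=reject.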