Free Email Spoofing Test

Email spoofing lets attackers send emails that appear to come from your domain — used for phishing employees, customers, and partners. This test checks whether your domain's DNS records prevent spoofing.

Test your domain now — free

Enter your domain to check if it can be spoofed. We check SPF, DMARC, and DKIM configuration.

How email spoofing works

Email protocols were designed before security was a priority. By default, anyone can set the "From" address in an email to any domain. Without SPF, DKIM, and DMARC, there is nothing to stop an attacker from sending emails that appear to be from your company.

A spoofed email looks like this to the recipient

From: ceo@yourcompany.com
Subject: Urgent — wire transfer needed
Body: Please transfer €15,000 to this account today...

The email never touched yourcompany.com's servers. It was sent from an attacker's server with a forged From address.

What makes a domain spoofable

How to prevent email spoofing

  1. Add an SPF record — lists the servers authorized to send email for your domain
  2. Enable DKIM — cryptographic signature proving the email came from your server
  3. Add DMARC — policy that tells receiving servers what to do with failures
  4. Move DMARC to p=reject — fully blocks spoofed emails from reaching inboxes

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
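
To audit your own records against the steps above, the following Python sketch (an added example, not masoSec's code) grades the TXT records you pass in. It assumes you have already fetched the TXT strings for the domain and for _dmarc.<domain>; DKIM is left out because checking it requires knowing the selector. The function names and sample records are constructed for illustration.

```python
def parse_dmarc(txt_records):
    """Tags of the one DMARC record found at _dmarc.<domain>, else None."""
    found = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(found) != 1:      # none, or several: receivers apply no policy
        return None
    tags = {}
    for part in found[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all(txt_records):
    """Qualifier on the SPF 'all' term; '' if there is none; None if no usable record."""
    found = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:      # none, or several (a permanent error for receivers)
        return None
    for term in found[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return ""                # note: a redirect= modifier is not followed here

def assess(domain_txt, dmarc_txt):
    """Return a list of findings; an empty list means reject-level protection."""
    findings = []
    qualifier = spf_all(domain_txt)
    if qualifier is None:
        findings.append("SPF missing or duplicated")
    elif qualifier not in ("-", "~"):
        findings.append("SPF does not end in -all or ~all")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("DMARC missing or duplicated")
    else:
        policy = dmarc.get("p", "").lower()
        if policy != "reject":
            findings.append(f"DMARC p={policy or '?'} does not reject failures")
        if dmarc.get("pct", "100") != "100":
            findings.append("DMARC pct below 100: policy applies to only part of the mail")
    return findings

# Constructed sample records, not taken from a real domain.
WEAK = assess(["v=spf1 include:_spf.example.net ?all"], ["v=DMARC1; p=none"])
STRONG = assess(["v=spf1 mx -all"],
                ["v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"])
```

WEAK holds two findings (permissive SPF, DMARC p=none); STRONG is an empty list.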

Monitor spoofing protection automatically

DNS records can break or be misconfigured after changes. masoSec continuously monitors your SPF, DKIM, and DMARC records and alerts you the moment your domain becomes vulnerable.

Frequently asked questions

How do I know if my domain can be spoofed?

Run the test above. If your SPF is missing or your DMARC policy is "none" or absent, your domain can be spoofed. The test checks all three records in seconds.

What is email spoofing?

Email spoofing is forging the "From" address in an email to make it appear to come from a trusted domain. It's the core technique behind business email compromise (BEC) and phishing attacks.

How do I stop my domain from being spoofed?

Set up SPF, DKIM, and DMARC in your DNS. Set DMARC to p=reject. This instructs receiving servers to block any email that fails authentication.

Can I spoof a domain that has DMARC?

A domain with DMARC p=reject and correct SPF/DKIM cannot be effectively spoofed. p=none provides no protection — it only generates reports.