Can someone spoof email from your domain?
Enter your domain for an instant check of SPF, DKIM and DMARC — the records that decide whether scammers can forge email that looks like it came from you.
What this does and doesn’t cover
This checks protection against direct-domain spoofing — someone forging your exact address (you@yourdomain). It does not detect look-alike domains (like yourcompany-support.com), display-name tricks (“POISE Support” sent from a Gmail address), or a genuinely hacked mailbox. Those need other controls — ask us.
Why email spoofing matters
Most business email fraud — fake invoices, CEO-fraud wire requests, supplier impersonation — starts with an email that appears to come from a trusted domain. If your domain has no enforced DMARC policy, an attacker can put your exact address in the “From” field and it will reach inboxes.
SPF, DKIM and DMARC are free DNS records that, configured together, let receiving servers reject forgeries. The catch: SPF alone isn’t enough (it checks a hidden address, not the visible one), and DMARC set to “none” only monitors — it doesn’t block. This tool tells you exactly where you stand.