How to check if your domain can be spoofed (free, 60 seconds)
You just heard about domain spoofing — where a scammer sends emails using your business name without ever touching your accounts. Now you want to know: is my domain vulnerable right now?
Good news: you can find out in about 60 seconds without any technical knowledge. This guide walks you through exactly how to check, what the results mean, and what to do if you're exposed.
Check your domain right now — it's free
SentryScore scans your domain for spoofing vulnerabilities in under 60 seconds. No account required.
What makes a domain spoofable?
Your domain is spoofable when it's missing one or more of three DNS security records: SPF, DKIM, and DMARC. These are configuration settings you add to your domain's DNS — they tell receiving mail servers how to verify that emails claiming to be from you actually are.
Without them, anyone can fire up a mail server, set the "From" field to an address at your domain, and send convincing phishing emails to your clients. The recipient sees your name. They may trust the email. They may act on it.
Most small business domains — dental offices, law practices, medical clinics — are wide open to this right now. Not because they did anything wrong, but because no one told them to set this up.
Step 1: Run the free scan
Go to sentryscore.com and enter your domain (just the domain — like mydentaloffice.com, not the full website address). The scanner will check your DNS records and return a security score with a breakdown of what's missing.
The whole thing takes under a minute. No signup required.
Step 2: Understand your results
Your scan results will show the status of three key records. Here's how to interpret each one:
SPF (Sender Policy Framework)
SPF is a list of servers authorized to send email on behalf of your domain. If you're missing SPF, anyone can send email "from" you with no restrictions at all.
- No SPF record found: any mail server can send email claiming to be from your domain.
- SPF record found: only authorized servers can pass SPF checks for your domain.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to emails you send. Receiving servers verify the signature — if it doesn't match, the email fails the check. No DKIM means nothing is verifying the authenticity of emails sent in your name.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC is the policy that ties SPF and DKIM together. It tells receiving servers what to do when an email fails those checks. This is the most critical record for spoofing protection — and the one most commonly missing or misconfigured.
Critical: Having DMARC isn't enough — you need to check the policy. A DMARC record set to p=none does nothing to stop spoofing. Only p=quarantine or p=reject actually protects you.
What a spoofable domain looks like vs. a protected one
Spoofable domain:
- SPF: Missing
- DKIM: Missing
- DMARC: Missing (or set to p=none)
- Risk: Anyone can impersonate your domain in email

Protected domain:
- SPF: Present with -all or ~all
- DKIM: Configured for your email provider
- DMARC: Present with p=reject or p=quarantine
- Result: Spoofed emails are blocked before reaching inboxes
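The same comparison can be applied mechanically to the TXT records a DNS lookup returns for a domain and for its _dmarc subdomain. The Python below is an added example, not SentryScore's code: the function names and record strings are constructed for illustration, and it takes already-fetched TXT strings instead of querying DNS.

```python
# Added example. All record strings are constructed samples, not real lookups.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_status(root_txt):
    """Classify the TXT records published at the domain itself."""
    spf = [r for r in root_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"   # RFC 7208: multiple SPF records is a permanent error
    terms = spf[0].lower().split()
    # The guide counts -all and ~all as protective (redirect= is not followed here).
    return "ok" if "-all" in terms or "~all" in terms else "weak"

def dmarc_status(dmarc_txt):
    """Classify the TXT records published at _dmarc.<domain>."""
    found = [parse_tags(r) for r in dmarc_txt]
    found = [t for t in found if t.get("v") == "DMARC1"]
    if not found:
        return "missing"
    if len(found) > 1:
        return "invalid"   # RFC 7489: receivers ignore ambiguous policies
    policy = found[0].get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return "enforcing"
    return "monitor-only" if policy == "none" else "invalid"

def assess(root_txt, dmarc_txt):
    """DKIM is not assessed: its record sits under a provider-chosen selector."""
    spf, dmarc = spf_status(root_txt), dmarc_status(dmarc_txt)
    return {"spf": spf, "dmarc": dmarc, "spoofable": dmarc != "enforcing"}

SAMPLES = {  # constructed inputs: (TXT at domain, TXT at _dmarc.domain)
    "no records": (["google-site-verification=abc"], []),
    "monitor only": (["v=spf1 include:_spf.example.net ~all"],
                     ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]),
    "enforced": (["v=spf1 include:_spf.example.net -all"], ["v=DMARC1; p=reject"]),
}

if __name__ == "__main__":
    for name, (root, dmarc) in SAMPLES.items():
        print(name, assess(root, dmarc))
```

The "monitor only" sample is still reported as spoofable even though SPF is present, which is the p=none case flagged above.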
Step 3: What to do if you're vulnerable
If your scan shows missing or misconfigured records, here's the path forward:
- Don't panic. This is fixable. Millions of small business domains are in the same position.
- Contact your IT provider or email host. If you use Microsoft 365 or Google Workspace, they have documentation for adding these records. Many will do it for you if you ask.
- Add SPF first, then DKIM, then DMARC. The order matters — DMARC depends on at least one of the others being in place.
- Start DMARC at p=none to monitor for a week, then move to p=reject. This prevents accidentally blocking your own legitimate email.
- Re-scan after changes to confirm everything is configured correctly.
How long does it take to fix?
If you or your IT person knows what they're doing: under 30 minutes of actual work. The changes propagate through DNS in a few hours. Total time from vulnerable to protected: same day in most cases.
If you need to find someone to do it: one support ticket to your email host or IT provider is usually all it takes. Many registrars (GoDaddy, Namecheap, Cloudflare) have guides in their help centers.
The bottom line
You don't need to be technical to know if your domain is at risk. The scan takes 60 seconds. The results are plain English. And knowing is the first step toward fixing it.