Free instant check — no account needed

Is Your Business Email Spoofable?

Attackers can send emails that look like they come from your domain — unless you have SPF, DKIM, and DMARC set up correctly. Find out in 10 seconds.

The threat

What is email spoofing?

Email spoofing is when someone sends an email that appears to come from your domain — like [email protected] — without your permission. It's the #1 technique in business email compromise (BEC) attacks.

Without protection
Anyone on the internet can send email as [email protected]. Your clients, vendors, and employees will see your domain in the "From" field and trust it.
With SPF + DKIM + DMARC
Receiving mail servers verify that emails actually came from your authorized servers. Spoofed emails are rejected or sent to spam before anyone sees them.
Why it matters

Business email compromise by the numbers

Email spoofing isn't a theoretical risk — it's the most financially damaging form of cybercrime according to the FBI.

$2.9B
Lost to BEC scams annually (FBI IC3, 2023)
21,489
BEC complaints filed in 2023 alone
65%
Of organizations experienced BEC attacks (Proofpoint, 2024)
$125K
Average loss per BEC incident
Fix guides

How to fix email spoofing — step by step

Select your email provider or registrar for specific instructions. Each guide takes 15–30 minutes to complete.

Google Workspace

Step 1: Set up SPF

  1. Go to your domain's DNS settings (Google Domains, GoDaddy, Namecheap, etc.)
  2. Add a new TXT record for @ (root domain)
  3. Set the value to:
v=spf1 include:_spf.google.com -all

If you also use other email services (e.g., Mailchimp), add their include too: v=spf1 include:_spf.google.com include:servers.mcsv.net -all

Step 2: Enable DKIM

  1. Open Google Admin Console → Apps → Google Workspace → Gmail
  2. Click "Authenticate email"
  3. Select your domain and click "Generate new record"
  4. Copy the TXT record value Google provides
  5. Add a TXT record in your DNS at the hostname Google specifies (usually google._domainkey)
  6. Go back to Admin Console and click "Start authentication"

Step 3: Set up DMARC

  1. Add a TXT record at _dmarc (hostname: _dmarc.yourdomain.com)
  2. Start with monitoring mode:
v=DMARC1; p=none; rua=mailto:[email protected]

After 2–4 weeks of monitoring, upgrade to enforcement:

v=DMARC1; p=reject; rua=mailto:[email protected]

Google's official email authentication guide →

Microsoft 365

Step 1: Set up SPF

  1. Go to your domain registrar's DNS settings
  2. Add a TXT record for @ (root domain)
  3. Set the value to:
v=spf1 include:spf.protection.outlook.com -all

Step 2: Enable DKIM

  1. Go to Microsoft 365 Defender → Email & collaboration → Policies → DKIM
  2. Select your domain
  3. Toggle "Sign messages for this domain with DKIM signatures" to ON
  4. Microsoft will provide two CNAME records to add to your DNS
  5. Add both CNAME records at your registrar:
Host: selector1._domainkey → Points to: selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
Host: selector2._domainkey → Points to: selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com

Step 3: Set up DMARC

  1. Add a TXT record at _dmarc
  2. Start with monitoring:
v=DMARC1; p=none; rua=mailto:[email protected]

Upgrade to enforcement after 2–4 weeks:

v=DMARC1; p=reject; rua=mailto:[email protected]

Microsoft's official email authentication guide →

GoDaddy

Step 1: Set up SPF

  1. Log in to GoDaddy → My Products → DNS
  2. Click "Add" under Records
  3. Type: TXT, Name: @, Value:
v=spf1 include:secureserver.net -all

If you use Google Workspace or Microsoft 365 with GoDaddy, use their SPF include instead (see guides above).

Step 2: Enable DKIM

  1. If using GoDaddy's built-in email: DKIM is managed automatically
  2. If using Google Workspace or Microsoft 365: follow their DKIM setup and add the DNS records in GoDaddy's DNS manager

Step 3: Set up DMARC

  1. In GoDaddy DNS, click "Add" → Type: TXT
  2. Name: _dmarc
  3. Value:
v=DMARC1; p=quarantine; rua=mailto:[email protected]

GoDaddy's guide to adding TXT records →

Namecheap

Step 1: Set up SPF

  1. Log in to Namecheap → Domain List → Manage → Advanced DNS
  2. Click "Add New Record" → Type: TXT Record
  3. Host: @, Value:
v=spf1 include:_spf.google.com -all

Replace the include with your email provider's SPF domain.

Step 2: Enable DKIM

  1. Get the DKIM TXT record from your email provider (Google Workspace, Microsoft 365, etc.)
  2. In Advanced DNS, add a TXT record
  3. Host: the selector your provider gives you (e.g., google._domainkey)
  4. Value: the DKIM key string from your provider

Step 3: Set up DMARC

  1. In Advanced DNS, add a TXT record
  2. Host: _dmarc
  3. Value:
v=DMARC1; p=reject; rua=mailto:[email protected]

Namecheap's guide to adding TXT records →
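
Once the records from the guides above are published, it helps to confirm they actually enforce. The Python below is an added example, not this site's checker: it grades SPF and DMARC TXT strings, and its function names, sample records and the example.com address are constructed for illustration. It does not follow include: or redirect= targets.

```python
def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(root_txt):
    """Findings for the TXT records published at the root (@) of the domain."""
    spf = [r for r in root_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero means no policy; more than one is an error for receivers
        return ["SPF: expected one v=spf1 record, found %d" % len(spf)]
    terms = [t.lower() for t in spf[0].split()[1:]]
    if "-all" in terms:
        return []
    if "~all" in terms:
        return ["SPF: ~all only softfails unlisted senders; the guides use -all"]
    return ["SPF: no -all term in this record"]

def check_dmarc(dmarc_txt):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [parse_dmarc(r) for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["DMARC: expected one v=DMARC1 record, found %d" % len(recs)]
    tags, findings = recs[0], []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; no action is requested on failures")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif tags.get("pct", "100") != "100":
        findings.append("DMARC: pct=%s applies the policy to only part of the mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings

def assess(root_txt, dmarc_txt):
    return check_spf(root_txt) + check_dmarc(dmarc_txt)

# Constructed samples in the style of the guides; example.com is a placeholder.
MONITORING = (["v=spf1 include:_spf.google.com ~all"],
              ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"])
ENFORCED = (["site-verification=constructed", "v=spf1 include:_spf.google.com -all"],
            ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"])

if __name__ == "__main__":
    print(assess(*MONITORING), assess(*ENFORCED), sep="\n")
```

To grade a live domain, pass in the strings returned by `dig +short TXT yourdomain.com` and `dig +short TXT _dmarc.yourdomain.com`, with the surrounding quotes stripped.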

Get your full security report

We'll scan your domain across 5 security dimensions — SSL, email, breaches, headers, and DNS — and email you a detailed PDF with prioritized fix steps.

Want us to fix this for you?

Our team configures SPF, DKIM, and DMARC for small businesses every day. We'll get your domain locked down — usually within 48 hours.

Talk to Guardrail Works →
FAQ

Common questions about email spoofing

What is email spoofing?

Email spoofing is when an attacker sends an email that appears to come from your domain (e.g., [email protected]) without your authorization. The email looks completely legitimate to the recipient. It's the primary technique used in business email compromise (BEC) attacks — like fake invoices, wire transfer requests, and credential phishing.

What are SPF, DKIM, and DMARC?

SPF (Sender Policy Framework) lists which mail servers are authorized to send email for your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to prove the email wasn't tampered with. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties them together and tells receiving servers what to do when authentication fails — ignore it, quarantine it, or reject it outright.

Is this check safe to run?

Yes. This tool only reads your publicly available DNS records — the same information any mail server in the world can see. It doesn't send emails, probe your servers, or access anything private.

How do I fix email spoofing?

You need to add three DNS TXT records: an SPF record listing your authorized email servers, a DKIM record (after enabling DKIM signing in your email provider), and a DMARC record with a policy of "quarantine" or "reject." See the platform-specific guides above for step-by-step instructions.

What's the difference between this and the full SentryScore scan?

This tool checks only email authentication (SPF, DKIM, DMARC). The full SentryScore scan also checks SSL/TLS configuration, data breach history, HTTP security headers, and DNS quality — giving you a comprehensive 0–100 security score across five dimensions.