Free SPF, DKIM & DMARC Checker
Find out whether your domain is protected against spoofing and phishing. We check your SPF, DKIM and DMARC records, grade the configuration and give you exact fixes.
By scanning, you confirm you own or have permission to test this domain. Not a substitute for manual penetration testing.
What this email security checker checks
How it works
Read-only · DNS records only
1. We read your SPF, DMARC and DKIM (common selectors) records straight from DNS, plus MTA-STS, TLS-RPT and BIMI.
2. We grade the policy strength (SPF ~all/+all, DMARC none/quarantine/reject) and count SPF DNS lookups against the RFC 7208 limit that causes silent permerrors.
3. No email is sent and your mail servers are never contacted; it is a pure DNS read.
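The grading and lookup counting in step 2 can be sketched as follows. This is an added example, not ONEROXE's code: the records in `ZONE` and `DMARC` are constructed placeholders standing in for DNS answers, the function names are hypothetical, and the grading thresholds (anything short of `-all` or an enforcing DMARC policy is a finding) are an assumption.

```python
import re

# Constructed TXT records (placeholder names), standing in for live DNS answers.
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example.net include:_spf.crm.example.net mx a ~all",
    "_spf.mail.example.net": "v=spf1 a:mx1.example.net a:mx2.example.net a:mx3.example.net mx:example.net -all",
    "_spf.crm.example.net": "v=spf1 a:out1.example.net a:out2.example.net mx ip4:198.51.100.0/24 -all",
}
DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

# Terms that trigger a DNS query and count toward the RFC 7208 limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_lookups(domain, zone, seen=None):
    """Count DNS-querying SPF terms, following include/redirect recursively."""
    seen = set() if seen is None else seen
    if domain in seen or domain not in zone:   # loop guard / unresolved name
        return 0
    seen.add(domain)
    count = 0
    for term in zone[domain].split()[1:]:      # skip the v=spf1 version tag
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue
        count += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            count += spf_lookups(m.group(2), zone, seen)
    return count

def spf_all(record):
    """Qualifier on the 'all' mechanism ('+' if bare), or None if absent."""
    m = re.search(r"(?:^|\s)([+\-~?]?)all\b", record.lower())
    return (m.group(1) or "+") if m else None

def dmarc_policy(record):
    """Value of the p= tag, or None if this is not a DMARC1 record."""
    pairs = (t.split("=", 1) for t in record.split(";") if "=" in t)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    return tags.get("p") if tags.get("v") == "dmarc1" else None

def grade(domain, zone, dmarc):
    """Return a list of findings; an empty list means enforced and in limits."""
    findings = []
    q = spf_all(zone.get(domain, ""))
    if q != "-":
        findings.append(f"SPF all qualifier is {q!r}, not '-'")
    n = spf_lookups(domain, zone)
    if n > 10:
        findings.append(f"SPF needs {n} DNS lookups (limit 10): permerror")
    if dmarc_policy(dmarc) not in ("quarantine", "reject"):
        findings.append("DMARC policy is not enforcing")
    return findings
```

The top-level record here shows only four lookup terms, but the two includes pull in seven more, which is why the count has to follow includes rather than read the apex record alone.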
Why it matters
Without enforced SPF, DKIM and DMARC, anyone can send email that appears to come from your domain — the basis of phishing and business-email-compromise attacks. A correct DMARC policy stops spoofed mail and protects your brand and customers.
Frequently asked questions
Is the email security checker free?
Yes — SPF, DKIM and DMARC are checked as part of the free ONEROXE recon scan, with no account required.
What DMARC policy should I use?
Start at p=none to monitor, then move to p=quarantine and finally p=reject once you have confirmed legitimate senders pass SPF/DKIM alignment.
Why does SPF alone not stop spoofing?
SPF only validates the envelope sender and breaks on forwarding. DKIM signs the message and DMARC ties them together with a policy — all three are needed for real protection.