Free Email Security Checker (SPF, DKIM, DMARC)

Check whether a domain is protected against email spoofing. We test SPF, DKIM, and DMARC and explain what is missing.

Free and instant. No account or signup needed.

What this email security checker tests

Email was never built to prove who sent a message, so three DNS records were added on top to close that gap. This tool reads all three for the domain you enter and tells you whether they add up to real protection or leave room for someone to send mail in your name.

SPF, which stands for Sender Policy Framework, is the list of mail servers allowed to send for your domain. When a receiving server gets a message, it checks the sending server against that list. If the server is not on it, the message fails SPF and looks suspicious.

DKIM, or DomainKeys Identified Mail, adds a cryptographic signature to each message using a private key only you hold. The matching public key lives in your DNS, so a receiver can verify the signature and confirm the message was not altered in transit and genuinely came from your domain.

DMARC, short for Domain-based Message Authentication, Reporting and Conformance, sits above both. It checks that SPF and DKIM not only pass but also align with the visible From address, tells receivers what to do when a message fails, and sends you reports showing who is sending under your name. The instruction lives in the policy tag, written as p=none, p=quarantine, or p=reject.

Why p=none is only the start

A policy of p=none asks receivers to take no action and just report back. That is the right way to begin, because the reports show you every service that sends mail for you before you start blocking anything. The catch is that spoofed mail still gets through while you are at p=none, so a domain sitting there long term is not actually defended.

The recommended path is to publish SPF, turn on DKIM, then add DMARC at p=none and read the reports until you are confident your real senders pass. From there move to p=quarantine, which routes failing mail to spam, and finally to p=reject, which tells receivers to refuse it outright. Once you reach p=reject with SPF and DKIM aligned, attackers can no longer spoof your exact domain in the From address of phishing emails at receivers that honor DMARC. To dig deeper into how these records fit together with the rest of your DNS, read the DNS security guide.
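The rollout path above can be expressed as a small check over a domain's TXT records. This is an added example, not SiteSecurityScore's own code; the function names, the sample records, and the wording of each step are assumptions, and the records are passed in as strings so the code runs without DNS access.

```python
# Added example. TXT strings are constructed; a real check would fetch them from DNS:
# SPF at the domain, DMARC at _dmarc.<domain>, DKIM at <selector>._domainkey.<domain>.
ESCALATE = {"none": "quarantine", "quarantine": "reject", "reject": None}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC and DKIM syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(domain_txt, dmarc_txt, dkim_txt):
    """Return presence of each record, the DMARC policy, and the next rollout step."""
    # Exactly one SPF record is valid; several records make SPF evaluation fail.
    spf = sum(r.lower().split()[:1] == ["v=spf1"] for r in domain_txt) == 1
    # A DKIM key record with an empty p= tag is a revoked key, so it does not count.
    dkim = any(parse_tags(r).get("p") for r in dkim_txt)
    # Exactly one record with v=DMARC1 and a recognised p= value counts as a policy.
    dmarc = [parse_tags(r) for r in dmarc_txt]
    dmarc = [t for t in dmarc if t.get("v") == "DMARC1"]
    policy = dmarc[0].get("p", "").lower() if len(dmarc) == 1 else ""
    policy = policy if policy in ESCALATE else None

    if not spf:
        step = "publish a single SPF record"
    elif not dkim:
        step = "enable DKIM signing"
    elif policy is None:
        step = "add DMARC at p=none"
    elif ESCALATE[policy]:
        step = "confirm real senders pass, then move to p=" + ESCALATE[policy]
    else:
        step = "none, policy is at p=reject"
    return {"spf": spf, "dkim": dkim, "policy": policy,
            "enforced": policy in ("quarantine", "reject"), "next_step": step}

if __name__ == "__main__":
    # Constructed sample: all three records exist, but DMARC only monitors.
    print(assess(
        ["v=spf1 include:_spf.example.net -all", "site-verification=constructed"],
        ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
        ["v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="],
    ))
```

The `enforced` field is true only for p=quarantine or p=reject, matching the point that a domain at p=none is monitored but not defended.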

Frequently asked questions

What is an email security checker?

An email security checker reads the DNS records that decide whether your domain can be spoofed in email. SiteSecurityScore looks up your SPF, DKIM, and DMARC records live and tells you which ones are present, which are missing, and whether your DMARC policy actually blocks fake mail or only watches it.

What do SPF, DKIM, and DMARC do?

SPF lists which mail servers are allowed to send for your domain. DKIM adds a cryptographic signature so a receiver can confirm a message was not altered and really came from you. DMARC ties the two together, tells receivers what to do with mail that fails, and sends you reports so you can see who is sending in your name.

Why is a DMARC policy of p=none a problem?

A p=none policy is monitoring only. Receivers will still accept mail that fails SPF and DKIM, so a spoofed message can still land in an inbox. It is a useful first step while you read the reports, but a domain is only protected once you move the policy to quarantine or reject.

How do I fix missing email authentication?

Publish an SPF record listing your senders, enable DKIM signing in your mail provider, then add a DMARC record. Start at p=none to gather reports, confirm your real mail passes, then raise the policy to p=quarantine and finally p=reject so spoofed mail is blocked.

Does this checker scan a live domain?

Yes. Enter a domain and SiteSecurityScore queries its live DNS, reads the SPF, DKIM, and DMARC records, and reports what it found in seconds. No account or signup is required.

Check every layer in one scan

This checker covers one piece. Run a full SiteSecurityScore scan of your security headers, CSP, TLS, DNS, and cookies, with a letter grade and copy-and-paste fixes. No account required.