Brisbane IT & cybersecurity support · 15+ years · no outsourcing · 0491 054 503
Ewan Me ITFree scan →

Free email spoofing test

Can scammers send email as your business?

If your SPF, DKIM and DMARC records aren’t set up properly, anyone can send email that looks exactly like it came from you — fake invoices, changed bank details, the lot. Enter your domain and find out in 30 seconds.

  • · DMARC policy — is spoofed mail actually blocked?
  • · SPF — who’s allowed to send as you?
  • · DKIM — are your emails signed?

Free, instant, no signup. Leads with DMARC, SPF and DKIM — the full scan comes with it.

Why it matters

This is what spoofing looks like to your customers.

The email on the right wasn’t sent by the business it names — but it landed anyway, because the domain had no DMARC enforcement. One of your customers pays that fake invoice and it’s your name on the scam.

The fix is three DNS records done properly, then walking DMARC up to p=reject without bouncing your real mail. It’s a one-off job — read more on the email spoofing page.

Inbox — Outlook

Updated bank details for payment

A

Accounts Payable

9:14 AM

[email protected]

Looks legitimate — but it wasn’t sent by you. This is how spoofed email reaches your customers.

Hi,

Quick heads up — we’ve changed banks. Please update our details for the next invoice so payment isn’t delayed:

BSB 000-000 · Acct 0000 0000

Cheers

Common questions

Email spoofing, answered straight.

What is email spoofing?

Email spoofing is when a scammer sends email that appears to come from your domain — your name, your address — without ever touching your accounts. It's how fake invoices and bank-detail-change scams reach your customers, and it works when your domain's SPF, DKIM and DMARC records aren't set up properly.

What do SPF, DKIM and DMARC actually do?

SPF lists which servers may send email for your domain. DKIM cryptographically signs your messages. DMARC is the enforcement layer — it tells receiving mail servers what to do with mail that fails those checks. Without a DMARC policy of quarantine or reject, spoofed mail can still land in inboxes.

Is this DMARC checker really free?

Yes — free, instant, no signup and no email gate. It runs the same DNS checks I use for paying clients and gives you a graded, plain-English result.

My DMARC says p=none — is that bad?

p=none means monitoring only: you're watching spoofing happen, not stopping it. Getting safely to p=reject without bouncing your own legitimate mail is exactly what my Domain Lockdown pack does.

Fixed-price pack

Domain Lockdown

Stop anyone sending email as your business.

1–2 hours · fixed scope

Lock down my domainfrom $295

Secure checkout · GST included