Free email spoofing test
Can scammers send email as your business?
If your SPF, DKIM and DMARC records aren’t set up properly, anyone can send email that looks exactly like it came from you — fake invoices, changed bank details, the lot. Enter your domain and find out in 30 seconds.
- · DMARC policy — is spoofed mail actually blocked?
- · SPF — who’s allowed to send as you?
- · DKIM — are your emails signed?
Why it matters
This is what spoofing looks like to your customers.
The email on the right wasn’t sent by the business it names — but it landed anyway, because the domain had no DMARC enforcement. One of your customers pays that fake invoice and it’s your name on the scam.
The fix is three DNS records done properly, then walking DMARC up to p=reject without bouncing your real mail. It’s a one-off job — read more on the email spoofing page.
Updated bank details for payment
Accounts Payable
9:14 AMHi,
Quick heads up — we’ve changed banks. Please update our details for the next invoice so payment isn’t delayed:
BSB 000-000 · Acct 0000 0000
Cheers
Common questions
Email spoofing, answered straight.
What is email spoofing?
Email spoofing is when a scammer sends email that appears to come from your domain — your name, your address — without ever touching your accounts. It's how fake invoices and bank-detail-change scams reach your customers, and it works when your domain's SPF, DKIM and DMARC records aren't set up properly.
What do SPF, DKIM and DMARC actually do?
SPF lists which servers may send email for your domain. DKIM cryptographically signs your messages. DMARC is the enforcement layer — it tells receiving mail servers what to do with mail that fails those checks. Without a DMARC policy of quarantine or reject, spoofed mail can still land in inboxes.
Is this DMARC checker really free?
Yes — free, instant, no signup and no email gate. It runs the same DNS checks I use for paying clients and gives you a graded, plain-English result.
My DMARC says p=none — is that bad?
p=none means monitoring only: you're watching spoofing happen, not stopping it. Getting safely to p=reject without bouncing your own legitimate mail is exactly what my Domain Lockdown pack does.
Fixed-price pack
Domain Lockdown
Stop anyone sending email as your business.
1–2 hours · fixed scope
Secure checkout · GST included
More free tools
While you’re here — run the other checks.
Data Breach Check
Have your staff logins been leaked?
Run it free →
SSL Certificate Check
Is your website showing 'Not Secure'?
Run it free →
Cyber Insurance Readiness Check
Would you pass your insurer's questionnaire?
Run it free →
AI Search Readiness Test
Can ChatGPT find your business?
Run it free →
All tools are genuinely free — no signup, no spam. See the full list →