Free tool

Is your domain protected against email spoofing?

Enter your domain name to check your SPF, DKIM, DMARC and BIMI records. Instant results with a score out of 10 and actionable recommendations.


How it works

How does this test work?

Our tool queries your domain's DNS records to verify the presence and configuration of each email authentication protocol.

01

SPF (Sender Policy Framework) declares which servers are authorized to send emails for your domain. Without SPF, anyone can spoof your address.

02

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The recipient verifies the message wasn't altered in transit.

03

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving servers how to handle emails that fail checks: ignore, quarantine or reject.

Frequently asked questions

What are SPF, DKIM and DMARC?
They are three complementary protocols that authenticate emails sent from your domain. SPF lists the servers allowed to send on your behalf. DKIM adds a cryptographic signature to ensure the content hasn't been tampered with. DMARC ties them together and sets the policy for what happens when an email fails checks (none, quarantine or reject).
Why is my score low?
A low score means one or more protocols are missing or misconfigured. Common issues: no DMARC record published, DMARC policy set to 'none' (no enforcement), or an SPF record that doesn't include all your sending services (marketing platform, CRM, support desk). Each missing protocol leaves a gap attackers can exploit.
What's the difference between DMARC reject and quarantine?
With 'quarantine', emails that fail checks land in the recipient's spam folder. With 'reject', they are outright refused by the receiving server. 'reject' provides the strongest protection, but you should first confirm all your legitimate email flows pass SPF and DKIM to avoid blocking your own messages.
Is this test safe for my domain?
Yes. The tool only performs public DNS lookups - the same queries any mail server makes when it receives an email from your domain. No data is stored, no emails are sent, and nothing in your configuration is modified.
How can I improve my score quickly?
Start by publishing a DMARC record if you don't have one (even with a 'none' policy to begin with). Then enable DKIM with your email hosting provider. Finally, gradually move your DMARC policy from 'none' to 'quarantine' and then to 'reject' once your DMARC reports confirm everything is working.
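The issues listed under "Why is my score low?" can be checked directly against the TXT strings a DNS lookup returns. The sketch below is an added example, not this tool's code: it parses SPF and DMARC records and reports a missing DMARC record, an unenforced policy, and sending services absent from SPF. The function names, sample records and sender list are assumptions, and only top-level `include:` mechanisms are compared (a service authorized through `ip4`, `mx` or a nested include would need a fuller evaluation).

```python
def parse_spf(txt):
    """Return (include domains, qualifier of the 'all' term), or None if not SPF."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    includes, all_qualifier = set(), None
    for term in terms[1:]:
        low = term.lower()
        if low.startswith("include:"):
            includes.add(low[len("include:"):])
        elif low.lstrip("+-~?") == "all":
            all_qualifier = low[0] if low[0] in "+-~?" else "+"  # bare 'all' means '+all'
    return includes, all_qualifier

def parse_dmarc(txt):
    """Return the tags of a DMARC record, or None if v=DMARC1 is not the first tag."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    return {k.strip().lower(): v.strip() for k, v in (p.split("=", 1) for p in parts if "=" in p)}

def audit(domain_txts, dmarc_txts, expected_senders):
    """Findings for the TXT strings at the domain and at _dmarc.<domain>."""
    findings = []
    spf = [r for r in map(parse_spf, domain_txts) if r is not None]
    if len(spf) != 1:  # none is a gap; several make SPF evaluation fail
        findings.append("spf: expected exactly one v=spf1 record, found %d" % len(spf))
    else:
        includes, qualifier = spf[0]
        for sender in sorted(set(expected_senders) - includes):
            findings.append("spf: sending service not included: " + sender)
        if qualifier not in ("-", "~"):
            findings.append("spf: record does not end in '-all' or '~all'")
    dmarc = [r for r in map(parse_dmarc, dmarc_txts) if r is not None]
    if not dmarc:
        findings.append("dmarc: no record published")
    else:
        policy = dmarc[0].get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append("dmarc: policy '%s' is not enforced" % (policy or "missing"))
    return findings

# Constructed sample records and a hypothetical list of sending services:
SAMPLE_DOMAIN_TXT = ["v=spf1 include:_spf.mail.example include:crm.example ~all"]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
EXPECTED_SENDERS = ["_spf.mail.example", "crm.example", "helpdesk.example"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_DOMAIN_TXT, SAMPLE_DMARC_TXT, EXPECTED_SENDERS):
        print(finding)
```

On the constructed sample this reports the support desk missing from SPF and the `p=none` policy, the two gaps the staged rollout above is meant to close.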

Protect your team against phishing

Email protocols block technical spoofing. But 91% of cyberattacks start with an email that looks legitimate. nophi.sh trains your teams to spot the difference.
