Email Authentication Tester — SPF, DKIM, and DMARC Risk Score

Score domain spoofing risk from published SPF, DKIM, and DMARC — read-only DNS policy analysis

How to Use This Tool

  1. Enter the domain attackers might impersonate in mail.
  2. Live DNS queries fetch SPF, DKIM (default selector path), and DMARC.
  3. Heuristics score missing records, weak SPF all qualifiers, and weak DMARC p= policies.
  4. riskScore accumulates to a maximum of 100 with riskLevel tiers.
  5. risks array explains each scoring contribution in plain language.
  6. Review spf, dmarc, dmarcPolicy, spfPolicy, and summary for remediation.

About This Tool

Email authentication testing spans SPF alignment, DKIM signing, and DMARC enforcement — yet many free tools stop at record presence without risk context. VSPIC email authentication tester calls the email-spoofing action, running checkEmailDns on the domain you submit and returning riskScore, riskLevel, spoofingRisk, enumerated risks, live spf and dmarc strings, dmarcPolicy, spfPolicy, and summary tiered by severity — not live SMTP spoof attempts.

Use results before executive phishing exercises, after mail DNS migrations, or when security questionnaires ask how easily your domain can be impersonated. Pair with dmarc-propagation-checker and spf-record-checker when you need snapshot diffs alongside policy scoring.

Why use VSPIC?

  • Single authentication risk score from SPF, DKIM, and DMARC together.
  • Enumerated risks explain scoring for audit reports.
  • Surfaces permissive +all, ?all, and p=none explicitly.
  • Live policy strings for ticket evidence.
  • Actionable summary tiered by risk level.
  • Free read-only analysis — no test emails sent.

Email authentication versus deliverability alone

Deliverability asks whether mail reaches inboxes. Authentication asks whether receivers can verify senders and reject forgeries. SPF authorizes sending hosts, DKIM signs messages, DMARC sets domain policy when alignment fails.

Our tester scores authentication policy weakness via email-spoofing heuristics — complementary to dns-history snapshots that show raw TXT publication.

Understanding riskScore and riskLevel

riskScore aggregates weighted findings up to a maximum of 100. Missing SPF adds substantial points. Missing DMARC removes the enforcement signal. Permissive SPF all qualifiers and p=none add further weight. Missing DKIM on the checked selector adds moderate risk.

riskLevel maps the score to tiers: low under 40, medium 40–69, high 70+. The summary text recommends tightening policy by tier.

SPF findings in risks and spfPolicy

An absent SPF record contributes heavily to the score because receivers have no list of authorized senders. +all explicitly permits everyone. ?all is neutral. ~all is soft fail only. spfPolicy surfaces the parsed all qualifier when available.

Pair with spf-record-checker for structured found, valid, and mechanism details on the same domain.

DMARC policy and dmarcPolicy field

Missing DMARC means no domain-level spoofing policy. p=none monitors without blocking. p=quarantine partially protects. p=reject is strongest when alignment is reliable. dmarcPolicy shows parsed p= value from live _dmarc TXT.

Escalate policy after rua reports confirm legitimate mail passes alignment.
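
The scoring described in the riskScore, SPF, and DMARC sections above can be sketched as follows. This is an added example, not VSPIC's code: the weights, the function names, and the sample TXT strings are assumptions, and only the tier cut-offs (40 and 70), the cap of 100, and the field names come from this page.

```python
# Assumed weights: the page gives relative sizes ("substantial", "moderate"), not numbers.
WEIGHTS = {
    "spf_missing": 35, "spf_+all": 35, "spf_?all": 25, "spf_~all": 10,
    "dmarc_missing": 35, "dmarc_none": 25, "dmarc_quarantine": 10,
    "dkim_missing": 15,
}

def spf_all_qualifier(txt):
    """Return '+', '-', '~' or '?' for the record's all mechanism, or None."""
    terms = (txt or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return None
    for term in terms[1:]:
        if term.lstrip("+-~?") == "all" and len(term) <= 4:
            return term[0] if term[0] in "+-~?" else "+"  # bare "all" means "+all"
    return None

def dmarc_policy(txt):
    """Return the p= value of a v=DMARC1 record, or None if absent."""
    tags = {}
    for part in (txt or "").split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip().lower()
    return tags.get("p") if tags.get("v") == "dmarc1" else None

def score(spf_txt, dmarc_txt, dkim_found):
    """Score TXT strings; dkim_found is the result of the selector probe."""
    risks = []
    q = spf_all_qualifier(spf_txt)
    if not (spf_txt or "").lower().startswith("v=spf1"):
        risks.append(("spf_missing", "no SPF record published"))
    elif q in ("+", "?", "~"):
        risks.append((f"spf_{q}all", f"SPF ends in {q}all"))
    p = dmarc_policy(dmarc_txt)
    if p is None:
        risks.append(("dmarc_missing", "no DMARC policy published"))
    elif p in ("none", "quarantine"):
        risks.append((f"dmarc_{p}", f"DMARC p={p}"))
    if not dkim_found:
        risks.append(("dkim_missing", "no DKIM key at the checked selector"))
    total = min(100, sum(WEIGHTS[key] for key, _ in risks))  # cap at 100
    level = "high" if total >= 70 else "medium" if total >= 40 else "low"
    return {"riskScore": total, "riskLevel": level,
            "spfPolicy": f"{q}all" if q else None, "dmarcPolicy": p,
            "risks": [why for _, why in risks]}
```

With these assumed weights, a domain publishing `v=spf1 +all` and `p=none` with no DKIM key on the probed selector lands in the high tier even though SPF is present.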

DKIM selector limitations

checkEmailDns probes a default DKIM selector path common on many platforms. Custom selectors may exist while the default check misses them — confirm active selectors with dkim-record-checker before dismissing DKIM findings.

DKIM without DMARC still leaves receivers without unified failure policy.

Relationship to email-spoofing-test page

Both pages use the identical email-spoofing backend and return the same JSON. email-spoofing-test emphasizes attacker-centric language; email authentication tester emphasizes authentication audit vocabulary for IT and compliance searches.

API: GET /ip-tools/api/extended?action=email-spoofing&domain=example.com.

Authentication testing after DNS migrations

After MX or TXT cutovers, run this tester plus dns-history snapshots. Policy scoring confirms semantic weakness; snapshots confirm publication with queriedAt for propagation honesty.

Re-run when riskLevel is high until SPF, DKIM, and DMARC reach approved baseline.

Remediation playbook by risk tier

High: publish SPF with -all after listing senders, deploy DKIM on every outbound path, publish DMARC p=quarantine or reject with rua. Medium: tighten ~all to -all, move DMARC from none to quarantine. Low: maintain monitoring and quarterly rechecks.

Document tickets linked to each risks bullet for SOC2 evidence.

Privacy and responsible use

Analysis queries public DNS only, the same records attackers read during reconnaissance. Test domains you own or administer.

We do not send spoofed email through any mailbox.

Important notes & limitations

  • Does not send mail or test live SMTP AUTH alignment.
  • DKIM checked on default selector path — custom selectors may be missed.
  • Does not simulate receiver-specific filter behavior.
  • Score is heuristic — not identical to every mailbox provider.
  • BIMI, MTA-STS, and TLS-RPT outside scoring scope.
  • Propagation snapshots use dns-history — this page uses email-spoofing action.

Frequently Asked Questions

Yes. VSPIC offers this email authentication tester at no cost with no account required. Results load in real time.

We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.

Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.

No. It analyzes published SPF, DKIM, and DMARC via the email-spoofing action — read-only DNS policy scoring.

email-spoofing with a domain parameter.

Permissive +all or ?all, missing DMARC, or p=none can still yield high scores despite SPF being present.

A default selector path used by checkEmailDns. Verify custom selectors with dkim-record-checker separately.

Deliverability scores inbox factors including MX and PTR holistically. This page emphasizes spoofing risk via email-spoofing heuristics.

No. It reads live DNS on our lookup path. Use dns-history propagation snapshots with queriedAt diffs for publication tracking over time.

Next step for your check

Continue with email spoofing test on VSPIC.
