Email Spoofing Test — SPF, DKIM, and DMARC Risk Score

SMTP historically allowed anyone to claim any envelope or header address. SPF, DKIM, and DMARC let domain owners publish which senders are legitimate and how receivers should treat failures. Attackers target domains with no DMARC enforcement or SPF that effectively permits the world (+all or missing records).

Our test does not launch attacks — it reads the same public DNS policies receivers consult. If your published posture is weak, the score reflects exploitable gap independent of whether anyone is actively spoofing you today.

riskScore aggregates weighted findings to a maximum of 100. Missing SPF adds substantial points because receivers lack sender authorization lists. Missing DMARC removes domain-level enforcement. Permissive SPF all qualifiers and p=none add further weight. Missing DKIM on the checked selector adds moderate risk.

riskLevel buckets: low under 40, medium 40–69, high 70+. High tiers trigger recommendation copy urging -all SPF and DMARC reject or quarantine. Medium suggests tightening DMARC and reviewing mechanisms. Low indicates comparatively stronger published policy — still not a guarantee against targeted attacks.

Absent SPF produces a finding that any server may send without alignment checks. +all means the policy explicitly authorizes everyone — maximum weakness. ?all is neutral — little enforcement signal. ~all is soft fail — better than neutral but spoofed mail may still deliver to inboxes on lenient receivers.

The test surfaces spfPolicy from parsed details when available. Pair findings with SPF record generator output when rebuilding policy from scratch.

Missing DMARC means receivers apply local defaults — often delivery with weak signals only. p=none is monitoring without enforcement — spoofed mail still arrives while you collect reports. p=quarantine partially protects; p=reject is strongest when alignment is reliable.

dmarcPolicy in results shows parsed p= value. Escalate from none through quarantine to reject as rua reports confirm legitimate mail passes alignment.

We probe a default DKIM selector path common on many platforms. Custom selectors — selector1._domainkey, google, s1 — may exist while the default check misses them, inflating risk slightly. Confirm all active selectors with our DKIM key checker before dismissing DKIM findings.

DKIM without DMARC still leaves receivers without unified policy on what to do when only one of SPF/DKIM passes — deploy DMARC to tie signals together.

Live SMTP conversations, envelope/header From mismatches, cousin domains, homoglyph attacks, and display-name-only impersonation are out of scope. Compromised real mailboxes bypass SPF entirely because mail is legitimately signed.

Use phishing simulation vendors for social engineering tests; use this tool for DNS authentication hygiene underlying those campaigns.

High: publish SPF with -all after listing all senders, deploy DKIM on every outbound path, publish DMARC p=quarantine or reject with rua. Medium: tighten ~all to -all, move DMARC from none to quarantine, add missing includes. Low: maintain monitoring, rotate selectors after vendor changes, schedule quarterly rechecks.

Re-run after every DNS change. Spoofing risk can jump overnight if someone deletes _dmarc during unrelated TXT edits.

Deliverability checker scores inbox placement factors including SPF, DKIM, DMARC validity, MX, and PTR holistically. Spoofing test emphasizes attacker-exploitable weakness with explicit risk semantics. Use deliverability for sender ops; use spoofing test for security questionnaires and CISO reporting.

Both query live DNS — run together after migrations for complete mail authentication picture.

Export riskScore and risks bullets into board slides — non-technical audiences grasp high/medium/low faster than raw TXT. Acquisition teams scan portfolios for high-risk domains before integration into corporate Google Workspace or M365 tenants.

Document remediation tickets linked to each finding for SOC2 and ISO evidence trails.

Analysis queries public DNS only — the same records phishers reconnaissance. Test domains you own or administer. Do not use scores to claim third-party domains are attackable in public disclosures without responsible coordination.

We do not send spoofed email through any mailbox you control.