
Can my domain be spoofed?

A clear yes / maybe / no answer instead of a wall of DMARC, SPF, and DKIM jargon. We check whether someone can send mail FROM your domain and land it in inboxes, and explain exactly which signals are holding the door open.

What this tool checks

The standard email-authentication tools dump the raw inputs at you - DMARC policy, SPF mechanism, DKIM selectors, MTA-STS mode - and leave you to assemble the answer yourself. That's useful when you already understand the model. It's unreadable when you're a non-IT person trying to figure out whether your domain is leaving the door open.

This tool computes the verdict the inputs add up to. We look at four signals:

  • DMARC policy - is there a record, what does it say to do with failures (none / quarantine / reject), and is it applied to 100% of mail?
  • SPF strictness - the record's terminal mechanism. -all (hardfail) actively blocks unauthorised senders. ~all (softfail) just labels them. +all tells receivers to accept anything (a misconfiguration we still see in the wild).
  • DKIM presence - we probe ~25 common selectors. If any returns a public key, your domain publishes DKIM and DMARC has something to align against.
  • MTA-STS - related but distinct. MTA-STS stops an attacker from intercepting your inbound mail by downgrading the SMTP connection to plaintext. It doesn't change the "can I be spoofed?" answer directly, but it appears as a "transport leak" indicator.

Then we synthesise: YES, MAYBE, or NO. Each verdict comes with the specific signal that drove it, so you can hand the page to whoever owns DNS and they know exactly what to fix.

How to read the results

YES: no DMARC at all, or DMARC at p=none. Receivers have no policy to apply, so spoofed mail lands somewhere between inbox and spam depending on the receiver's own reputation engine - but it's not blocked. This is the default state of most domains.

MAYBE: DMARC at p=quarantine, or p=reject with pct<100, or SPF softfail without DKIM. Mailbox providers MAY quarantine or reject spoofed mail, but the rollout is incomplete. A patient attacker eventually lands one.

NO: DMARC at p=reject + pct=100, AND either SPF hardfail (-all) or DKIM publishing at least one valid key. Spoofed mail is rejected at SMTP. Your domain is not practically spoofable today.
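The three verdict rules above, applied in code as an added example (not the tool's own code): the function takes already-fetched DMARC and SPF TXT records plus a DKIM-found flag and returns the verdict with the signal that drove it. The sample records at the bottom are constructed, not real DNS data.

```python
import re

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs (tags lowercased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def spf_terminal(txt):
    """Qualifier of the terminal 'all' mechanism: '-', '~', '+', '?' or None if absent."""
    m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", txt)
    if not m:
        return None
    return m.group(1) or "+"  # a bare 'all' is implicitly '+all'

def verdict(dmarc_txt, spf_txt, dkim_found):
    """Return (YES|MAYBE|NO, reason) following the rules in 'How to read the results'."""
    if not dmarc_txt or not dmarc_txt.lower().startswith("v=dmarc1"):
        return "YES", "no DMARC record published"
    d = parse_dmarc(dmarc_txt)
    p = d.get("p", "none").lower()
    pct = int(d.get("pct", "100"))  # DMARC default when pct is omitted
    if p == "none":
        return "YES", "DMARC is p=none: receivers have no policy to apply"
    if p == "quarantine":
        return "MAYBE", "DMARC is p=quarantine, not p=reject"
    if pct < 100:
        return "MAYBE", f"DMARC is p=reject but pct={pct}"
    q = spf_terminal(spf_txt or "")
    if q == "-" or dkim_found:
        return "NO", "p=reject at pct=100 with SPF -all or a published DKIM key"
    return "MAYBE", "p=reject at pct=100 but SPF is softfail and no DKIM key found"

# Constructed sample records (not real DNS data) for a quick run.
SAMPLES = {
    "no-dmarc": (None, "v=spf1 ip4:192.0.2.0/24 -all", False),
    "monitor-only": ("v=DMARC1; p=none; rua=mailto:dmarc@example.com", "v=spf1 ~all", True),
    "half-rollout": ("v=DMARC1; p=reject; pct=50", "v=spf1 -all", True),
    "enforced": ("v=DMARC1; p=reject", "v=spf1 include:_spf.example.net -all", False),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        print(f"{name:13s} -> {verdict(*args)}")
```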

Frequently asked questions

What does "spoofable" actually mean?

Practically: can a third party send an email whose From: address is at your domain, from their own server (not yours), and have it land in someone's inbox without getting rejected, quarantined, or filtered hard? "Yes" means the receiving server has no policy in place to stop it.

My company has DMARC but the verdict is MAYBE - why?

DMARC at p=none, p=quarantine, or p=reject with pct<100 are all "partial" by design - they're mid-rollout policies, not protective states. The goal is to walk the rollout up to p=reject + pct=100 once your DMARC reports show no legitimate-sender failures. Until then the protection is incomplete.

You said DKIM is "found" but I configured a different selector. Is that a problem?

No - we probe ~25 common selectors as a heuristic, not an exhaustive enumeration. If your selector isn't in our list we won't find it, but DKIM is still working. The impact on the verdict is small: DMARC alignment uses whatever signature is present at signing time, not what we discover via probe.

What's the difference between SPF -all and ~all?

Terminal mechanism semantics: -all (hardfail) tells receivers to REJECT mail from IPs not in the policy. ~all (softfail) tells them to ACCEPT BUT MARK. Most DMARC enforcement aligns with -all; softfail is treated as a partial fail and often passes through without action. Tighten to -all once your SPF record correctly lists every sender.

Is this free?

Yes. No signup. Wiredepth Pro adds continuous monitoring so you're alerted if your DMARC / SPF / DKIM posture regresses (e.g., someone disables DMARC enforcement during a migration and the rollback gets forgotten).
