Free. No signup. No logging.

Email Security Checker

See whether your domain is protected against email spoofing and impersonation. Get a graded report on your SPF, DKIM, DMARC, and MX records in seconds — with specific recommendations to fix any gaps. Built by Datastrive, a Chicago managed IT and cybersecurity provider.

  • Real-time DNS via Cloudflare
  • Specific fix recommendations
  • Works on any domain

What we check — and why each one matters

Email security isn’t one setting. It’s a stack of three DNS records that work together to stop attackers from forging email from your domain. If any layer is missing, attackers exploit the gap.

SPF

Sender Policy Framework

Tells receiving mail servers which IP addresses are allowed to send email on behalf of your domain. The first line of defense against direct spoofing — and the easiest to set up.

DKIM

DomainKeys Identified Mail

Cryptographically signs your outgoing email so the receiver can verify it really came from your domain and wasn’t tampered with in transit. Configured by your email provider.

DMARC

Domain-based Authentication

Tells receiving servers what to do when SPF or DKIM fails — and emails you reports about attacks against your domain. The most underused and most impactful of the three.

MX

Mail Exchange Records

The DNS entries that route incoming email to your mail provider (Google Workspace, Microsoft 365, etc.). Without correct MX records, you don’t receive email at all.

How to fix the most common email security gaps

If your report came back with warnings or fails, here’s the order that almost always makes sense for small and mid-sized businesses. Knock these out one by one.

  1. Set up SPF first — it’s the easiest win
     SPF is a single TXT record in your DNS. Most email providers give you the exact value to use. For Google Workspace it’s v=spf1 include:_spf.google.com -all. For Microsoft 365 it’s v=spf1 include:spf.protection.outlook.com -all. End it with -all (hard fail), not ~all, once you’re sure all your senders are covered.
  2. Enable DKIM in your email provider’s admin console
     You don’t write DKIM by hand — your provider generates the keys and tells you what DNS records to add. In Google Workspace it’s under Apps → Google Workspace → Gmail → Authenticate email. In Microsoft 365 Defender, it’s under Email & collaboration → Policies & rules → DKIM. Add the CNAMEs they give you, then enable signing.
  3. Deploy DMARC starting at p=none
     Add a TXT record at _dmarc.yourdomain.com with v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. The p=none policy doesn’t block anything — it just collects reports so you can see who’s sending email as you. Run it for two to four weeks and review the reports.
  4. Move DMARC to p=quarantine, then p=reject
     Once your reports show only legitimate senders are passing SPF and DKIM, tighten the policy to p=quarantine (sends spoofed mail to spam folders) and eventually p=reject (blocks it outright). Most domains can reach p=reject within a couple of months.
  5. Use a DMARC report parser
     Raw DMARC reports are XML and unreadable. Free tools like Postmark’s DMARC Digests or paid platforms like dmarcian or Valimail aggregate them into something usable. You’ll quickly see which legitimate services need to be added to your SPF and DKIM setup.
  6. Add MTA-STS for transport security
     MTA-STS forces incoming email to your domain over encrypted connections, blocking downgrade attacks. It’s optional but increasingly expected on enterprise domains. Once SPF, DKIM, and DMARC are solid, this is the next step.
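
An added example (not Datastrive's code) showing one way to grade the SPF and DMARC TXT strings from steps 1, 3 and 4. The function names and the pass/warn/fail labels are this example's own assumptions; pass it the TXT strings you see at your domain and at _dmarc.yourdomain.com.

```javascript
// Added example: grades TXT record strings against the steps above.
// Grading labels (pass/warn/fail/info) are this example's own convention.

// Split "k=v; k=v" DMARC tags into an object keyed by lower-cased tag name.
function parseTags(record) {
  const tags = {};
  for (const part of record.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return tags;
}

// txtRecords: every TXT string published at the domain itself.
function gradeSpf(txtRecords) {
  const spf = txtRecords.filter((r) => /^v=spf1(\s|$)/i.test(r.trim()));
  if (spf.length === 0) return "fail: no SPF record";
  if (spf.length > 1) return "fail: multiple SPF records (receivers return permerror)";
  const terms = spf[0].trim().split(/\s+/).slice(1);
  const all = terms.find((t) => /^[+\-~?]?all$/i.test(t));
  if (!all) {
    return terms.some((t) => /^redirect=/i.test(t))
      ? "info: policy delegated with redirect="
      : "warn: no 'all' mechanism, unlisted senders get a neutral result";
  }
  const qualifier = /^[+\-~?]/.test(all) ? all[0] : "+"; // bare "all" means "+all"
  return { "-": "pass: -all (hard fail)", "~": "warn: ~all (soft fail)",
           "?": "warn: ?all (neutral)", "+": "fail: +all authorizes every sender" }[qualifier];
}

// txtRecords: every TXT string published at _dmarc.<domain>.
function gradeDmarc(txtRecords) {
  const recs = txtRecords.filter((r) => /^v=DMARC1\s*(;|$)/.test(r.trim()));
  if (recs.length === 0) return "fail: no DMARC record";
  if (recs.length > 1) return "fail: multiple DMARC records, policy is not applied";
  const tags = parseTags(recs[0]);
  const p = (tags.p || "").toLowerCase();
  if (!["none", "quarantine", "reject"].includes(p)) return "fail: missing or invalid p= tag";
  if (p === "none") {
    return tags.rua ? "warn: p=none, monitoring only"
                    : "fail: p=none without rua, no reports and no enforcement";
  }
  const grade = p === "reject" ? "pass" : "warn";
  return `${grade}: p=${p}` + (tags.rua ? "" : " (no rua, reports are not being collected)");
}
```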

Frequently asked questions

What is email spoofing and why should I care?

Email spoofing is when an attacker sends email that appears to come from your domain — your CEO, your billing department, anyone. The receiving mail server has no built-in way to know whether the sender is legitimate. Without SPF, DKIM, and DMARC in place, attackers can impersonate your business with no friction.

The impact ranges from phishing your customers (a brand and trust problem) to wire fraud against your finance team (a direct financial loss). Business email compromise is consistently among the most expensive cybercrime categories tracked by the FBI’s IC3.

What’s the practical difference between SPF, DKIM, and DMARC?

SPF says: “These IP addresses are allowed to send email for my domain.” It checks the envelope sender (the technical From, not the visible one).

DKIM says: “I cryptographically signed this message — here’s the public key to verify it.” It proves the email content wasn’t tampered with and originates from a server holding your private key.

DMARC says: “If SPF or DKIM fails, here’s what to do (nothing, quarantine, or reject) — and email me reports about it.” It’s the policy and feedback layer that ties the other two together.

My DMARC says p=none. Is that safe?

Not really — p=none is monitoring only. It tells receiving servers to do nothing when an email fails authentication, just send you a report. That’s the right starting point for the first few weeks while you discover legitimate senders, but if you stay there indefinitely, you’re getting visibility without protection.

Move to p=quarantine as soon as your reports look clean, then to p=reject. Most domains can complete the journey in 4–8 weeks.

Why might DKIM show “not detected” if I have it set up?

DKIM records live at {selector}._domainkey.{yourdomain} — and the selector is whatever string your email provider chose. There’s no standard. Google Workspace uses google. Microsoft 365 uses selector1 and selector2. Your marketing tool might use k1 or something custom.

This tool probes the most common selectors used by major providers. If your provider uses a non-standard selector, we may not find it — but that doesn’t mean DKIM is broken. Check your provider’s admin panel to confirm.
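
An added example (not the checker's own code) of what selector probing involves, using the resolver's DNS-over-HTTPS JSON answer format. The selector list comes from the answer above; the `lookup` callback, the `example.com` names and every response in `SAMPLE` are constructed for illustration.

```javascript
// Added example: DKIM selector probing over DNS-over-HTTPS JSON answers.
const SELECTORS = ["google", "selector1", "selector2", "k1"]; // named in the text above

// TXT data arrives as one or more quoted chunks of up to 255 bytes each;
// long DKIM keys are split, so the chunks must be joined before parsing.
function txtValue(data) {
  const chunks = data.match(/"((?:[^"\\]|\\.)*)"/g);
  if (!chunks) return data; // value returned without quotes
  return chunks.map((c) => c.slice(1, -1).replace(/\\(.)/g, "$1")).join("");
}

// Classify one resolver response for a {selector}._domainkey.{domain} query.
function classify(response) {
  if (!response || response.Status !== 0 || !response.Answer) return "not found";
  // A CNAME-delegated selector returns a type 5 record before the TXT (type 16).
  const txt = response.Answer.filter((a) => a.type === 16).map((a) => txtValue(a.data));
  const rec = txt.find((t) => /(^|;)\s*p=/.test(t));
  if (!rec) return "not found";
  const key = /(?:^|;)\s*p=([^;]*)/.exec(rec)[1].replace(/\s+/g, "");
  return key === "" ? "revoked (empty p=)" : "found";
}

// lookup(name) stands in for the DoH query and returns the parsed JSON body.
function probeDkim(domain, lookup) {
  const results = {};
  for (const s of SELECTORS) results[s] = classify(lookup(`${s}._domainkey.${domain}`));
  return results;
}

// Constructed responses; the p= values are placeholders, not real keys.
const SAMPLE = {
  "google._domainkey.example.com": { Status: 0, Answer: [
    { type: 16, data: '"v=DKIM1; k=rsa; p=CONSTRUCTED" "KEYDATA"' }] },
  "selector1._domainkey.example.com": { Status: 0, Answer: [
    { type: 5, data: "selector1-example-com._domainkey.example.onmicrosoft.com." },
    { type: 16, data: '"v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"' }] },
  "selector2._domainkey.example.com": { Status: 0, Answer: [
    { type: 16, data: '"v=DKIM1; p="' }] },
  "k1._domainkey.example.com": { Status: 3 }, // NXDOMAIN
};
```

A "not found" for every probed selector only means none of the guessed names exist; a provider using a selector outside the list still signs mail correctly.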

Will tightening DMARC break my legitimate email?

It can, if you skip the p=none monitoring phase. The most common surprise is a third-party service sending email as your domain that you’ve forgotten about — an old marketing tool, a hosted form, an invoicing system. p=none exposes those before you start blocking.

Once your DMARC reports show only legitimate senders are passing, moving to p=quarantine and then p=reject is safe. The XML reports are critical here — do not skip reviewing them.

Is this tool reading or storing my domain data?

The checker runs entirely in your browser. The actual DNS lookups go through Cloudflare’s public 1.1.1.1 resolver (with Google DNS as fallback) — the same DNS-over-HTTPS service most modern browsers use natively. Your domain query is visible to the resolver in the same way any DNS lookup would be. Nothing is sent to Datastrive servers, logged, or stored.

Need help fixing what this tool found?

If your report came back with gaps in DMARC, DKIM, or SPF, we can deploy a complete email authentication setup — including DMARC monitoring and reporting — usually within two to four weeks. Datastrive is a Chicago managed IT and cybersecurity provider serving small and mid-sized businesses.
