Is Your Domain Protected Against Email Spoofing?
3.4 billion spoofed emails sent every day. Check your DMARC, SPF, and DKIM records in seconds — free.
3.4B
spoofed emails sent every day
94%
of cyberattacks start with email
20%
of DMARC domains still set to p=none
£4.2M
average cost of a phishing breach
What We Check — And Why It Matters
Three DNS records. Three layers of protection. All working together to stop attackers from impersonating your domain.
The enforcement layer
DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving mail servers what to do when an email fails authentication — monitor it, quarantine it, or reject it outright. Without DMARC, spoofed emails from your domain land straight in inboxes.
Example record
v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com
The sender allowlist
SPF
SPF (Sender Policy Framework) is a DNS record that lists every server authorised to send email on behalf of your domain. If a message comes from a server not on that list, receiving servers know it's likely fraudulent.
Example record
v=spf1 include:_spf.google.com ~all
The digital signature
DKIM
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The receiving server checks that signature against a public key in your DNS. If it matches, the email hasn't been tampered with in transit.
Example record
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B…
How It Works
Three steps. Under 10 seconds.
Enter your domain
Type your domain name — no www, no https. Just the domain, e.g. yourcompany.com.
We query DNS live
We check your DMARC, SPF, and DKIM records directly against Google's DNS resolver in real time. No caching, no stale data.
Get a risk score
You'll see a clear pass/fail for each protocol, a risk rating, and specific instructions on what to fix and how.
Frequently Asked Questions
The things people ask us most about DMARC checking.
Is this tool completely free?
Yes. No account, no credit card, no limits. Just enter your domain and get an instant analysis.
Why can't you detect my DKIM automatically?
DKIM uses a named 'selector' that your email provider chooses — and there are thousands of possible selectors. We probe the most common ones (Google, Microsoft, Mailchimp, etc.) automatically. If we don't find yours, it just means your provider uses a custom name. Enter your selector in the results panel to verify it.
My DMARC is set to p=none — is that a problem?
Yes, eventually. p=none puts DMARC in monitoring-only mode — it generates reports but takes no action against spoofed emails. It's a fine starting point while you audit your sending sources, but you should move to p=quarantine then p=reject once you're confident your legitimate email is aligned.
What's the difference between ~all and -all in SPF?
~all is a soft fail — it marks failing emails as suspicious but still delivers them. -all is a hard fail — it instructs receiving servers to reject them outright. For maximum protection, use -all once you've confirmed all your sending sources are included in your SPF record.
How often should I check my DMARC record?
Every time you add a new sending service (a new email marketing tool, CRM, ticketing system, etc.) your SPF and DKIM need updating — and your DMARC reports will tell you when something is misaligned. Dmarclytics monitors this automatically 24/7 so you're not manually re-checking.
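The policy checks discussed in the FAQ above (a p=none DMARC policy, ~all versus -all in SPF), as an added example that is not Dmarclytics' code. It evaluates record strings offline with no DNS lookup, and the pass/warn/fail labels are assumptions rather than the tool's scoring.

```python
# Added example: offline checks on DMARC and SPF TXT record strings.
# The pass/warn/fail labels are assumptions, not any checker's real scoring.

def parse_dmarc(record):
    """Split a DMARC record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Return (status, detail); pass None when no record is published."""
    if not record:
        return ("fail", "no DMARC record published")
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ("fail", "missing v=DMARC1 version tag")
    policy = tags.get("p", "").lower()
    if policy in ("reject", "quarantine"):
        return ("pass", "p=%s: failing mail is acted on" % policy)
    if policy == "none":
        return ("warn", "p=none: monitoring only, spoofed mail is not blocked")
    return ("fail", "missing or invalid p= tag")

SPF_ALL = {  # qualifier on the 'all' mechanism -> (status, detail)
    "-": ("pass", "-all: hard fail for unlisted senders"),
    "~": ("warn", "~all: soft fail, unlisted senders are still delivered"),
    "?": ("warn", "?all: neutral, no statement about unlisted senders"),
    "+": ("fail", "+all: every server is authorised"),
}

def check_spf(record):
    """Return (status, detail) from the record's 'all' mechanism."""
    terms = (record or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return ("fail", "no SPF record published")
    for term in terms[1:]:
        if term.lstrip("+-~?") == "all":  # a bare 'all' means '+all'
            return SPF_ALL[term[0] if term[0] in SPF_ALL else "+"]
    if any(t.startswith("redirect=") for t in terms[1:]):
        return ("warn", "policy comes from the redirect= target record")
    return ("warn", "no 'all' mechanism: unlisted senders get a neutral result")

if __name__ == "__main__":
    # The page's example records, plus a constructed p=none record.
    print(check_dmarc("v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com"))
    print(check_dmarc("v=DMARC1; p=none"))
    print(check_spf("v=spf1 include:_spf.google.com ~all"))
```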
Checking Once Isn't Enough
Every time you add a new email tool, your DMARC alignment can break — and you won't know until it's too late.
Dmarclytics monitors your DMARC, SPF, and DKIM 24/7, parses your aggregate reports, and alerts you the moment something goes wrong.
No credit card · Free plan available · Setup in 2 minutes