Can your domain be spoofed? How to test it
· spoofing · dmarc · spf · dkim · email
Your domain is spoofable if it does not publish an enforced SPF policy and a DMARC record set to p=quarantine or p=reject. To test it, check three things: an SPF record ending in -all or ~all, a DMARC record at _dmarc.yourdomain with a policy stronger than none, and DKIM signing that aligns with your domain. If DMARC is missing or set to p=none, anyone can put your exact domain in the From: header and most receivers will deliver it.
The three checks that decide it
Spoofability is not a vibe — it is the state of three DNS records. Run all three with dig:
dig +short TXT example.com # look for the SPF record
dig +short TXT _dmarc.example.com # the DMARC policy
dig +short TXT selector._domainkey.example.com # a DKIM key
An SPF record lists who may send for you and ends with a qualifier. The two safe endings are -all (hard fail — reject everything else) or ~all (soft fail — mark as suspicious). A record ending in +all or ?all, or no SPF at all, leaves the gate open.
Why p=none means you are still spoofable
This is the trap. A DMARC record like v=DMARC1; p=none; rua=mailto:... looks like protection and is not. p=none is monitor-only: it asks receivers to send you aggregate reports but tells them to deliver failing mail anyway. An attacker forging your domain sails straight through. Only p=quarantine (route to spam) or p=reject (bounce at the SMTP edge) actually stops the forged message from landing.
If your dig on _dmarc returns nothing, or returns p=none, treat your domain as openly spoofable today.
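As an added example, not code from the original article, here are the three checks applied to the TXT strings the dig queries above return, so you can paste in real answers and get the same verdict the article describes. The sample records are constructed, the DKIM key is a placeholder, and the pct handling goes slightly beyond the text: a quarantine or reject policy with pct below 100 is flagged, since it only applies to part of failing mail.

```python
import re

# Constructed sample TXT records, playing the part of the three dig answers
# (not real records for any domain; the DKIM key is a truncated placeholder).
SPF_TXT = "v=spf1 include:_spf.example-esp.invalid ip4:192.0.2.10 -all"
DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DKIM_TXT = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCg...PLACEHOLDER"


def spf_all_qualifier(txt):
    """Qualifier on the SPF 'all' mechanism: '-', '~', '?' or '+'; None if absent."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # a bare 'all' means '+all'
    return None


def dmarc_tags(txt):
    """Split 'v=DMARC1; p=reject; pct=10' into {'v': 'DMARC1', 'p': 'reject', 'pct': '10'}."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return {}
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def assess(spf_txt, dmarc_txt, dkim_txt):
    """Apply the article's three checks; return (spoofable, findings)."""
    findings = []
    if spf_all_qualifier(spf_txt) not in ("-", "~"):
        findings.append("SPF: no record, or it ends in +all/?all")
    tags = dmarc_tags(dmarc_txt)
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: no record or p=none (monitor-only, forged mail is delivered)")
    elif tags.get("pct", "100") != "100":
        findings.append("DMARC: pct=%s, policy applied to only part of failing mail" % tags["pct"])
    key = re.search(r"(?:^|;)\s*p=([^;\s]*)", dkim_txt or "")
    if not key or not key.group(1):
        findings.append("DKIM: no public key at the selector (an empty p= means revoked)")
    # Spoofable in the article's sense: SPF not enforced, or DMARC not enforcing.
    spoofable = any(f.startswith(("SPF:", "DMARC: no")) for f in findings)
    return spoofable, findings


if __name__ == "__main__":
    spoofable, findings = assess(SPF_TXT, DMARC_TXT, DKIM_TXT)
    print("spoofable:", spoofable)
    for f in findings:
        print(" -", f)
```

With the sample records the verdict is spoofable, because p=none is the only thing wrong with them.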
The fix: SPF then DKIM then DMARC, ramped to reject
Build the stack in order. Publish a tight SPF record ending in -all. Enable DKIM signing on every legitimate sending service so the d= tag matches your domain. Then publish DMARC, starting at p=none only to read reports and catch forgotten senders, and ramp through p=quarantine; pct=10 up to p=reject. The destination is p=reject — anything short of enforcement is just telemetry.
What reject does not fix
Even at p=reject, only your exact domain is locked down. Two attacks survive: display-name spoofing (the From: shows "Your Bank" but the address is [email protected] — DMARC never inspects the friendly name) and lookalike domains (exampIe.com with a capital I, or example-support.com). If you are at p=reject and still seeing impersonation, those are the usual culprits — see why you can still get spoofed at p=reject.
Don't guess at your posture from memory. Records drift, ESPs change, and a single typo silently voids a policy.
Further reading
- What is DMARC? (and how to check if yours is configured correctly)
- Email deliverability checklist: SPF, DKIM, and DMARC in order
- RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance