← All toolsLive DNS lookup

Domain Spoofability Score

See how easy it is to send email that appears to come from your domain. Scores from Critical to Low based on DMARC enforcement, SPF, and DKIM.

Live lookup, no account required. Monitor DMARC enforcement across all your sending sources.

See plans →

What makes a domain spoofable?

Email spoofing is the act of sending a message with a forged From header that makes it appear to come from a domain the sender doesn't control. DMARC is the mechanism that lets domain owners tell receiving servers what to do with mail that fails authentication checks. Without DMARC (or with DMARC set to monitoring mode), receiving servers deliver spoofed mail with no indication that anything is wrong. The spoofability score reflects how much enforcement is actually in place.

How the score is calculated

  • CriticalNo DMARC record. Receiving servers have no policy instruction for mail claiming to be from this domain. Spoofed messages are delivered freely.
  • HighDMARC published at p=none (monitoring only). Reports are generated but spoofed mail is still delivered. The policy instructs receivers to take no action.
  • MediumDMARC at p=quarantine or p=reject with partial enforcement (pct<100). Spoofed mail lands in spam rather than the inbox: reduced impact but not eliminated.
  • LowDMARC at p=reject with full enforcement. Receiving servers reject messages that fail authentication. Spoofed mail is blocked before it reaches recipients.

Frequently asked questions

My domain has SPF. Why is the score still Critical or High?
SPF alone does not prevent spoofing. SPF verifies the envelope sender (the return-path), not the From header that recipients see. An attacker can put your domain in the From header while using a different envelope sender. SPF passes but the message looks like it came from you. DMARC is what ties the From domain to the authentication result and gives receivers a policy to enforce.
What's the difference between High and Critical?
Critical means no DMARC record at all: receivers have nothing to check against. High means DMARC is published but set to p=none, which instructs receivers to collect reports but deliver everything. In practice, both result in spoofed mail reaching inboxes. Critical is worse because there is no monitoring visibility either.
I moved to p=reject but legitimate mail broke. What happened?
A sending source (an ESP, CRM, or transactional mail provider) wasn't properly aligned when you enforced the policy. DMARC alignment requires the From domain to match either the SPF envelope sender or the DKIM signing domain. If a sender uses its own envelope domain and hasn't set up DKIM signing for your domain, its mail fails alignment and gets rejected. Start at p=none, review your DMARC aggregate reports to confirm all senders are passing, then move to enforcement. See the email authentication checker to diagnose alignment issues.
Does this tool check subdomains too?
Enter any subdomain directly. DMARC has subdomain inheritance: if no record exists at _dmarc.sub.example.com, receivers fall back to the organizational domain policy at _dmarc.example.com. Subdomains can also be covered by the sp= tag in the parent record. This tool checks the record at the domain you enter. Verify subdomain coverage by entering each one directly.

Know your score. Know your senders.

A Low score requires that every sending source (your ESP, CRM, ticketing system) passes DMARC alignment. DMARCdrift shows you which sources are passing, which are failing, and what to fix before you can safely enforce.

Get started free →

Track spoofability over time as you harden your DMARC policy.

See plans →