Is My Domain Protected? How to Check If Your Email Domain Is Safe from Spoofing
Quick Answer: Is My Domain Protected from Email Spoofing?
A domain is protected when it has three DNS records in place, SPF, DKIM, and DMARC, and the DMARC policy is set to enforcement (p=quarantine or p=reject). Without them, anyone can send email that appears to come from your domain without ever logging in to an account at it. Check your status free in under three minutes at soemailsecurity.com.
What Does "Domain Protection" Mean in Email Security?
Domain protection in email security refers to the set of DNS-based controls that prevent unauthorized senders from impersonating your domain. These controls are published as text records in your domain's DNS and queried by receiving mail servers before deciding whether to deliver, quarantine, or reject an incoming message.
The three core standards are:
SPF (Sender Policy Framework) specifies which mail servers are authorized to send email on behalf of your domain. It is defined in IETF RFC 7208.
DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to outgoing messages. Receiving servers verify the signature against a public key published at a selector under _domainkey in your DNS, confirming that the signed headers and body were not altered in transit and that the message was signed by a holder of your domain's private key. It is defined in IETF RFC 6376.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together by requiring that the domain they authenticate match the domain in the visible "From" header. It tells receiving servers what to do when that check fails: monitor only (p=none), treat as suspicious, typically delivering to spam (p=quarantine), or block outright (p=reject). It is defined in IETF RFC 7489. NIST Special Publication 800-177r1 formally recommends DMARC deployment at enforcement level for all organizations.
A domain missing any one of these records, or publishing DMARC with p=none, is exposed to impersonation: SPF and DKIM supply the evidence, but only a DMARC enforcement policy tells receivers to act on it.
Why Does Domain Protection Matter? What Do the Statistics Show?
Email fraud is among the costliest forms of cybercrime tracked by U.S. law enforcement, and unprotected domains are its primary technical enabler.
The FBI's Internet Crime Complaint Center (IC3) reported that Business Email Compromise (BEC) caused $2.9 billion in reported losses in 2023, second only to investment fraud in that year's annual IC3 report. A significant share of BEC attacks involve direct domain spoofing, where the attacker sends email from the victim's exact domain address.
A 2023 analysis by Valimail found that more than 80 percent of global domains have no DMARC policy, leaving them open to impersonation with no technical barrier. An attacker can send email from your exact domain using free mail transfer software and no credentials.
The IRS has issued multiple public warnings about W-2 phishing campaigns and vendor payment redirect fraud, both of which routinely exploit domains with missing or unenforced authentication records. Freelancers, nonprofits, and small businesses are disproportionately targeted because they rarely audit their DNS configuration.
The cost of a misconfigured domain is not theoretical. It is measured in wire transfers that cannot be recalled.
How Does a Domain Spoofing Attack Actually Work?
Understanding the mechanics is the clearest argument for action.
Step 1: The attacker selects a target domain. Using a public DNS lookup, the attacker checks whether your domain has a DMARC enforcement policy. This takes seconds and requires no special tools.
Step 2: The attacker forges the "From" header. Free mail transfer agent software allows anyone to set any value in the "From" header, because to SMTP that header is just part of the message text. The envelope sender (MAIL FROM) and any DKIM signature can belong to a domain the attacker controls, so SPF and DKIM can both pass for the attacker's own domain. No login, no password, and no account at your domain is required.
Step 3: The spoofed email is delivered. If no DMARC enforcement policy exists, nothing tells receiving mail servers to check that the authenticated domain matches the one in the "From" header, and they have no instruction to block or flag the message. It lands in the recipient's inbox with your domain name displayed in the sender field.
Step 4: The recipient is deceived. The target sees a message that appears to come from a known contact at your organization. The attacker requests a wire transfer, updated banking details, or employee W-2 records.
Step 5: The fraud is completed. The FBI reports that fewer than 30 percent of BEC losses are recovered.
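The mechanics above, as an added Python example that is not the page's or Ṣọ Email Security's own code: a constructed SMTP session in which the envelope sender and the DKIM signature belong to the attacker's own domain while the "From" header names the victim, followed by the receiver-side DMARC decision for that message under no record, p=none and p=reject. victim.test, attacker.test, victim-partner.test and crm-vendor.test are placeholder names; the SPF and DKIM outcomes are given as inputs rather than computed, and the organisational-domain rule is simplified to the last two DNS labels.

```python
# Constructed SMTP session (not a real capture). S: is the receiving server, C: is the attacker.
# The envelope sender and the DKIM d= are the attacker's domain; only the From: header is forged.
SPOOFED_SESSION = """\
S: 220 mx.victim-partner.test ESMTP
C: EHLO mail.attacker.test
S: 250 mx.victim-partner.test Hello
C: MAIL FROM:<bounce@attacker.test>
S: 250 2.1.0 OK
C: RCPT TO:<ap@victim-partner.test>
S: 250 2.1.5 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: DKIM-Signature: v=1; a=rsa-sha256; d=attacker.test; s=s1; h=from:to:subject; bh=bodyHashOmitted; b=signatureOmitted
C: From: "Chief Financial Officer" <cfo@victim.test>
C: To: ap@victim-partner.test
C: Subject: Updated wire instructions
C:
C: Please use the new account on the attached invoice.
C: .
S: 250 2.0.0 OK queued
"""

def parse_session(transcript):
    """Pull the envelope sender, the header From and the DKIM d= out of a captured session."""
    info = {"mail_from": None, "header_from": None, "dkim_d": None}
    in_body = False
    for line in transcript.splitlines():
        if not line.startswith("C:"):
            continue
        text = line[2:].strip()
        if text.upper().startswith("MAIL FROM:"):
            info["mail_from"] = text.split("<", 1)[1].rstrip(">")
        elif text == "":
            in_body = True                       # the blank line ends the header block
        elif not in_body and text.startswith("From:"):
            info["header_from"] = text.split("<")[-1].rstrip(">")
        elif not in_body and text.startswith("DKIM-Signature:"):
            for tag in text.split(":", 1)[1].split(";"):
                key, _, value = tag.strip().partition("=")
                if key == "d":
                    info["dkim_d"] = value
    return info

def org_domain(domain):
    # Simplification: RFC 7489 derives the organisational domain from the Public Suffix List;
    # the last two labels are enough for the placeholder names used here.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_domain, auth_domain, mode="r"):
    """Identifier alignment: 's' needs an exact match, 'r' the same organisational domain."""
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)

def dmarc_evaluate(msg, dmarc_records):
    """msg holds what the receiving MTA knows after its own SPF and DKIM checks.
    dmarc_records stands in for DNS: {'_dmarc.<domain>': txt}. Returns (result, disposition)."""
    from_domain = msg["header_from"].split("@")[1]
    record = (dmarc_records.get("_dmarc." + from_domain)
              or dmarc_records.get("_dmarc." + org_domain(from_domain)))   # subdomain fallback
    if record is None:
        return "none", "deliver"             # no policy published: the receiver has no instruction
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    spf_ok = msg["spf_result"] == "pass" and aligned(
        from_domain, msg["mail_from"].split("@")[1], tags.get("aspf", "r"))
    dkim_ok = msg["dkim_result"] == "pass" and aligned(from_domain, msg["dkim_d"], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "spam folder", "reject": "reject at SMTP"}
    return "fail", disposition.get(tags.get("p", "none"), "deliver")

# SPF and DKIM both pass for attacker.test, the attacker's own domain. Neither identifier aligns
# with the From: header, and that mismatch is the only thing DMARC adds.
SPOOFED_MSG = {**parse_session(SPOOFED_SESSION), "spf_result": "pass", "dkim_result": "pass"}

# A legitimate message relayed by a CRM vendor: SPF passes only for the vendor's bounce domain,
# but the vendor signs with the customer's DKIM key, which is enough for DMARC to pass.
LEGIT_VIA_CRM = {"header_from": "billing@victim.test", "mail_from": "bounce@crm-vendor.test",
                 "spf_result": "pass", "dkim_d": "victim.test", "dkim_result": "pass"}

if __name__ == "__main__":
    for dns in ({}, {"_dmarc.victim.test": "v=DMARC1; p=none"}, {"_dmarc.victim.test": "v=DMARC1; p=reject"}):
        print(dns, dmarc_evaluate(SPOOFED_MSG, dns))
```

The point the example makes is that the spoofed message is fully "authenticated" in the SPF and DKIM sense; what stops it is the alignment check, and that check only has teeth when the victim's _dmarc record says reject or quarantine.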
What Is a Real Example of a Domain Spoofing Attack?
In 2020, the FBI documented a case in which a U.S. nonprofit lost $1.75 million after an attacker spoofed the domain of a trusted construction vendor. The finance team received what appeared to be a routine invoice with updated wire transfer instructions. The vendor's domain had no DMARC record. The funds were transferred overseas and were not recovered.
This attack, classified as a vendor payment redirect scam by the FBI, is one of the most common BEC variants and one of the most preventable. A DMARC enforcement policy on the vendor's domain would have instructed DMARC-aware receiving mail servers to reject the spoofed message before it reached the inbox.
Detection Checklist: How Do I Know If My Domain Is Vulnerable Right Now?
Check each item using a free DNS lookup tool or the Ṣọ Email Security Domain Checker.
SPF
- Does your domain have a TXT record beginning with `v=spf1`?
- Does it list every service authorized to send on your behalf?
- Does it end with `~all` (soft fail) or `-all` (hard fail)? A record ending in `+all` authorizes every sender on the internet.
- Does it stay within the RFC 7208 limit of 10 DNS-querying terms (include, a, mx, ptr, exists, redirect)? Exceeding it makes the record evaluate to a permanent error, which is the same as having no record.
DKIM
- Is a DKIM public key published at a selector record such as `default._domainkey.yourdomain.com`?
- Is the key length at least 2048 bits? NIST SP 800-177r1 recommends 2048-bit RSA as the minimum.
DMARC
- Does a TXT record exist at `_dmarc.yourdomain.com`?
- Is the policy `p=quarantine` or `p=reject`? A policy of `p=none` provides reporting only and offers no protection against spoofing.
- Is a `rua` aggregate reporting address configured so you receive the reports (sent daily by default) that summarize who is sending as your domain?
MX Records
- Do your MX records point to your legitimate mail servers only?
- Have any unexpected MX records appeared that could intercept inbound email?
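To make the checklist repeatable, here is an added Python example (not the page's checker, nor Ṣọ Email Security's code) that scores SPF, DKIM and DMARC TXT records that have already been fetched from DNS, so it runs offline. The two sample domains and the DKIM keys produced by fake_rsa_spki are constructed for the example; in practice you would feed it the TXT answers from your own lookups (for instance `dig +short TXT _dmarc.yourdomain.com`). It covers the SPF `all` qualifier and the 10-lookup budget, the DKIM key size read directly from the DER-encoded public key, and the DMARC policy and `rua` tag; MX records are left to the eye.

```python
import base64

def parse_tags(record):
    """'tag=value; tag=value' parser shared by DKIM and DMARC; splits once so rua=mailto:... keeps its colon."""
    return {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}

# SPF: the qualifier on the 'all' term and the RFC 7208 limit of 10 DNS-querying terms.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups, all_term = 0, None
    for term in terms[1:]:
        t = term.lower()
        if t in ("all", "+all", "-all", "~all", "?all"):
            all_term = "+all" if t == "all" else t   # a bare 'all' means '+all'
            continue
        name = t.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"all": all_term, "lookups": lookups}

# DKIM: read the RSA modulus size out of the DER SubjectPublicKeyInfo carried in p=.
def _der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dkim_key_bits(record):
    """Return the RSA modulus size in bits, or None if no usable RSA key is published."""
    tags = parse_tags(record)
    if tags.get("k", "rsa").lower() != "rsa" or not tags.get("p"):
        return None
    spki = base64.b64decode(tags["p"])
    _, body, _ = _der_read(spki, 0)          # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _der_read(body, 0)           # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _der_read(body, pos)      # BIT STRING; first byte is the unused-bits count
    _, rsa, _ = _der_read(bitstr[1:], 0)     # RSAPublicKey SEQUENCE
    _, modulus, _ = _der_read(rsa, 0)        # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def audit(records):
    """records: TXT answers fetched for one domain: 'spf', 'dkim' {selector: txt}, 'dmarc'."""
    findings, enforced = [], False
    spf = records.get("spf")
    if not spf:
        findings.append("SPF: no v=spf1 TXT record")
    else:
        s = parse_spf(spf)
        if s["all"] == "+all":
            findings.append("SPF: '+all' authorises every sender on the internet")
        if s["lookups"] > 10:
            findings.append(f"SPF: {s['lookups']} DNS lookups exceed the limit of 10 (permerror)")
    dkim = records.get("dkim") or {}
    if not dkim:
        findings.append("DKIM: no selector record found")
    for selector, rec in dkim.items():
        bits = dkim_key_bits(rec)
        if bits is None:
            findings.append(f"DKIM: selector {selector} publishes no usable RSA key")
        elif bits < 2048:
            findings.append(f"DKIM: selector {selector} uses a {bits}-bit key (want 2048)")
    d = parse_tags(records.get("dmarc") or "")
    if d.get("v") != "DMARC1":
        findings.append("DMARC: no v=DMARC1 record at _dmarc")
    else:
        enforced = d.get("p") in ("quarantine", "reject")
        if not enforced:
            findings.append(f"DMARC: p={d.get('p')} does not block spoofed mail")
        if "rua" not in d:
            findings.append("DMARC: no rua= address, so aggregate reports never arrive")
    return {"enforced": enforced, "findings": findings}

# Constructed sample data for two hypothetical domains. fake_rsa_spki() DER-encodes a made-up
# modulus of the requested size so the DKIM check has something to parse; these are not real keys.
def _der(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def fake_rsa_spki(bits):
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    integer = lambda b: _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)   # keep INTEGER positive
    rsa = _der(0x30, integer(modulus) + integer(b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa))).decode()

PROTECTED = {"spf": "v=spf1 include:_spf.mailhost.example ip4:203.0.113.10 -all",
             "dkim": {"default": "v=DKIM1; k=rsa; p=" + fake_rsa_spki(2048)},
             "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"}
UNPROTECTED = {"spf": "v=spf1 a mx +all",
               "dkim": {"s1": "v=DKIM1; k=rsa; p=" + fake_rsa_spki(1024)},
               "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.test"}
```

Run `audit(PROTECTED)` and `audit(UNPROTECTED)` to see the difference: the first returns no findings with enforced set, the second lists the `+all`, the 1024-bit key and the `p=none` policy. Reading the modulus out of the DER blob, rather than guessing from the length of the base64 string, is what makes the key-size check reliable across providers.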
Trust Aside: Ṣọ Email Security runs all domain checks locally inside your browser or app. Your domain name and results are processed on your device and are never transmitted to or stored on external servers.
Prevention Steps: How Do I Protect My Domain from Spoofing?
1. Publish a valid SPF record. Log in to your DNS provider and add a TXT record that lists every platform authorized to send email on your behalf, including your mail host, CRM, billing software, and marketing platform. Use the include: mechanism each vendor publishes, and keep the record within the RFC 7208 limit of 10 DNS-querying terms, or it evaluates to a permanent error and protects nothing.
2. Enable DKIM signing. Configure DKIM through your email provider (Google Workspace, Microsoft 365, or your hosting provider) and publish the public key in DNS. Use a minimum 2048-bit key.
3. Deploy DMARC at enforcement level.
Start with p=none to collect reports without affecting mail flow. Move to p=quarantine within 30 days, then p=reject within 90 days once all legitimate sending sources are confirmed. The pct= tag lets you apply the stricter policy to a fraction of mail first, and sp= sets the policy for subdomains, which attackers turn to when only the apex domain is enforced.
4. Monitor your DMARC aggregate reports. Reports reveal every source sending email from your domain, including unauthorized ones. Review them monthly at minimum.
5. Register and lock lookalike domains.
Purchase common typographic variants of your domain and point them to parked pages. Since they should never send mail, publish `v=spf1 -all`, a null MX record (RFC 7505), and a DMARC policy of p=reject on each. This blocks a major BEC entry point at minimal cost.
6. Audit your DNS configuration quarterly. Domain authentication breaks silently when you add new tools or switch email providers. A quarterly check catches regressions before attackers do. The Ṣọ Email Security Domain Checker runs a full SPF, DKIM, and DMARC audit in your browser at no cost, with no data leaving your device.
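The six steps written out as DNS records, in zone-file form. This is an added example for a hypothetical domain example.test and a lookalike examp1e.test, not the page's or Ṣọ Email Security's configuration; the mail host address, the include: domains, the selector name and the reporting mailbox are assumptions to replace with your providers' values.

```zone
; Step 1: SPF. Only the listed sources may send; everything else hard-fails.
; Each include: counts toward the 10-DNS-lookup limit of RFC 7208.
example.test.                    IN TXT "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example include:spf.crm-vendor.example -all"

; Step 2: DKIM. Publish the provider's 2048-bit public key under its selector.
default._domainkey.example.test. IN TXT "v=DKIM1; k=rsa; p=<base64 public key from your provider>"

; Step 3: DMARC, one record at a time as the reports confirm every sender is authenticating:
;   day 0    "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
;   day 30   "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.test"   (then raise pct to 100)
;   day 90   the enforcement record below; sp=reject covers subdomains as well
_dmarc.example.test.             IN TXT "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.test"

; Steps 4 and 6 are operational (read the rua reports, re-run the audit); they need no records.

; Step 5: a lookalike domain that must never send or receive mail.
examp1e.test.                    IN MX  0 .                       ; null MX, RFC 7505: accepts no mail
examp1e.test.                    IN TXT "v=spf1 -all"             ; no host may send as it
_dmarc.examp1e.test.             IN TXT "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.test"

; The lookalike's reports go to a mailbox at example.test, a different domain, so example.test
; has to state that it accepts them (RFC 7489 section 7.1) or receivers will discard them.
examp1e.test._report._dmarc.example.test. IN TXT "v=DMARC1"
```

The external-report verification record at the end is the step most often missed when parking lookalike domains: without it the p=reject policy still works, but you never see who is attempting to use the domain.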
AI-powered protection, zero data collection. That's the Ṣọ promise.
#EmailSecurity #DomainProtection #DMARC #SPF #DKIM #BEC #Phishing #CyberSecurity #SmallBusinessSecurity #Freelancers #Nonprofits #SoEmailSecurity