Run Your Check SPF DKIM DMARC FAQ Free IT Checkup

Free Tool · No Account Required · Instant Results

Is Your Business Domain Protecting You — or Exposing You?

Enter your domain below and find out in seconds whether attackers can send emails pretending to be your business, whether your emails are landing in spam, and what's missing from your email security setup.

96%of phishing attacks arrive by email

91%of cyberattacks start with email

MostIndiana SMBs have gaps in all 3 protocols

Check My Domain NowFree · No account required Learn What We Check ↓

Checks SPF, DKIM, DMARC & BIMI

Results in seconds

No account required · Completely free

Trusted by 175,000+ domains worldwide

Why This Tool Exists

Your Domain Is Either Protecting Your Business — or Leaving It Wide Open

Most Indiana business owners assume that because they have a business email address — yourname@yourcompany.com — their email is secure. The reality is that having a domain name doesn't automatically protect it. Without proper configuration, anyone in the world can send an email that looks like it came from your business domain.

This is called email spoofing, and it's the foundation of the majority of business email compromise (BEC) attacks. An attacker sends an email to your employee, your client, or your vendor — appearing to come from your address — asking them to wire money, share credentials, or click a malicious link. The recipient trusts it because it looks like it's from you.

Three email authentication protocols — SPF, DKIM, and DMARC — are the technical defenses that prevent this. Together, they verify that emails claiming to come from your domain actually did. Without all three properly configured, your domain is exposed — and most Indiana businesses have gaps in at least one of them.

Real-world example: A vendor receives an email from graham@ma3sp.technology asking for a wire transfer to a new bank account. The email looks authentic — right name, right logo, right signature. But it was sent by an attacker who spoofed the domain. Without DMARC enforcement, that email reaches the inbox every time. With proper DMARC configuration, it's rejected before anyone ever sees it.

Your Domain Can Be Spoofed

Without DMARC enforcement, attackers can send emails that appear to come from your exact domain to anyone in the world — employees, clients, vendors — with no technical barrier stopping them.

Your Emails May Be Landing in Spam

Missing or misconfigured SPF and DKIM records cause legitimate emails from your domain to be flagged as suspicious by Gmail, Outlook, and other providers — landing in spam instead of inboxes.

Business Email Compromise Is Growing

BEC attacks cost businesses over $2.9 billion annually. The attack doesn't require malware — just a spoofed email that looks legitimate. DMARC stops the spoofed email from ever being delivered.

Google & Yahoo Now Require These Records

Since February 2024, Google and Yahoo require SPF, DKIM, and DMARC for bulk senders. Businesses without proper records face increasing deliverability problems — and stricter enforcement is coming.

Your Domain Reputation Is an Asset

Years of sending email from your domain builds a reputation with inbox providers. A single spoofing attack or blacklisting event can damage that reputation and affect deliverability for months.

Layer 1 of Email Authentication

What Is SPF — and Why Does Your Business Need It?

SPF stands for Sender Policy Framework. It's a DNS record that tells the world which email servers are authorized to send email on behalf of your domain. Think of it like a guest list for your email.

When someone receives an email claiming to come from yourname@yourcompany.com, their email server checks your SPF record: "Is this email coming from a server that's authorized to send for this domain?" If yes, the email passes. If no — if the email is coming from an unauthorized server — the receiving server knows something is wrong.

Without an SPF record, receiving email servers can't verify whether emails from your domain are legitimate. This makes your domain significantly easier to spoof, and many providers will mark your legitimate emails as suspicious because they can't confirm they came from an authorized source.

SPF alone isn't enough — it works best when combined with DKIM and DMARC — but it's the essential first layer of your email authentication stack.

How SPF Works — Step by Step

Your business sends an email

An email is sent from your Microsoft 365 or Google Workspace account claiming to be from yourname@yourdomain.com.

Recipient server checks your SPF record

The receiving server looks up your domain's SPF record in DNS to see which servers are authorized to send email for you.

It compares the sending server's IP

The server compares the IP address of the server that sent the email against the list in your SPF record.

Pass or Fail

If the sending server is on your authorized list, SPF passes. If not, SPF fails — signaling a potential spoofing attempt.

✓ SPF Pass: Email is from an authorized server. Proceeds to DKIM and DMARC checks.

⚠ SPF Fail: Email is from an unauthorized server. Receiving server may reject or flag as suspicious.

Layer 2 of Email Authentication

What Is DKIM — the Digital Signature on Your Emails?

DKIM: A Digital Wax Seal on Every Email

Think of DKIM like a wax seal on a medieval letter. When you send a letter, you press your unique seal into wax to prove the letter came from you. If someone intercepts and tampers with the letter, the seal breaks. The recipient can verify the seal matches yours and hasn't been broken.

DKIM does the same for email — using cryptographic key pairs instead of wax seals. Every outgoing email from your domain gets a unique digital signature. If the email is tampered with in transit, the signature fails.

🔒 Private Key

Stored securely on your email server. Used to sign every outgoing email. Never shared publicly.

🔓 Public Key

Published in your domain's DNS. Anyone can use it to verify your email signature. Accessible to all.

DKIM stands for DomainKeys Identified Mail. It adds a cryptographic digital signature to every outgoing email from your domain. This signature proves two things: (1) the email was actually sent from your domain, and (2) the content of the email wasn't altered between when you sent it and when it was received.

Unlike SPF, which verifies the sending server, DKIM verifies the email's content and origin together. This makes it a critical second layer of protection — especially important because SPF can fail in legitimate scenarios like email forwarding, where DKIM continues to work correctly.

When a recipient's server receives your email, it retrieves your public DKIM key from DNS and uses it to verify the signature on the email. If the signature matches, the email is confirmed legitimate. If the signature fails or is missing, it's a red flag — the email may have been forged or tampered with in transit.

Most modern email platforms (Microsoft 365, Google Workspace) support DKIM natively, but it must be properly configured for your domain. Many Indiana businesses have email platforms that could sign emails but haven't had DKIM properly enabled and verified — leaving a gap in their protection.

Layer 3 of Email Authentication — The Enforcer

What Is DMARC — and Why Is It the Most Important Layer?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It's the third and most powerful layer of email authentication — and the one that actually enforces the rules set by SPF and DKIM.

Here's what DMARC does that SPF and DKIM alone can't: it tells receiving email servers what to do with emails that fail authentication checks. Without DMARC, even a failed SPF or DKIM check might still result in the email being delivered. DMARC gives you control over what happens to those failed emails.

DMARC also gives you visibility. When configured with reporting, DMARC sends you regular reports showing who is sending email using your domain — both legitimate sources and unauthorized ones. This is how you find out if someone is actively trying to spoof your domain.

p=none — Monitor Only

Observe — No Enforcement

Emails that fail authentication are still delivered. DMARC only collects reports. Good for initial monitoring, but provides no protection. Most businesses start here and need to advance quickly.

p=quarantine — Intermediate

Failed Emails Go to Spam

Emails failing authentication are sent to the recipient's spam or junk folder rather than their inbox. Provides partial protection — spoofed emails are less likely to be seen but still arrive.

p=reject — Full Enforcement ✓

Failed Emails Are Rejected Entirely

Emails failing authentication are rejected outright before reaching the recipient. This is full DMARC enforcement — the goal for every Indiana business that wants complete domain spoofing protection.

📊 DMARC Reporting

When DMARC is configured with reporting (rua= tag), you receive aggregate reports from major email providers showing exactly who is sending email using your domain — your own servers, third-party services you've authorized, and anyone attempting to spoof you.

🔗 Alignment: Where DMARC Gets Powerful

DMARC checks "alignment" — ensuring the domain in your email's visible "From" header matches the domain verified by SPF or DKIM. This is what prevents sophisticated spoofing attacks that pass SPF alone by sending from a different domain.

📄 Google & Yahoo's 2024 Mandate

Since February 2024, Google and Yahoo require DMARC for bulk senders (5,000+ emails/day). More importantly, even businesses sending lower volume face stricter deliverability enforcement. DMARC is no longer optional for businesses that rely on email.

☛ SPF + DKIM + DMARC Work Together

Each layer does something the others can't. SPF verifies the sending server. DKIM verifies the email's content integrity. DMARC enforces the rules and reports on violations. All three are required for complete protection — which is exactly what the checker above assesses.

Free Domain Health Check

Check Your Domain's Email Security Score Right Now

Enter your business domain below. The scanner checks your SPF, DKIM, DMARC, and BIMI records and returns an instant security risk score — trusted by 175,000+ domains worldwide.

🟢 Low Risk

SPF, DKIM, and DMARC are configured and functioning. Your domain has solid email authentication. Periodic monitoring recommended to stay ahead of emerging risks.

🟠 Medium Risk

Notable SPF, DKIM, or DMARC issues detected. Potential risk of email spoofing. Ma3SP recommends prompt remediation to strengthen your email security posture.

🔴 High Risk

Critical vulnerabilities found. Your domain can likely be spoofed right now. Urgent action required. Contact Ma3SP and we'll address every gap — fast.

What Happens Next

Your Score Tells You Where You Stand. Ma3SP Fixes What's Missing.

Most Indiana businesses we check have at least one gap — and many have all three missing or misconfigured. The good news: every one of these issues is fixable. SPF, DKIM, and DMARC are DNS record changes — once properly configured and tested, they protect your domain continuously with no ongoing action required from your team.

Here's what Ma3SP does when gaps are found in your domain's email security. These aren't recommendations we hand you in a report and walk away from — we implement everything:

SPF

SPF Missing or Misconfigured

We write a correct SPF record listing all your authorized email sending sources (Microsoft 365, Google, marketing tools, etc.) and publish it to your DNS. We test it and verify it passes.

DKIM

DKIM Not Enabled or Invalid

We enable DKIM signing in your email platform and publish the public key to your DNS. For Microsoft 365, this involves generating keys in the Defender portal and adding TXT/CNAME records to your DNS zone.

DMARC

DMARC Missing or at p=none

We create your DMARC record with reporting configured, start you at p=none to gather data, then advance to p=quarantine and p=reject enforcement as your email ecosystem is mapped and verified — safely, without breaking legitimate email delivery.

ALL 3

Ongoing Monitoring Included

Once all three records are in place and enforced, we include DMARC report monitoring in our managed IT support so you're alerted to new spoofing attempts or configuration drift before they become problems.

Found Issues? We Fix All of This.

Whether your domain came back with a red score, a yellow warning, or you simply want someone to verify your setup is correct — Ma3SP configures and manages email authentication for Indiana businesses as part of both our standalone cybersecurity services and managed IT support.

The free IT checkup covers your email security as one of its 12 review areas — giving you a complete picture alongside your other security gaps, not just email in isolation.

Get a Free IT & Email Security Checkup12-point review · Plain-language report · No pitch Call 574.903.7119 to Talk Through Your ResultsDirect line to Graham · Mon–Fri 8AM–6PM

What We Find Most Often

The Most Common Email Security Gaps in Indiana Small Businesses

These are the issues Ma3SP finds most frequently when reviewing email security for Indiana businesses — and what each gap actually means for your domain's protection.

SPF No SPF Record at All

The most basic gap — the domain has no SPF record in DNS. This means receiving email servers have no way to verify whether emails from this domain are authorized. Any server in the world can send email claiming to be from this domain.

→ Fix: Create and publish an SPF record listing all authorized sending sources (M365, Google, marketing tools, etc.)

SPF SPF Record Has Too Many DNS Lookups

SPF records are limited to 10 DNS lookups. Businesses using multiple email platforms (M365 + marketing automation + CRM + transactional email) often exceed this limit, causing SPF to return a "permerror" and fail — even though the sending source is legitimate.

→ Fix: Flatten the SPF record by converting domain lookups to IP addresses, or use SPF macros to stay within limits

DKIM DKIM Not Enabled on Email Platform

Microsoft 365 and Google Workspace support DKIM, but it must be explicitly enabled for each domain. Many businesses are using these platforms for years without ever enabling DKIM — all outgoing emails are unsigned and cannot be verified for authenticity.

→ Fix: Enable DKIM signing in Microsoft 365 Defender or Google Workspace Admin, publish the public DKIM key to DNS

DKIM Expired or Invalid DKIM Keys

DKIM keys can become invalid if a domain DNS record is not updated when changing email platforms, rotating keys, or adding sending services. Old or invalid keys cause DKIM failures even when DKIM is technically enabled.

→ Fix: Audit all DKIM selectors in DNS, verify keys match active signing configurations, remove outdated keys

DMARC No DMARC Record — Domain Can Be Freely Spoofed

The most dangerous gap. Without a DMARC record, there is zero enforcement on what happens to emails that fail SPF and DKIM. Spoofed emails can reach any inbox with no technical barrier. This is the situation most Indiana businesses are in.

→ Fix: Create a DMARC record starting at p=none with rua reporting, then advance to p=quarantine and p=reject

DMARC DMARC Stuck at p=none — No Enforcement

Many businesses have a DMARC record but left it at p=none — the monitoring-only policy. This means spoofed emails are still delivered to inboxes. The business receives reports but has no actual enforcement protecting recipients.

→ Fix: Review DMARC aggregate reports, verify all legitimate sending sources pass, advance policy to p=quarantine then p=reject

All Layers Legitimate Emails Going to Spam

When SPF fails, DKIM is missing, or DMARC isn't configured, many email providers flag legitimate emails as suspicious and route them to spam or junk. This directly impacts business communication, invoice delivery, and marketing effectiveness.

→ Fix: Correctly configure all three protocols, then verify deliverability across major providers (Gmail, Outlook, Yahoo)

DMARC Missing or Misconfigured rua= Reporting Tag

Without the rua= reporting tag in your DMARC record, you receive no aggregate reports — meaning you're blind to who is sending email using your domain. You won't know if your domain is being actively spoofed until damage is done.

→ Fix: Add a valid rua= email address to your DMARC record; configure DMARC reporting and monitor reports monthly

FAQ

Email Deliverability & Domain Security Questions Indiana Businesses Ask

Yes — and it's easier than most business owners realize. Without DMARC enforcement on your domain, any person anywhere in the world can send an email that appears to come from your exact email address. Their email client might show "From: yourname@yourbusiness.com" with no visible indication it wasn't sent from your account. This is called email spoofing, and it's the foundation of business email compromise (BEC) attacks. DMARC with p=reject policy tells receiving email servers to reject those spoofed emails before they ever reach anyone's inbox.

The most common technical causes of legitimate emails landing in spam are: missing or misconfigured SPF record (the receiving server can't verify your sending source is authorized), missing DKIM signature (the email isn't cryptographically verified), missing or unenforced DMARC record (no policy tells providers what to do with suspicious emails), or a damaged domain reputation from a past spoofing attack or blacklisting. The domain checker above will identify which of these apply to your domain. Ma3SP fixes each one as part of our cybersecurity and managed IT services.

SPF (Sender Policy Framework) verifies that your email is coming from an authorized sending server — it's a list of servers allowed to send on your behalf. DKIM (DomainKeys Identified Mail) adds a cryptographic digital signature to every outgoing email, proving it came from your domain and wasn't altered in transit. DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together — it tells receiving servers what to do when emails fail those checks (allow, quarantine, or reject) and sends you reports about who is using your domain to send email. All three work together; none of them alone is sufficient.

Partially. Both platforms provide default SPF records and default DKIM signing, but "default" is not the same as "correctly configured for your domain." Microsoft 365 requires you to manually enable custom DKIM signing for your domain in the Defender portal and add the DKIM CNAME records to your DNS — this is not done automatically. DMARC must be created and published by you regardless of which platform you use. Additionally, if you use any third-party tools to send email (marketing automation, CRM, invoicing software, transactional email services), each one needs to be added to your SPF record and may need its own DKIM configuration.

Not if done correctly — and this is why the implementation process matters. The safe approach starts with DMARC at p=none (monitor only) while collecting aggregate reports that show every source sending email using your domain. Once all legitimate sources are identified and verified (your email platform, marketing tools, CRM, invoice software, etc.), we advance the policy to p=quarantine and then p=reject. Jumping straight to p=reject without first mapping your email ecosystem can interrupt legitimate email delivery. Ma3SP manages this process carefully to ensure no legitimate email is affected during enforcement.

BIMI (Brand Indicators for Message Identification) is an emerging email standard that allows your company logo to appear next to your emails in Gmail, Apple Mail, Yahoo, and other supporting inbox providers. It requires DMARC enforcement (p=quarantine or p=reject) as a prerequisite, plus a Verified Mark Certificate (VMC) for some providers. BIMI is included in the scanner because it represents the highest level of email authentication maturity — and because it significantly increases email open rates and brand trust by visually confirming your emails are verified. It's not required for protection, but it's the next step for businesses that want maximum inbox visibility.

Once you have SPF, DKIM, and DMARC properly configured and enforced, the records themselves are stable and don't need frequent checking. However, your email environment changes over time: you add a new marketing tool that sends email, you change email platforms, a DKIM key rotates, or a new third-party service needs to be added to your SPF record. Any of these changes can break authentication. Ma3SP includes DMARC report monitoring in managed IT support, which catches configuration drift and new spoofing attempts continuously — rather than relying on periodic manual checks.

For most Indiana businesses, creating and publishing SPF, DKIM, and DMARC records can be completed within one business day once we've assessed your email environment. DNS propagation typically takes a few hours after the records are published. The longer process is advancing DMARC from p=none to p=reject enforcement, which involves reviewing aggregate reports over several weeks to ensure all legitimate sending sources are captured — but your domain is progressively more protected throughout that process, not left unprotected while we work. Book the free IT checkup and we'll assess your situation and give you a specific timeline.

DMARC specifically protects your domain from being used to spoof others — it prevents attackers from sending email that appears to come from yourcompany.com to your clients, vendors, and partners. It does not protect your employees from receiving phishing emails sent from other domains that aren't you. Protecting your team from incoming phishing requires email filtering, anti-phishing tools, and security awareness training — all of which are part of Ma3SP's cybersecurity services. Email authentication and inbound email security work together as complementary layers of protection.

The domain scanner on this page is powered by EasyDMARC's free Domain Scanner tool, which checks your SPF, DKIM, DMARC, and BIMI records with no account required to run a check. EasyDMARC is a trusted email security platform used by over 175,000 domains worldwide. The scan itself is completely free — you enter your domain, the tool checks your DNS records against best practices, and returns a security risk rating with specific findings. Ma3SP embeds this tool as a free resource for Indiana businesses to understand their email security posture. If your results show gaps, the follow-up consultation with Ma3SP is also free.