Fix plan
Get the exact records to close the door
The scorecard above is the diagnosis. We send the full report to your email: the list of all your domain's current records, the exact records still missing, and what each gap leaves open. A document to forward to whoever handles this in your company.
What is at stake
The scam that poses as the boss and approves a payment
Finance receives an email “From: the director's name”, from an address that looks like the company's, asking: “wire this now, I closed with the supplier, I'll explain later”. The tone is the boss's, the urgency is real, and the destination account is new. The employee has no way of knowing the message was born on another server, on the other side of the world, because the domain does not block spoofing. The payment goes out. By the time the fraud surfaces, the money has already passed through three accounts.
It is the most expensive email-based fraud a company faces, and it starts in a sender field that nobody closed.
In 2024 alone, business email compromise caused about $2.8 billion in reported losses, and phishing and email spoofing together were the most reported cybercrime of the year (FBI, Internet Crime Report 2024). This is not an abstract risk: it is the scam that moves the most money out of companies today.
The trap
“I use Microsoft 365, so I'm protected”
It is the sentence that leaves the door open. Microsoft 365's protection looks after your inbox. Spoofing happens at your domain's authentication, and the scam lands in your clients' inboxes, with your name in the sender field.
“Microsoft already filters what reaches me.”
It does. But spoofing is not about what you receive, it is about what others send using your name to deceive your clients and suppliers. That email never passes through your inbox.
“I have antivirus and a spam filter, I'm covered.”
They look at suspicious attachments and links. None of that stops another server from writing your domain in the “From:” field. Only domain authentication (SPF, DKIM and DMARC) does.
“My company is small, no one will imitate me.”
The attacker does not pick by size, it picks by the open door. An unprotected domain is an automatic target, because it is cheap and it works. The name it borrows for the scam is yours.
Microsoft 365 is, in fact, a favorite target precisely because of the sheer number of companies that trust it. The missing layer is not inside it: it is in your domain's records.
The three keys
What closes the door to spoofing
Three records in your domain's DNS, working together, decide whether a scammer can send email in your name. This is exactly what the test above reads.
The list of who may send for you
SPF is the official list of servers authorized to send email on behalf of your domain. The receiver checks the message's origin against that list.
In practice: the list must end by hard-refusing every server that is not on it; otherwise many filters ignore the failure and let the message through.
The seal that proves the email is yours
DKIM signs each message with an invisible seal, verified against a key published on your domain. It confirms the content truly came from you and was not tampered with.
In practice: it uses a selector and a public key in DNS. Without it, there is no way to prove the message is authentic.
The rule that orders rejection, and warns you
DMARC is the decisive key: it tells the world what to do when an email fails SPF and DKIM, and it delivers the report of who has been trying to spoof you.
In practice: the policy must reach reject. It is by far the most effective way to stop the boss-impersonation scam at the domain level.
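The three checks described above, as an added example (not the page's or Zamak's own tooling): it grades SPF, DKIM and DMARC record strings against the criteria in this section. The function names, the ok/weak/fail/missing labels and every sample record are assumptions constructed for the placeholder domain example.com; a live check would first fetch the TXT records at the domain, at `<selector>._domainkey.<domain>` and at `_dmarc.<domain>`.

```python
# Added example. Every record below is a constructed sample for example.com.

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def check_spf(txt_records):
    """SPF: exactly one v=spf1 record, and it must end in the hard fail '-all'."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "fail"  # more than one SPF record is a permanent error (RFC 7208)
    last = spf[0].lower().split()[-1]
    return "ok" if last == "-all" else "weak"  # ~all, ?all, +all or no 'all' term

def check_dkim(record):
    """DKIM: the selector's record must carry a non-empty public key in p=."""
    if not record:
        return "missing"
    return "ok" if parse_tags(record).get("p") else "fail"  # empty p= is a revoked key

def check_dmarc(record):
    """DMARC: policy must be reject, applied to all mail (pct defaults to 100)."""
    tags = parse_tags(record or "")
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "fail"
    enforced = policy == "reject" and tags.get("pct", "100") == "100"
    return "ok" if enforced else "weak"

def scorecard(spf_txt, dkim_record, dmarc_record):
    return {"spf": check_spf(spf_txt), "dkim": check_dkim(dkim_record),
            "dmarc": check_dmarc(dmarc_record)}

# Constructed sample: soft-fail SPF, no DKIM key, monitoring-only DMARC.
OPEN = scorecard(["v=spf1 include:spf.protection.outlook.com ~all"], None,
                 "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
# Constructed sample: the closed state this section describes.
CLOSED = scorecard(["v=spf1 include:spf.protection.outlook.com -all"],
                   "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",  # placeholder key
                   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    print("open:  ", OPEN)
    print("closed:", CLOSED)
```

A "weak" DMARC result covers both a policy below reject and a reject policy limited by `pct` to part of the mail.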
The answer
Managed email security: the door closed, and kept closed
Authentication that closes and stays closed
We set up SPF, DKIM and DMARC up to the reject policy, and we read for you the reports of who tries to spoof you. The door stays closed, and each new attempt becomes an alert, not a surprise on the statement.
Filtering and 24-hour continuity
A layer that blocks phishing before the inbox, with accuracy close to 100% (vendor figure), and keeps your email up even when the server goes down. You keep working, with everything logged and recoverable, including email deleted from Microsoft 365.
What's included in Managed Email Security
- Your domain's authentication set up and kept at reject, with the reports of who tries to pass as you read for you.
- Anti-phishing filtering at the gateway, blocking the threat before the inbox.
- 24-hour continuity: your email up even when the provider's server goes down.
- Archiving that recovers deleted email, including what vanished from Microsoft 365.
A single owner for your email chain
Instead of splitting the blame among the provider, the filter and whoever touched the DNS, Zamak owns the whole chain: authentication, filtering, continuity and the report of what tried to get through. One conversation, one predictable invoice, and a team that operates alongside yours, not in its place.
We operate with tools certified in SOC 2 Type II, ISO 27001, HIPAA and PCI-DSS, as a Microsoft Solutions Partner and members of the Addee Elite Group, with 15 years protecting companies that cannot stop. The filtering statistics cited are the platform vendor's (Virus Bulletin).
If nothing changes
The open door gives no warning before the scam
While the domain stays without the rule that rejects spoofing, any day an email “in your name” lands in a client's inbox, or your own finance team pays an invoice that looked legitimate. The direct loss comes as money that does not come back. The indirect one, more expensive, is the client deceived using your company's name.
Protection takes little time to go up and starts blocking fraud from day one. Building it now costs a configuration. Building it on the day of the scam costs the whole fraud, plus the conversation explaining why the door was open.
Defensibility: the check reads your domain's public records (fact, not opinion) and the verdict follows the technical criterion of DMARC as a rejection control. No domain is declared “100% safe”: closing the door to spoofing is what is within reach, and it is what we deliver.
Close the door
See who may be using your name, and stop it
The test shows today's snapshot. Zamak closes the door and keeps it closed: authentication, filtering and continuity for your email, with a single owner.
Talk to an email security specialist
We review your domain with you and map the path to a closed door.
Book a conversation
Who in your company would fall for a scam?
Assess how your team reacts to the attacks that arrive by email, from phishing to the boss-impersonation scam.
Take the phishing test
Free exposure assessment
A quick picture of where your company is most exposed, beyond email.
Start the assessment
Free check. The read uses your domain's public records and sends no email.