Free Security Tool

Free Domain Security Scanner

Enter any domain and instantly see your DMARC, SPF, DKIM, and BIMI configuration — the four email authentication protocols that prevent attackers from spoofing your domain and sending phishing emails in your name. 90% of cyberattacks start with email. Your domain score tells you how exposed you are.

90% of cyberattacks begin with email
$2.9B lost to BEC email fraud annually (FBI IC3)
72% of domains have misconfigured or missing DMARC
Free: no sign-up required to scan
Powered by EasyDMARC

Scan Your Domain — Results in Seconds

Enter your domain name below. No account required. The scanner checks your DMARC, SPF, DKIM, and BIMI records and returns an instant security score with identified gaps.

Before you scan: Make sure the domain exists and is spelled correctly. Domains that don't resolve (typos, expired registrations) will return high-risk scores because we can't read their DNS records — this doesn't mean the domain is dangerous, just that we couldn't analyze it. Try the scan on your real business domain for an accurate posture report.

Domain scanner powered by EasyDMARC. Results are informational. For implementation support, contact Securafy.

Sample Report
See a full 6-page Securafy Advanced Domain Security Report — executive scorecard, detailed findings, business risk analysis, and AI remediation roadmap.
What the Scanner Checks

Four Protocols That Protect Your Domain

Email authentication isn't optional anymore. Google, Microsoft, and Yahoo now require DMARC alignment for bulk senders — and cyber insurance carriers verify these controls at underwriting. Here's what each protocol does and why it matters.

DMARC
Domain-based Message Authentication
The policy layer that tells receiving mail servers what to do with email that fails authentication — monitor only (p=none), quarantine to spam (p=quarantine), or reject outright (p=reject). Without p=reject, anyone can spoof your domain.
Critical — Required by carriers
SPF
Sender Policy Framework
A DNS record that lists every server authorized to send email on behalf of your domain. When email arrives from an unlisted server, SPF fails. Missing or overly permissive SPF records are one of the most common domain security gaps.
Critical — Commonly misconfigured
DKIM
DomainKeys Identified Mail
A cryptographic signature added to outgoing email that verifies the message wasn't modified in transit and originated from an authorized source. DKIM must be configured for every service that sends email on your behalf — M365, Google Workspace, CRMs, marketing platforms.
High — Often missing for third-party senders
BIMI
Brand Indicators for Message Identification
Displays your brand logo in supported inboxes (Gmail, Apple Mail, Yahoo) when DMARC, SPF, and DKIM all pass. BIMI requires a verified mark certificate and a DMARC policy of p=quarantine or p=reject. It turns strong email authentication into brand visibility.
Medium — Brand trust signal
Why This Matters for Your Business

Your Domain Is Being Targeted Right Now

Every business domain is a potential attack vector. Without proper email authentication, attackers can impersonate your domain, send phishing emails to your customers and employees, and your business has no way to stop it or even know it's happening.

Business Email Compromise (BEC)

BEC attacks impersonate executives to trick employees into wire transfers or credential theft. Without DMARC enforcement, attackers spoof your CEO's exact email address. The FBI reports over $2.9 billion in annual BEC losses — and most victims had no email authentication in place.

Cyber Insurance Requirements

Major cyber insurance carriers now verify DMARC, SPF, and DKIM during underwriting and at renewal. Missing or misconfigured email authentication can result in denied BEC coverage — the exact scenario you're paying insurance to protect against.

Google & Microsoft Sender Requirements

Since February 2024, Google and Yahoo require DMARC alignment for all bulk senders. Microsoft followed with similar requirements. Organizations without proper authentication see deliverability issues — legitimate emails going to spam or being rejected entirely.

Compliance Framework Requirements

HIPAA, GLBA, CJIS, and CMMC all include requirements for protecting communications and preventing unauthorized access. Email authentication is increasingly cited in audit findings and examiner reports as a required technical control that organizations fail to implement.

Customer & Partner Trust

When attackers successfully spoof your domain to send phishing emails to your customers, the damage goes beyond the immediate attack. Your brand is associated with fraud. Customers lose trust. Even if you weren't breached, your domain was weaponized against the people who trust you.

Securafy Fixes This for You

Implementing DMARC, SPF, DKIM, and BIMI correctly requires identifying every email-sending service, configuring records without breaking existing mail flow, and monitoring authentication results to catch new gaps. Securafy manages email authentication as part of our SECURE-CARE and COMPLY-CARE tiers — properly configured, continuously monitored, and documented for compliance and insurance.

Remediation Guide

How to Fix the Most Common Domain Findings

Running the scan is step one. The harder part is fixing what it surfaces. Below is what to do for the four most common findings — SPF gaps, missing DKIM, weak DMARC, and absent MTA-STS.

Fix #1 — SPF Soft Fail or Missing Record

If your scan shows no SPF record or a soft-fail policy (~all), legitimate mail from third-party services (HubSpot, Mailchimp, Microsoft 365, your CRM) may be flagged as spam, and attackers can send mail "from" your domain with no resistance.

The fix

1. Inventory every service that sends email on your behalf. The list usually includes Microsoft 365 or Google Workspace, your CRM, your marketing platform, your transactional email provider, payroll, and any internal application.

2. Build an SPF record that lists the include mechanism each service publishes. Example: v=spf1 include:_spf.google.com include:spf.mailgun.org include:hubspot.com -all.

3. Use -all (hard fail), not ~all (soft fail), once you've verified your mail flow is clean.

4. SPF records are limited to 10 DNS lookups. If you hit the limit, use a flattening service like EasyDMARC or PowerDMARC.
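
To check steps 2 to 4 before publishing a record, the audit below counts DNS-querying terms across nested includes and flags a top-level policy that does not end in -all. It is an added example, not code from Securafy or EasyDMARC; the ZONE dictionary is constructed sample data with hypothetical names that stands in for live TXT lookups.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample TXT records standing in for live DNS (hypothetical names).
ZONE = {
    "example.test": "v=spf1 include:_spf.mail.example include:spf.crm.example mx ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf.crm.example": "v=spf1 a mx exists:%{i}.rbl.crm.example -all",
}

def audit_spf(domain, zone, path=()):
    """Return (dns_lookups, findings) for domain, following include/redirect."""
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0, [f"{domain}: no SPF record published"]
    if domain in path:
        return 0, [f"{domain}: include loop"]
    lookups, findings, all_qualifier, redirected = 0, [], None, False
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, arg = re.match(r"([A-Za-z0-9]*)[:=/]?(.*)", term.lstrip("+-~?")).groups()
        name = name.lower()
        if name == "all":
            all_qualifier = qualifier
        if name in LOOKUP_TERMS:
            lookups += 1  # this term costs one DNS query
        if name in ("include", "redirect"):
            redirected = redirected or name == "redirect"
            nested, nested_findings = audit_spf(arg, zone, path + (domain,))
            lookups += nested  # nested records draw on the same budget
            findings += nested_findings
    if not path:  # policy checks apply to the top-level record only
        if all_qualifier != "-" and not (all_qualifier is None and redirected):
            shown = f"{all_qualifier}all" if all_qualifier else "no all term"
            findings.append(f"{domain}: {shown}, unlisted senders are not hard-failed")
        if lookups > LOOKUP_LIMIT:
            findings.append(f"{domain}: {lookups} DNS lookups, limit is {LOOKUP_LIMIT}")
    return lookups, findings
```

Calling audit_spf("example.test", ZONE) shows that three visible terms in the top-level record already consume 8 of the 10 lookups once nested includes are followed.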

Fix #2 — DKIM Not Configured

DKIM signs outbound mail with a cryptographic signature receivers can verify. Without it, your mail can be modified in transit and attackers can forge messages from your domain.

The fix

1. Generate DKIM keys for each sending service. Microsoft 365 does this in the Defender admin center; Google Workspace does it in the Admin Console under Apps → Gmail → Authenticate email.

2. Publish the public key as a TXT record in DNS using the selector path the service tells you (for example, selector1._domainkey.yourdomain.com).

3. Enable signing on the sending service after the DNS record propagates (usually within an hour).

4. Verify with the advanced domain scanner that DKIM signatures pass.

Fix #3 — DMARC Set to p=none

DMARC at p=none means you're monitoring but not enforcing. Spoofed mail still gets delivered. This is fine as a temporary diagnostic state — but if you've been at p=none for more than 60 days, you're exposed.

The fix — progressive enforcement

1. Start at p=none with rua=mailto:dmarc@yourdomain.com to collect reports.

2. Review reports for 30 to 60 days. Identify any legitimate senders failing SPF or DKIM and fix them first.

3. Move to p=quarantine; pct=10 — only 10 percent of failing mail goes to spam. Watch for legitimate impact.

4. Increase pct in stages (10 → 25 → 50 → 100) over a few weeks.

5. Move to p=reject; pct=100 — failing mail is rejected outright. This is the only state that actually stops impersonation.
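
The ladder in steps 1 to 5 can be checked mechanically against a published record. The following is an added example, not Securafy's or EasyDMARC's code: it parses a DMARC TXT value, reports where the record sits on that ladder, and names the next rung. The function names are hypothetical and the sample records are constructed.

```python
# Enforcement ladder from the steps above, weakest to strongest: (policy, pct).
LADDER = [("none", 100), ("quarantine", 10), ("quarantine", 25),
          ("quarantine", 50), ("quarantine", 100), ("reject", 100)]
ORDER = {"none": 0, "quarantine": 1, "reject": 2}

def rank(policy, pct):
    """Sortable strength; pct is irrelevant while the policy is none."""
    return (ORDER[policy], 0 if policy == "none" else pct)

def parse_dmarc(record):
    """Split a DMARC TXT value into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess_dmarc(record):
    """Return the current state, findings, and the next rung of the ladder."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in ORDER:
        raise ValueError("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to review")
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif (policy, pct) != ("reject", 100):
        findings.append(f"p={policy}; pct={pct}: failing mail is not yet fully rejected")
    stronger = [r for r in LADDER if rank(*r) > rank(policy, pct)]
    next_step = "p={}; pct={}".format(*stronger[0]) if stronger else None
    return {"policy": policy, "pct": pct, "findings": findings, "next": next_step}

# Constructed sample records (yourdomain.com is the page's placeholder).
SAMPLES = [
    "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com",
    "v=DMARC1; p=reject; pct=100",
]
```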

Done wrong, progressive enforcement bounces real customer email. Done right, it eliminates one of the most common phishing attack vectors against your business. Securafy's Email Security service handles the full enforcement progression with monitoring at each stage.

Fix #4 — MTA-STS Not Configured

MTA-STS forces inbound mail to be delivered over encrypted TLS connections, preventing downgrade attacks where an attacker intercepts mail before encryption. Most domains don't have it configured.

The fix

1. Publish a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt with mode, mx records, and max_age.

2. Publish a DNS TXT record at _mta-sts.yourdomain.com declaring the policy ID.

3. Add a TLS reporting record at _smtp._tls.yourdomain.com to get failure reports.

4. Start in mode: testing for 30 days to verify nothing breaks, then move to mode: enforce.

If you handle regulated data in healthcare, financial services, or legal, MTA-STS is effectively required to meet modern compliance standards. Securafy's compliance services include full email authentication setup as part of the baseline posture.

Common Questions

Domain Scanner FAQ

The scanner checks your DMARC, SPF, DKIM, and BIMI records — the four email authentication protocols that prevent spoofing and phishing. DMARC tells receiving mail servers what to do with unauthenticated email. SPF lists which servers are authorized to send mail for your domain. DKIM cryptographically signs emails to verify they weren't tampered with. BIMI displays your brand logo in supported inboxes when all authentication passes.
DMARC prevents email spoofing — attackers impersonating your domain to send phishing emails to your customers, partners, or employees. Without DMARC enforcement (p=reject), anyone can send email that appears to come from your exact domain. Over 90% of cyberattacks start with a phishing email. DMARC is also required by cyber insurance carriers for BEC (Business Email Compromise) coverage, and by Google and Yahoo for bulk email delivery.
A strong domain security score requires all four protocols properly configured: SPF with no syntax errors covering all sending sources, DKIM configured for all services that send email on your behalf, DMARC at p=quarantine (at minimum) or p=reject (ideal), and BIMI for brand visibility. Many businesses fail DMARC entirely or have it set to p=none — monitoring only, with zero protection. Securafy implements and maintains all four protocols as part of our managed security services.
Yes — the domain scanner can check any publicly registered domain. This is useful for checking your own domain, verifying a vendor's email security posture, or checking a competitor's configuration. All DNS-based authentication records (DMARC, SPF, DKIM, BIMI) are publicly visible by design — they're intended to be checked by receiving mail servers worldwide.
If your domain scanner results show missing, misconfigured, or weak authentication records, contact Securafy for a free consultation. Properly implementing DMARC without breaking legitimate email flow requires careful analysis of all your email-sending services — M365, Google Workspace, CRM platforms, marketing tools, billing systems. We implement and maintain email authentication as part of SECURE-CARE and COMPLY-CARE, with ongoing monitoring to catch new gaps as your sending services change.

Your Domain Score Is the Starting Point. Securafy Fixes What's Broken.

Most businesses discover they have DMARC set to p=none — monitoring without protection — or no authentication at all. Securafy implements and maintains DMARC, SPF, DKIM, and BIMI as part of our managed security services. Prevention-First. Compliance-Ready. Serving businesses nationwide.

Columbus & Cleveland, Ohio — Serving All 50 States
