See which servers a domain authorizes to send email, and whether the policy is strict enough to matter.
Free and anonymous. No account required.
This reads the SPF TXT record on the domain and parses its mechanisms and final 'all' qualifier (-all hardfail, ~all softfail, ?all/+all).
SPF declares which servers may send mail for a domain. A softfail or missing record weakens the protection DMARC relies on, leaving room for spoofing.
A live DNS-over-HTTPS query retrieves the record; a deterministic parser classifies it strong, weak, or missing with recommendations.
One that ends in '-all' (hardfail), so unauthorized senders are rejected rather than merely flagged.
No. SPF and DKIM are inputs to DMARC, which decides what to do when they fail. You want all three.
Connect your inbox and InboxWatch watches for these threats automatically. Free for your first 15 scans.
Connect your inbox