Quick answer: If your domain doesn't enforce DMARC, it's almost certainly spoofable — anyone can send
email that looks like it came from an address at your domain. The fastest way to know for sure is to test it.
Run a free spoofing test — it checks your SPF, DKIM and DMARC in seconds and tells you, in plain English,
whether your domain can be impersonated.
What makes a domain spoofable
Email lets anyone type any address in the "From" field. The only thing that stops abuse of your domain is a DMARC policy set to enforce, backed by valid SPF and DKIM. Without it, receiving servers have no instruction to reject the fake, so it lands in inboxes wearing your name.
What your test result means
| Your DMARC | Spoofable? |
|---|---|
| No DMARC record | Yes — fully open to spoofing |
| p=none (monitoring only) | Yes — reports but doesn't block |
| p=quarantine | Mostly — fakes go to spam |
| p=reject | No — fakes are blocked |
If your result is "spoofable", it doesn't mean you've been hacked — just that nothing currently stops someone forging your address.
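As an added example (not part of the original page and not Kalenfy's tool), the Python below parses the TXT values published at `_dmarc.<domain>` and maps them to the verdicts in the table. It goes slightly beyond the table by also handling the `pct` tag and duplicate records, both defined in RFC 7489; the sample records and `example.com` are constructed.

```python
# Added example. Records below are constructed; example.com is a placeholder.

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT value, or None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: v=DMARC1 must be the first tag, otherwise the record is ignored.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Map the TXT values found at _dmarc.<domain> to the table's verdicts."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(parsed) != 1:
        # Nothing published, or several records: receivers apply no DMARC policy.
        return "spoofable: no usable DMARC record"
    tags = parsed[0]
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "spoofable: monitoring only"
    if policy not in ("quarantine", "reject"):
        return "spoofable: missing or invalid p= tag"
    verdict = ("protected: fakes are blocked" if policy == "reject"
               else "mostly protected: fakes go to spam")
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    if pct < 100:
        # Partial rollout: unsampled failures get the next weaker policy.
        verdict += f" (applied to only {pct}% of failing mail)"
    return verdict

SAMPLES = {  # constructed records
    "no record": [],
    "monitoring": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "quarantine": ["v=DMARC1; p=quarantine"],
    "reject": ["v=DMARC1; p=reject"],
    "partial reject": ["v=DMARC1; p=reject; pct=25"],
    "duplicate": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(f"{label:15} -> {classify(records)}")
```

To check a live domain, pass in the strings returned by a TXT lookup such as `dig +short TXT _dmarc.example.com`, with the surrounding quotes stripped.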
How to lock it down
- Make sure SPF and DKIM are valid for your real mail.
- Publish a DMARC record and move it from p=none to quarantine, then reject once your senders pass.
- Re-test to confirm your domain is no longer spoofable.
FAQ
How can I test if my domain is spoofable for free?
Scan your domain with Kalenfy — it checks SPF, DKIM and DMARC and tells you instantly whether you're protected, with no signup to see the result.
If I'm spoofable, have I been hacked?
No — spoofing forges your address without any access to your account. But you should still lock it down with DMARC so it can't be abused.
How long does it take to stop being spoofable?
As soon as an enforced DMARC record propagates — minutes to hours — receivers start rejecting fakes.
Found out you're spoofable? Scan your domain, then reply to your report — we're developers and we'll set
up DMARC to reject and make your domain spoof-proof for you.