Free Email Impersonation Test

Can Hackers Send Email
As Your Company?

Find out in seconds. We check the three critical settings that stop criminals from sending fake emails using your company's name — the same trick behind 91% of cyberattacks.

SPF: Sender Policy Framework
DKIM: DomainKeys Identified Mail
DMARC: Domain-based Message Authentication, Reporting & Conformance

        Want This Fixed For You?

        Cyvatar configures and monitors your SPF, DKIM, and DMARC records, so that mail forged from your exact domain is rejected by receivers that enforce DMARC (including Gmail and Microsoft 365) and every attempt shows up in your reports.

        Talk to an Expert →

        How Hackers Spoof Your Email

        This is exactly what happens when someone impersonates your company — step by step.


        Step 1. Hacker Picks Your Domain

        They put your company's address, say ceo@yourcompany.com, in the From header of a message. SMTP never checks that header against anything, so they don't need your password and they don't need access to your account. Just your domain name.

        Step 2. They Send a Fake Email

        From a random server anywhere in the world, they send an email that looks exactly like it came from you — to your customers, employees, or vendors. It might say "Please wire payment to this new account" or "Click here to reset your password."


        Step 3. The Receiving Server Checks Your DNS

        Gmail, Outlook, or whatever the recipient uses looks up your SPF record for the sending domain, fetches the DKIM public key named in the message's signature (if it carries one), and reads your DMARC policy to decide whether the email really came from you.

        Step 4. The Moment of Truth

        What happens next depends entirely on whether you have email protection set up.

        No Protection

        The Fake Email Lands in the Inbox

        The recipient has no idea it's not really from you.

        • Customer wires money to the hacker's account
        • Employee clicks a malicious link and gives up their password
        • Vendor shares sensitive data with an attacker
        • Your company's reputation takes the hit
        Protected

        The Fake Email is Blocked

        The receiving server sees the email is unauthorized and stops it.

        • Email is rejected or sent to spam
        • The recipient never sees it
        • Your DMARC aggregate report records the attempt: the sending IP and which checks failed
        • Your domain reputation stays clean

        Step 5. Without Protection, the Damage Is Done

        The victim thinks your company sent them a phishing email, a fake invoice, or a malware link. Even after they realize it's fake, the trust is broken, and your brand takes the blame for an attack you didn't even know happened.

        Email Security FAQ

        Everything you need to know about SPF, DKIM, DMARC, and protecting your domain.

        What is email impersonation (spoofing)?
        Email impersonation, also called email spoofing, is when a hacker sends an email that looks like it came from your company's domain. They can use your exact email address to trick your customers, vendors, or employees into clicking malicious links, wiring money, or sharing passwords. Three DNS records, SPF, DKIM, and DMARC, work together to stop this at any receiver that enforces DMARC. They cover your exact domain only: a lookalike domain such as yourcompany-billing.com is a separate registration that your DNS records cannot control, so watch for those separately.
        What is SPF and why does my domain need it?
        SPF (Sender Policy Framework) is a DNS TXT record that lists the IP addresses and services authorized to send email for your domain. When a message arrives, the receiving server looks up the SPF record of the envelope sender (the MAIL FROM or Return-Path address, which is not always the address people see in the From header) and checks whether the connecting IP is on the list. If it isn't, the result is fail or softfail and the message can be flagged or rejected. Because SPF checks the envelope address rather than the visible From header, it only stops From-header spoofing once DMARC ties the two together. Without SPF, any server in the world can send email as your domain and receivers have no list to check it against.
        What is DKIM and why does my domain need it?
        DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send, covering selected headers (From, Subject, Date, and others) and the body. The receiving server fetches the public key published in your DNS under the selector named in the signature and verifies it. If the email was altered in transit, for example an attacker changed invoice details, the signature check fails. A forged message simply carries no valid signature for your domain, so DKIM on its own does not block spoofing; DMARC is what turns a missing or failing signature into a rejection.
        What is DMARC and why does my domain need it?
        DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together with a policy published at _dmarc.yourdomain.com. It only counts an SPF or DKIM pass when the domain that passed aligns with the domain in the visible From header, which is exactly what an attacker's server cannot produce. It then tells receiving servers what to do when a message fails: take no action but report (p=none), send it to spam (p=quarantine), or refuse it (p=reject). Without DMARC, even if you have SPF and DKIM, receiving servers have no instruction to act on a failure and may still deliver fake emails. DMARC also sends you aggregate reports listing the IPs sending as your domain and how each one fared, so you can see who is trying to impersonate you. The policy covers your subdomains too unless you set a separate sp= tag.
        Do I need email security if I don't send email from my domain?
        Yes. This is one of the most common gaps. Even if you never send a single email from a domain, hackers can still put it in a From address. Every domain you own, including parked domains and typo variants you registered, should carry records that tell receivers no mail from it is legitimate:

        SPF (TXT at yourdomain.com): v=spf1 -all ; no servers are authorized
        DKIM (TXT at *._domainkey.yourdomain.com): v=DKIM1; p= ; an empty public key tells verifiers that every selector is revoked
        DMARC (TXT at _dmarc.yourdomain.com): v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com ; reject all unauthenticated email and still collect reports

        With these in place, receivers that enforce DMARC (including Gmail and Microsoft 365) reject any message claiming to be from the domain, and the reports show you every attempt. The DMARC policy covers subdomains as well unless you override it with sp=. If the report mailbox is on a different domain, that domain must publish an authorization record (yourdomain.com._report._dmarc.otherdomain.com with the value v=DMARC1) or receivers will not send reports there.
        What do the letter grades (A through F) mean?
        Your score is out of 100 points, split across three areas: SPF (30 pts), DKIM (30 pts), and DMARC (40 pts). Click "How is this score calculated?" on your results to see the exact point breakdown.

        A (90–100): SPF, DKIM, and DMARC are properly configured with strong enforcement.
        B (70–89): Most protections in place but could be stronger.
        C (50–69): Some protections exist but significant gaps remain.
        D (30–49): Minimal protection — your domain is at serious risk.
        F (0–29): Little to no protection — hackers can easily send email as your company.
        How do I fix a missing or failing SPF record?
        Add a TXT record in your domain's DNS settings. Examples:

        Google Workspace: v=spf1 include:_spf.google.com ~all
        Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all

        Replace the include with your email provider's SPF domain, and add an include for every other service that sends as your domain (ticketing, marketing, billing), otherwise their mail will fail. Use -all (hard fail) for strict enforcement or ~all (soft fail) while testing; once DMARC is in place the difference matters less, because DMARC treats both fail and softfail as an SPF failure. You can only have one SPF record per domain: two records is a permanent error, and receivers treat it as if you had none. The record may also cause at most 10 DNS lookups (each include, a, mx, ptr, exists, and redirect counts, including those inside nested includes); more than 10 is likewise a permanent error.
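The checks described above (exactly one record, the all qualifier, the 10-lookup limit, and whether a given sending IP is authorized) as an added Python example. This is not Cyvatar's checker or any code from the page: the zone data is constructed inline with documentation domain names so it runs offline, and only ip4, ip6, include, all, and redirect= are evaluated; a, mx, ptr, and exists need live DNS, so this example counts them toward the limit but never matches them.

```python
import ipaddress

# Added example (not Cyvatar's tool or the page's code). Offline SPF evaluator:
# finds the single SPF record among a domain's TXT records, counts DNS-lookup
# terms against the limit of 10, and decides whether a sending IP is permitted.
# Only ip4/ip6/include/all and redirect= are evaluated; a/mx/ptr/exists need
# live DNS, so here they are counted but never match (assumption for offline use).

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed zone data standing in for live DNS (documentation names only).
ZONE = {
    "example.com": [
        "google-site-verification=abc123",
        "v=spf1 include:_spf.mailhost.example ip4:203.0.113.0/24 -all",
    ],
    "_spf.mailhost.example": [
        "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 include:_netblocks.mailhost.example ~all",
    ],
    "_netblocks.mailhost.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "parked.example": ["v=spf1 -all"],
    "twospf.example": ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"],
}


def find_spf(txt_records):
    """Return the domain's one SPF record; zero or several is a permanent error (RFC 7208)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        raise ValueError(f"expected exactly one SPF record, found {len(spf)}")
    return spf[0]


def parse_terms(record):
    """Split a record into (qualifier, name, value) triples; modifiers get qualifier 'mod'."""
    terms = []
    for tok in record.split()[1:]:
        if "=" in tok:                        # modifier such as redirect=_spf.example
            name, value = tok.split("=", 1)
            terms.append(("mod", name.lower(), value))
            continue
        qual = "+"
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        name, _, value = tok.partition(":")   # ip6:2001:db8::/32 splits at the first colon only
        terms.append((qual, name.split("/")[0].lower(), value))
    return terms


def all_qualifier(record):
    """Qualifier on the all term: '-' hard fail, '~' soft fail, None if absent."""
    return next((q for q, name, _ in parse_terms(record) if name == "all"), None)


def count_lookups(domain, zone, _path=()):
    """Count lookup-causing terms, following include: and redirect= (loop-safe)."""
    if domain in _path or domain not in zone:
        return 0
    total = 0
    for _, name, value in parse_terms(find_spf(zone[domain])):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(value, zone, _path + (domain,))
    return total


def check_ip(ip, domain, zone):
    """SPF result for a connecting IP and MAIL FROM domain: pass/fail/softfail/neutral/none/permerror."""
    addr = ipaddress.ip_address(ip)
    if domain not in zone:
        return "none"
    try:
        record = find_spf(zone[domain])
    except ValueError:
        return "permerror"
    redirect = None
    for qual, name, value in parse_terms(record):
        if qual == "mod":
            if name == "redirect":
                redirect = value
            continue
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:                              # a v4 address never matches a v6 network and vice versa
                matched = addr in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            matched = check_ip(ip, value, zone) == "pass"   # include matches only on an inner pass
        else:
            matched = False                   # a/mx/ptr/exists: not resolvable offline
        if matched:
            return QUALIFIERS[qual]
    return check_ip(ip, redirect, zone) if redirect else "neutral"


def audit(domain, zone):
    """What an SPF check looks at: the record, its all qualifier, and the lookup count."""
    record = find_spf(zone[domain])
    lookups = count_lookups(domain, zone)
    return {"record": record, "all": all_qualifier(record),
            "lookups": lookups, "within_limit": lookups <= MAX_LOOKUPS}


if __name__ == "__main__":
    print(audit("example.com", ZONE))
    for ip in ("203.0.113.7", "192.0.2.9", "2001:db8::1", "8.8.8.8"):
        print(ip, check_ip(ip, "example.com", ZONE))
    print("twospf.example", check_ip("192.0.2.1", "twospf.example", ZONE))
```

The nested include shows why the lookup limit bites in practice: example.com spends one lookup on its provider and the provider spends another on its own netblocks, so an SPF record that lists several SaaS providers can cross 10 without any single include looking expensive. The two-record domain returns permerror, which is what a real receiver does with it.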
        How do I fix a missing or failing DKIM record?
        DKIM setup depends on your email provider:

        Google Workspace: Admin → Apps → Google Workspace → Gmail → Authenticate email, then generate a DKIM key.
        Microsoft 365: Defender portal → Email authentication → DKIM.

        Your provider gives you a DNS record (usually a CNAME or TXT) to publish at selector._domainkey.yourdomain.com. Common selectors include "google", "selector1", "selector2", or "default". To confirm it is working, look at the headers of a message you sent: the DKIM-Signature header's s= tag is the selector and its d= tag is the signing domain. For DMARC to count the signature, d= must be your domain (or a subdomain of it), not the provider's.
        How do I fix a missing or weak DMARC record?
        Add a TXT record at _dmarc.yourdomain.com. Start with monitoring mode:

        v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

        This lets you see who is sending email as your domain without blocking anything. Aggregate reports arrive as XML attachments, usually once a day per receiver, listing each sending IP with its SPF and DKIM results. Use them to find legitimate senders that fail alignment (a vendor signing with its own domain, a forwarding service) and fix those first. After reviewing reports for a few weeks, upgrade to p=quarantine (sends failures to spam) then p=reject (blocks failures entirely); you can ramp gradually with pct=, for example pct=25, which applies the policy to a quarter of failing mail and the next milder action to the rest. Always include a rua= tag so you receive aggregate reports.
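The decision a receiving server makes in step 4 above, and the alignment and policy rules from the DMARC FAQ and this answer, as an added Python example that is not part of the page or Cyvatar's tool. It assumes the receiver has already computed the SPF and DKIM verdicts (no signature verification is done here), the DMARC record, DKIM-Signature header, and scenarios are constructed, and the organizational domain is approximated as the last two labels, whereas real receivers use the Public Suffix List.

```python
import re

# Added example (not the page's code). Applies DMARC the way RFC 7489 describes,
# given SPF and DKIM verdicts a receiver has already computed: check that the
# domain that passed aligns with the visible From domain, then pick the
# disposition from the policy. Organizational domains are approximated as the
# last two labels (assumption; real receivers use the Public Suffix List).


def parse_dmarc(txt):
    """Parse a DMARC TXT record into tags, filling in the RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])      # subdomain policy defaults to p
    tags.setdefault("adkim", "r")         # relaxed DKIM alignment
    tags.setdefault("aspf", "r")          # relaxed SPF alignment
    tags.setdefault("pct", "100")
    return tags


def parse_dkim_signature(header):
    """Pull the tags out of a DKIM-Signature header; d= is the signing domain, s= the selector."""
    if header.lower().startswith("dkim-signature:"):
        header = header.split(":", 1)[1]
    tags = {}
    for part in re.sub(r"\s+", "", header).split(";"):   # unfold the header first
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key] = value
    return tags


def dkim_key_name(sig):
    """DNS name where the receiver fetches the public key for this signature."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def org_domain(domain):
    """Organizational domain (simplified to the last two labels)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, policy_domain, dmarc, spf_result, mail_from_domain,
             dkim_result, dkim_domain, sampled=True):
    """Return (dmarc_result, disposition) for one message.

    mail_from_domain is the envelope (MAIL FROM) domain the SPF verdict applied to;
    dkim_domain is the d= tag of the verified signature ('' when unsigned);
    policy_domain is where the DMARC record was found (the From domain or its
    organizational domain); sampled says whether the message fell inside pct=.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, dmarc["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, dmarc["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = dmarc["p"] if from_domain.lower() == policy_domain.lower() else dmarc["sp"]
    if not sampled:                        # pct= excludes some mail: one step less severe
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


# Constructed inputs (not real mail or real records).
DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc-reports@example.com"
DKIM_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google;\r\n"
    " h=from:to:subject:date:message-id; bh=2jmj7l5rSw0yVb/vlWAYkK/YBwk=;\r\n"
    " b=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ=="
)


def demo():
    """The scenarios from the page's step 4: legitimate mail, a spoof, an unaligned vendor, a subdomain spoof."""
    policy = parse_dmarc(DMARC_RECORD)
    sig = parse_dkim_signature(DKIM_HEADER)
    return {
        # Legitimate Google Workspace mail: SPF and DKIM both pass and align.
        "legit": evaluate("example.com", "example.com", policy, "pass", "example.com", "pass", sig["d"]),
        # Random server, attacker's envelope domain, no signature for example.com.
        "spoof": evaluate("example.com", "example.com", policy, "fail", "attacker.example", "none", ""),
        # Vendor passing SPF/DKIM for its own domain only: nothing aligns, so it is rejected too.
        "unaligned_vendor": evaluate("example.com", "example.com", policy, "pass",
                                     "bounce.esp.example", "pass", "esp.example"),
        # Forged From at a subdomain with no record of its own: the sp= policy applies.
        "subdomain_spoof": evaluate("news.example.com", "example.com", policy, "fail",
                                    "attacker.example", "none", ""),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The unaligned vendor case is the one that surprises people moving to p=reject: the vendor's mail authenticates perfectly, just not for your domain, which is why the monitoring phase exists. Switching adkim=s to the default relaxed mode would let a signature from mail.example.com align with example.com; strict mode requires the exact domain.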
        How long do DNS changes take to work?
        A record that did not exist before is visible as soon as your DNS provider publishes it on the authoritative servers, usually within minutes. A change to an existing record takes longer, because resolvers keep the old value until its TTL (Time to Live) expires; typical TTLs are 15 minutes to 4 hours, and some are set as high as 48 hours. To check without waiting, query your domain's authoritative nameserver directly, which bypasses caches. Re-run this test after making changes to verify they've taken effect. If changes aren't showing after the TTL has passed, double-check that you added the record to the correct domain and name (for example _dmarc.yourdomain.com, not yourdomain.com) and that there are no typos.
        What is a DKIM selector and which one should I use?
        A DKIM selector is a label that identifies which DKIM key to use; a domain can have multiple keys (one per email service), each published at selector._domainkey.yourdomain.com. You can read your selector from the s= tag of the DKIM-Signature header on any message you have sent. Common selectors:

        Google Workspace: "google"
        Microsoft 365: "selector1", "selector2"
        Generic: "s1", "s2", "default"

        This tool automatically checks over 20 common selectors to find your DKIM record. If you know your selector, enter it in the optional field for a direct check.