A lot of phishing works because organizations assume their email domain is better protected than it really is.
This tool checks public email trust signals like `SPF`, `DMARC`, common `DKIM` selectors, and mail routing clues
to show how exposed a domain may be to spoofing and impersonation.
What This Checks
The results focus on public DNS and mail trust signals that influence how well your domain resists spoofing.
It does not prove every mail path is secure, but it does show whether the basic controls are strong, weak, or missing.
SPF: Whether your domain defines allowed outbound senders.
DMARC: Whether your domain has a real enforcement policy or just monitoring.
DKIM: Best-effort checks for common selectors used by major platforms.
Mail routing: MX and provider hints that help explain the result in context.
Why it matters
Weak mail authentication can make domain impersonation easier, especially during phishing or business email compromise attempts.
What strong looks like
Good posture usually means a valid SPF record, DKIM signing on active platforms, and DMARC moved beyond monitor-only mode.
What weak looks like
No DMARC, a `p=none` policy, broken SPF, or missing DKIM on major senders usually leaves more room for abuse.
One caution
DKIM discovery is best-effort here. Selectors cannot always be enumerated publicly, so the tool explains that uncertainty instead of overclaiming.
What The Result Means
A stronger grade means your public email controls are doing a better job of making spoofing and impersonation harder.
A weaker grade means attackers may have an easier time imitating your domain or benefiting from weak enforcement.
Lower exposure: Better-enforced controls make impersonation harder and reduce easy abuse paths.
Moderate exposure: Some controls are present, but gaps or weak policies still leave room for spoofing.
High exposure: Missing or weak controls can make phishing, domain impersonation, and sender confusion more likely.
Useful context: The result should help explain what to fix first, not just assign a grade.
Live Domain Findings
This report is based on public DNS and mail records. It is useful for spotting obvious gaps, weak policies, and domain-spoofing exposure.
What Not To Assume
Using Microsoft 365 or Google Workspace does not automatically mean your domain is fully hardened.
Having a DMARC record is not the same as enforcing a strong DMARC policy.
A provider can sign with DKIM while other sending platforms still remain misconfigured.
This check helps surface public gaps, but it is not a replacement for a full mail-flow review.
Why Accuracy Matters
DKIM is harder to discover comprehensively because selectors cannot be listed automatically in a standard way.
SPF may exist but still be too broad, too complex, or broken by lookup limits.
DMARC may be present but still too weak if it only monitors and does not enforce.
MX records help identify providers, but they do not guarantee the rest of the domain is configured safely.
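The SPF and DMARC weaknesses listed above (an over-broad SPF record, too many lookups, a monitor-only DMARC policy) can be recognized from the record text alone. The Python below is an added example, not the tool's own code: the function names and sample records are constructed for illustration, and it inspects record strings offline without resolving nested includes.

```python
import re

# Terms that each trigger a DNS lookup; RFC 7208 caps the total at 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def assess_spf(record):
    """Return findings for one SPF TXT string (empty list = no issue found)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    names = []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        names.append((qualifier, name))
    findings = []
    # Counts only this record; nested include/redirect targets add more lookups.
    lookups = sum(1 for _, name in names if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10")
    all_q = next((q for q, name in names if name == "all"), None)
    if all_q == "+":
        findings.append("+all authorizes any sender")
    elif all_q == "?" or (all_q is None and ("+", "redirect") not in names):
        findings.append("unlisted senders get a neutral result")
    return findings

def assess_dmarc(record):
    """Classify a DMARC TXT string as enforcing, partial, monitor-only or invalid."""
    parts = (p.partition("=") for p in record.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts if k.strip()}
    if tags.get("v") != "DMARC1":
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitor-only"
    if policy not in ("quarantine", "reject"):
        return "invalid"
    pct = tags.get("pct", "100")
    return "partial" if pct.isdigit() and int(pct) < 100 else "enforcing"

# Constructed sample records (example domains, not real data).
SPF_GOOD = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"
SPF_BROAD = "v=spf1 include:_spf.mailer.example +all"
SPF_HEAVY = "v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:reports@example.com"
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:reports@example.com"
```

An empty findings list only means this record's text shows none of these three problems; it says nothing about DKIM or about senders reached through nested includes.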
Want a deeper email security review?
This tool checks the public surface. A deeper NEXETTE review can go further into mail flow, spoofing exposure,
third-party senders, phishing resistance, and email security policy gaps across the organization.