Free Checklist · 14 Items · ~5 Minutes · SPF · DMARC

Email Authentication Audit Checklist

Find out if your domain can be spoofed — and exactly what to fix first.

Phishing, business email compromise, and brand impersonation attacks all start the same way: an unprotected domain. Work through each control below and check it off if it's already in place. Your risk status updates live as you go.

Want an instant automated result?

SpoofCheck scans your domain's SPF and DMARC configuration automatically and gives you a risk score in seconds.

Run a free SpoofCheck scan →

Section 1: SPF (Sender Policy Framework)

SPF tells receiving mail servers which IP addresses are authorised to send email from your domain. An absent or misconfigured SPF record is one of the most common causes of email spoofing.

Section 2: DMARC Policy

DMARC tells receiving servers what to do when an email fails SPF checks. Without a DMARC policy at quarantine or reject, your domain can be spoofed freely.

Section 3: DMARC Reporting

DMARC reporting provides visibility into who is sending email from your domain. Without active monitoring, you are blind to spoofing attempts and misconfigurations.

Section 4: Advanced & Supplementary Controls

These additional controls build on SPF and DMARC to further harden your email security posture and prevent abuse of lesser-known attack vectors.

Your email security status

Spoofable: 0/14 controls confirmed. Critical authentication gaps exist. Your domain can be spoofed today — fix these immediately.

Gaps by severity: 3 Critical, 4 High, 4 Medium, 3 Low.

Check each control above that's already in place. Status updates live.

Risk Rating Guide

Critical

Your domain can be spoofed today.

Fix these immediately. A missing SPF record or p=none DMARC policy allows anyone to send emails appearing to come from your domain.

High

Significant exposure — fix within 30 days.

High-risk gaps reduce your authentication coverage or weaken enforcement. Track these as security findings.

Medium

Gaps that reduce your protection or visibility.

Medium risks don't create an immediate spoofing window but reduce the reliability of your controls. Address within 90 days.

Low

Supplementary controls that add depth.

Good to have, but not immediately exploitable if missing. Include in your next scheduled email security review.

Automate this checklist with SpoofCheck

SpoofCheck analyses your domain's SPF and DMARC configuration in seconds. Enter a domain and get a risk score, a breakdown of every authentication gap, and a prioritised list of fixes — no manual DNS lookups required.

Run a free scan →

Need help fixing your email authentication?

Atumcell's email security team can implement and harden your SPF and DMARC configuration — and help you reach p=reject without breaking deliverability.

Frequently asked questions

What is email authentication and why does it matter?

Email authentication is a set of technical controls — SPF and DMARC — that allow receiving mail servers to verify that an email was sent by an authorised source. Without authentication, anyone can send emails that appear to come from your domain, enabling phishing, business email compromise (BEC), and brand impersonation attacks.

What is the difference between SPF and DMARC?

SPF (Sender Policy Framework) specifies which mail servers are authorised to send email from your domain. DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF by telling receiving servers what to do when authentication fails — and sends you reports on who is sending email from your domain.

How do I check if my domain can be spoofed?

You can check your domain's email authentication configuration instantly using SpoofCheck — Atumcell's free tool that analyses your SPF and DMARC setup and tells you exactly what's missing and what to fix. Alternatively, use the checklist on this page to audit each control manually.

What is p=none in DMARC and why is it a risk?

p=none is a DMARC monitoring-only mode. It tells receiving servers to take no action when authentication fails — they only send reports to the domain owner. While useful as a first step for understanding your sending environment, p=none provides zero protection against spoofing. You must move to p=quarantine or p=reject to actually stop spoofed emails from reaching inboxes.

Will fixing DMARC break my email?

If all your legitimate email senders are correctly listed in your SPF record, moving to p=quarantine or p=reject will not break your email. The risk of breakage comes from undocumented sending sources — services sending email from your domain that aren't listed in SPF. Start with p=none to collect aggregate reports, identify all sending sources, fix any missing configurations, then move to p=quarantine and finally p=reject.
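The p=none risk and the staged rollout described in the two answers above, as an added example (not SpoofCheck's or Atumcell's code): a small Python assessor that parses constructed SPF and DMARC TXT records and applies this page's rating guide. The two Critical conditions (no SPF record, a DMARC policy that is not quarantine or reject) come from the page; the sample domains and the High/Medium grades for a weak SPF qualifier, a missing rua= address and p=quarantine are my assumptions.

```python
# Constructed sample DNS TXT answers (not real domains). A DMARC record lives at _dmarc.<domain>.
SAMPLE_TXT = {
    "monitoring.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.test -all"],
    "_dmarc.monitoring.test": ["v=DMARC1; p=none; rua=mailto:dmarc@monitoring.test"],
    "unprotected.test": [],
    "_dmarc.unprotected.test": [],
    "hardened.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.hardened.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.test"],
}

def parse_spf(records):
    """Return the SPF mechanisms, or None when the domain has no single valid v=spf1 record."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    return spf[0].split()[1:] if len(spf) == 1 else None  # two SPF records are also invalid (RFC 7208)

def parse_dmarc(records):
    """Parse the 'tag=value; ...' pairs of a v=DMARC1 record into a dict with lower-cased tags."""
    for r in records:
        if r.lower().startswith("v=dmarc1"):
            pairs = (kv.strip().split("=", 1) for kv in r.split(";") if "=" in kv)
            return {k.strip().lower(): v.strip() for k, v in pairs}
    return None

def assess(domain, txt=SAMPLE_TXT):
    """Return (severity, finding) tuples; no SPF or a non-enforcing DMARC policy is Critical."""
    findings = []
    spf = parse_spf(txt.get(domain, []))
    if spf is None:
        findings.append(("Critical", "no valid SPF record: receivers cannot tell which servers may send"))
    elif not spf or spf[-1] not in ("-all", "~all"):
        # '+all', '?all' or no 'all' term at all leaves every unlisted sender authorised or neutral
        findings.append(("High", f"SPF does not end in -all/~all (last term {spf[-1] if spf else 'none'!r})"))
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append(("Critical", "no DMARC record: receivers take no action when SPF fails"))
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(("Critical", f"DMARC p={policy or 'missing'} is monitoring-only; move to p=quarantine, then p=reject"))
        elif policy == "quarantine":  # assumed grade: enforcement exists but the rollout is unfinished
            findings.append(("Medium", "DMARC p=quarantine: move to p=reject once reports show no legitimate failures"))
        if "rua" not in dmarc:
            findings.append(("Medium", "no rua= address: no aggregate reports, so sending sources stay invisible"))
    return findings

def status(findings):
    """Collapse findings into the page's headline: Spoofable while any Critical gap remains."""
    return "Spoofable" if any(sev == "Critical" for sev, _ in findings) else "Protected"
```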