📧EmailHealthCheck

Is Your Email Setup Actually Secure?

Stop guessing. Get a clear, jargon-free report on your domain's SPF, DKIM, and DMARC configuration.

🤔 Is This Actually a Vulnerability?

Tired of "security researchers" emailing you about your DMARC settings? Here's the truth.

"Your DMARC is set to none" - Is this a vulnerability?

Not really. DMARC p=none means you're monitoring email authentication without enforcing it. This is the recommended starting point! It lets you collect reports and see what's happening before you start blocking emails. Many legitimate companies run in monitoring mode for months or years. It's only a problem if you never plan to upgrade to quarantine or reject.

"Your SPF uses ~all instead of -all" - Should I panic?

No. The difference between ~all (softfail) and -all (hardfail) is minimal in practice. Most email providers treat softfail almost the same as hardfail. Using ~all is actually safer during setup because it won't cause legitimate emails to be rejected if you forgot to include a sending source. Many security-conscious companies use ~all permanently.

Someone emailed saying my domain is "vulnerable" - is it real?

Probably not. A cottage industry exists of people who run automated scanners and email companies about "critical vulnerabilities" hoping for bug bounties or consulting fees. If someone tells you DMARC=none or SPF softfail is a "critical vulnerability", they're exaggerating. These are configuration choices, not security holes. A real vulnerability would let someone access your systems — email authentication records don't do that.

What's the minimum I need for email security?

At minimum: an SPF record listing your email providers, and ideally DMARC in monitoring mode. If you're using Google Workspace, Microsoft 365, or similar, they handle DKIM automatically. Start with monitoring, check the reports, and tighten the policy over time.
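
As an added illustration (not code from EmailHealthCheck), this Python example classifies raw SPF and DMARC TXT values along the lines of the answers above: which `all` qualifier SPF ends with, which DMARC policy is set, and whether a `rua` address is present so that monitoring mode actually produces reports. The function names, the `meets_minimum` rule, and the sample records are assumptions of this example.

```python
# Added example: function names, rules and sample records are assumptions, not the tool's code.
SPF_ALL = {"-all": "hardfail", "~all": "softfail", "?all": "neutral", "+all": "pass-all"}

def spf_posture(txt):
    """Classify an SPF TXT record by the qualifier on its 'all' mechanism."""
    terms = (txt or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return "absent"
    for term in terms[1:]:
        if term == "all":
            term = "+all"  # a bare mechanism defaults to the '+' qualifier
        if term in SPF_ALL:
            return SPF_ALL[term]
    # No 'all': the policy is either delegated via redirect= or left open.
    return "redirect" if any(t.startswith("redirect=") for t in terms) else "no-all"

def dmarc_posture(txt):
    """Return (policy, has_rua); policy is None when the record is missing or invalid."""
    pairs = [p.split("=", 1) for p in (txt or "").split(";") if "=" in p]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):  # the v tag must come first
        return None, False
    tagmap = dict(tags)
    policy = tagmap.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return None, False  # simplification: a bad or missing p is treated as invalid
    return policy, tagmap.get("rua", "").lower().startswith("mailto:")

def assess(spf_txt, dmarc_txt):
    """Summarise both records against the FAQ's advice (this example's reading of it)."""
    spf = spf_posture(spf_txt)
    policy, has_rua = dmarc_posture(dmarc_txt)
    notes = []
    if spf == "absent":
        notes.append("no SPF record: publish one listing your email providers")
    elif spf in ("pass-all", "neutral", "no-all"):
        notes.append("SPF never fails unlisted senders: end the record with ~all or -all")
    if policy is None:
        notes.append("no valid DMARC record: start with p=none and a rua address")
    elif not has_rua:
        notes.append("DMARC has no rua address, so no aggregate reports will arrive")
    elif policy == "none":
        notes.append("DMARC is in monitoring mode: read the reports, then tighten the policy")
    ok = spf in ("softfail", "hardfail", "redirect") and policy is not None
    return {"spf": spf, "dmarc": policy, "meets_minimum": ok, "notes": notes}

# Constructed sample records (example.com and the include target are placeholders).
SAMPLE_SPF = "v=spf1 include:_spf.mailprovider.example ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
```

Calling `assess(SAMPLE_SPF, SAMPLE_DMARC)` reports softfail SPF with DMARC in monitoring mode, which this example counts as meeting the minimum; a `p=none` record with no `rua` tag is flagged because it collects nothing.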

My score is B or C - is that bad?

A B or C score means you have the basics in place but haven't locked everything down. For most small businesses, this is fine! Focus on getting to B (SPF + DMARC monitoring). Moving to A requires strict policies that can cause legitimate email delivery issues if misconfigured. Don't chase a perfect score if it means breaking your email.

Should I pay for email security monitoring?

For most small companies: no. Free DMARC aggregate reports (sent to the email you specify in your DMARC record) are usually enough. Paid services are useful if you send millions of emails and need detailed forensics, or if you don't have time to read XML reports. But you can start for free and upgrade later if needed.
