Enter your domain below and find out in seconds whether attackers can send emails pretending to be your business, whether your emails are landing in spam, and what's missing from your email security setup.
Most Indiana business owners assume that because they have a business email address — [email protected] — their email is secure. The reality is that having a domain name doesn't automatically protect it. Without proper configuration, anyone in the world can send an email that looks like it came from your business domain.
This is called email spoofing, and it's the foundation of the majority of business email compromise (BEC) attacks. An attacker sends an email to your employee, client, or vendor — appearing to come from your address — asking them to wire money, share credentials, or click a malicious link. The recipient trusts it because it looks like it's from you.
Three email authentication records — SPF, DKIM, and DMARC — are the technical defenses that prevent this. Together they verify that emails claiming to come from your domain actually did. Without all three properly configured, your domain is exposed — and most Indiana businesses have gaps in at least one of them.
Real-world example: A vendor receives an email from [email protected] asking for a wire transfer to a new bank account. It looks authentic — right name, right signature. But it was sent by an attacker who spoofed the domain. Without DMARC enforcement, that email reaches the inbox every time. With proper DMARC, it's rejected before anyone ever sees it.
Without DMARC enforcement, attackers can send emails that appear to come from your exact domain to anyone — employees, clients, vendors — with no technical barrier.
Missing or misconfigured SPF and DKIM cause legitimate emails to be flagged as suspicious by Gmail, Outlook, and other providers — landing in spam instead of inboxes.
BEC attacks cost businesses billions annually. The attack doesn't require malware — just a spoofed email that looks legitimate. DMARC stops the spoofed email from ever being delivered.
Since February 2024, Google and Yahoo require SPF, DKIM, and DMARC for bulk senders. Businesses without proper records face increasing deliverability problems.
Years of sending email build a deliverability reputation. A single spoofing attack or blacklisting event can damage that reputation and affect deliverability for months.
SPF stands for Sender Policy Framework. It's a DNS record that tells the world which email servers are authorized to send email on behalf of your domain. Think of it like a guest list for your email.
When someone receives an email claiming to come from [email protected], their email server checks your SPF record: "Is this email coming from a server that's authorized to send for this domain?" If yes, the email passes. If no — if the email is coming from an unauthorized server — the receiving server knows something is wrong.
Without an SPF record, receiving servers can't verify whether emails from your domain are legitimate. This makes your domain significantly easier to spoof, and many providers will mark your legitimate emails as suspicious because they can't confirm they came from an authorized source.
SPF alone isn't enough — it works best when combined with DKIM and DMARC — but it's the essential first layer of your email authentication stack.
An email is sent from your Microsoft 365 or Google Workspace account claiming to be from [email protected].
The receiving server looks up your domain's SPF record in DNS to see which servers are authorized to send email for you.
The server compares the IP address of the server that sent the email against the list in your SPF record.
If the sending server is on your authorized list, SPF passes. If not, SPF fails — signaling a potential spoofing attempt.
✓ SPF Pass: Email is from an authorized server. Proceeds to DKIM and DMARC checks.
⚠ SPF Fail: Email is from an unauthorized server. Receiving server may reject or flag as suspicious.
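The four steps above, written out as an added Python example (not code from this page or from any mail provider). The TXT records, domain names and IP ranges are constructed for illustration, and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled so that it runs without live DNS.

```python
import ipaddress

# Constructed TXT records (documentation-reserved names and address ranges).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, txt=TXT):
    """Evaluate sender_ip against the SPF record published for domain.

    Handles ip4, ip6, include and all. Mechanisms that need live DNS
    (a, mx, exists, redirect) are ignored in this offline sketch.
    """
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return "none"  # the DNS lookup found no SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a bare mechanism means "pass on match"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # compare the connecting IP with each authorized range
            network = ipaddress.ip_network(value, strict=False)
            matched = ip.version == network.version and ip in network
        elif name == "include":
            # an include matches only if the included record returns "pass"
            inner = check_spf(sender_ip, value, txt)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            matched = name == "all"
        if matched:
            return QUALIFIERS[qualifier]  # the first matching term decides
    return "neutral"
```

A server inside one of the listed ranges gets `pass`; any other address falls through to `-all` and gets `fail`.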
Think of DKIM like a wax seal on a medieval letter. When you send a letter, you press your unique seal into wax to prove it came from you. If someone intercepts and tampers with the letter, the seal breaks. The recipient can verify the seal matches yours and hasn't been broken.
DKIM does the same for email — using cryptographic key pairs instead of wax seals. Every outgoing email gets a unique digital signature. If the email is tampered with in transit, the signature fails.
Private key: Stored securely on your email server. Used to sign every outgoing email. Never shared publicly.
Public key: Published in your domain's DNS. Anyone can use it to verify your email signature. Accessible to all.
DKIM stands for DomainKeys Identified Mail. It adds a cryptographic digital signature to every outgoing email from your domain. This signature proves two things: (1) the email was actually sent from your domain, and (2) the content wasn't altered between when you sent it and when it was received.
Unlike SPF, which verifies the sending server, DKIM verifies the email's content and origin together. This is a critical second layer of protection — especially important because SPF can fail in legitimate scenarios like email forwarding, where DKIM continues to work correctly.
Most modern email platforms (Microsoft 365, Google Workspace) support DKIM natively, but it must be properly configured for your domain. Many Indiana businesses have email platforms that could sign emails but haven't had DKIM properly enabled and verified — leaving a gap in their protection.
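The "content wasn't altered" half of DKIM can be shown without any keys: the `bh=` tag in the signature header is a hash of the canonicalized body. The following added Python example (not from this page) checks only that body hash, under the assumption of `a=rsa-sha256` with relaxed body canonicalization; verifying the `b=` signature against the public key in DNS is left out, and the message, selector and domain are constructed.

```python
import base64
import hashlib
import re


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # collapse runs of spaces/tabs, then drop whitespace at end of line
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # ignore empty lines at the end of the body
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    digest = hashlib.sha256(canon_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode()


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def body_hash_matches(dkim_header: str, body: bytes) -> bool:
    tags = parse_tags(dkim_header)
    if tags.get("a") != "rsa-sha256" or not tags.get("c", "").endswith("/relaxed"):
        raise ValueError("sketch only handles a=rsa-sha256 with relaxed body")
    return tags.get("bh") == body_hash(body)


# Constructed message; the signer computes bh= over the body it sent.
SENT = b"Invoice 1042 is attached.\r\nPay to account ending 1111.\r\n"
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
          "h=from:to:subject; bh=" + body_hash(SENT) + "; b=<signature omitted>")

# A forwarder that only touches whitespace leaves the hash intact ...
FORWARDED = b"Invoice 1042 is attached.  \r\nPay to  account ending 1111.\r\n\r\n"
# ... while any change to the content does not.
TAMPERED = SENT.replace(b"1111", b"9999")
```

`body_hash_matches(HEADER, FORWARDED)` is true and `body_hash_matches(HEADER, TAMPERED)` is false, which is why DKIM survives forwarding while still catching edits.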
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It's the third and most powerful layer — the one that actually enforces the rules set by SPF and DKIM.
Without DMARC, even a failed SPF or DKIM check might still result in the email being delivered. DMARC gives you control over what happens to those failed emails — and reports on who is using your domain to send email, both legitimate sources and unauthorized ones.
p=none: Failed emails are still delivered. DMARC only collects reports. Good for initial monitoring, but provides no protection. Most businesses need to advance quickly.
p=quarantine: Emails failing authentication go to the recipient's spam folder. Provides partial protection — spoofed emails are less likely to be seen but still arrive.
p=reject: Emails failing authentication are rejected outright before reaching the recipient. This is full DMARC enforcement — the goal for every Indiana business.
When DMARC is configured with reporting, you receive aggregate reports from major email providers showing exactly who is sending email using your domain — your own servers, authorized services, and anyone attempting to spoof you.
DMARC checks "alignment" — ensuring the domain in your visible "From" header matches the domain verified by SPF or DKIM. This prevents sophisticated spoofing attacks that pass SPF alone.
Since February 2024, Google and Yahoo require DMARC for bulk senders. Even businesses sending lower volume face stricter deliverability enforcement. DMARC is no longer optional for businesses that rely on email.
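How a receiver combines the SPF and DKIM results with alignment and the published policy, as an added Python example (not code from this page or from any mail provider). The messages and domains are constructed, and the organizational domain is approximated as the last two labels, where real receivers consult the Public Suffix List.

```python
def org_domain(domain):
    """Simplified organizational domain: the last two labels.

    Assumption for this sketch; real receivers use the Public Suffix List.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """Relaxed ('r') compares organizational domains, strict ('s') exact names."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc(record):
    tags = dict((k.strip().lower(), v.strip()) for k, _, v in
                (p.partition("=") for p in record.split(";") if "=" in p))
    valid = tags.get("v") == "DMARC1" and tags.get("p") in ("none", "quarantine", "reject")
    return tags if valid else None


def dmarc_disposition(msg, record):
    """msg holds from_domain, spf=(result, MAIL FROM domain), dkim=(result, d=)."""
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "deliver (no DMARC policy)"
    spf_result, spf_domain = msg["spf"]
    dkim_result, dkim_domain = msg["dkim"]
    spf_ok = spf_result == "pass" and aligned(
        msg["from_domain"], spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        msg["from_domain"], dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver (DMARC pass)"
    return {"none": "deliver (report only)", "quarantine": "spam folder",
            "reject": "reject"}[policy["p"]]


# Constructed messages. SPOOFED passes SPF for the sender's own envelope
# domain, but that domain does not align with the visible From domain.
LEGIT = {"from_domain": "example.com",
         "spf": ("pass", "bounce.example.com"), "dkim": ("pass", "example.com")}
FORWARDED = {"from_domain": "example.com",
             "spf": ("fail", "example.com"), "dkim": ("pass", "example.com")}
SPOOFED = {"from_domain": "example.com",
           "spf": ("pass", "mailer.example.net"), "dkim": ("none", "")}
```

The same `SPOOFED` message is delivered under `p=none` or with no record at all, goes to spam under `p=quarantine`, and is refused under `p=reject`.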
SPF verifies the sending server. DKIM verifies the email's content integrity. DMARC enforces the rules and reports on violations. All three are required for complete protection — which is exactly what the checker below assesses.
Most Indiana businesses we check have at least one gap — and many have all three missing or misconfigured. The good news: every one of these issues is fixable. SPF, DKIM, and DMARC are DNS record changes. Once properly configured and tested, they protect your domain continuously with no ongoing action required from your team.
Here's exactly what Ma3SP does when gaps are found. These aren't recommendations in a report you figure out yourself — we implement everything:
We write a correct SPF record listing all your authorized email sending sources and publish it to your DNS. We test it and verify it passes for every sending platform your business uses.
We enable DKIM signing in your email platform (Microsoft 365 or Google Workspace) and publish the public key to your DNS. We verify the signature is valid before sign-off.
We create your DMARC record with reporting configured, start at p=none to gather data, then advance to p=quarantine and p=reject as your sending sources are verified — safely, without breaking legitimate email.
Once records are in place and enforced, we include email authentication monitoring in managed IT support — so you're alerted to new spoofing attempts or configuration drift before they cause problems.
Whether your domain came back with a high-risk score or you simply want an expert to verify your configuration is correct — Ma3SP configures and manages email authentication for Indiana businesses as part of both standalone cybersecurity services and managed IT support.
The free IT checkup covers your email security as one of its 12 review areas — giving you a complete picture alongside your other security gaps, not just email in isolation.
Most tools give you a score and a list of technical jargon to figure out yourself. Ma3SP explains what it means in plain English and implements every fix.
SPF, DKIM, and DMARC are technical — but we explain what's wrong and why it matters in a way your whole team can understand. No acronym soup, no IT degree required.
Unlike tools that hand you a report and leave you to figure it out, Ma3SP makes the actual DNS changes, verifies them, and monitors them ongoing. Your gaps get closed, not just documented.
Email authentication is one of 8 security layers Ma3SP implements. Fixing DMARC without addressing endpoint security, MFA, or backup is like locking one door while leaving others open.
DMARC reports show who is sending email using your domain — both authorized sources and spoofing attempts. We include email authentication monitoring in our managed IT support plans.
You work with Graham Pearson directly — not a vendor support queue. He configures your email security, tests it, monitors it, and answers the phone when something needs adjusting.
Based in Goshen, serving businesses across northern Indiana. When you call about your domain results, you're talking to someone who understands Indiana businesses — not a national call center.
These are the issues Ma3SP finds most frequently when reviewing email security for Indiana businesses — and what each gap means for your domain's protection.
The most basic gap — the domain has no SPF record. Any server in the world can send email claiming to be from this domain with no technical barrier.
SPF records are limited to 10 DNS lookups. Businesses using multiple email platforms often exceed this limit, causing SPF to return a "permerror" and fail — even for legitimate emails.
Microsoft 365 and Google Workspace support DKIM but it must be explicitly enabled. Many businesses use these platforms for years without ever enabling DKIM, leaving all outgoing emails unsigned.
DKIM keys become invalid when changing email platforms or rotating keys without updating DNS. Old keys cause DKIM failures even when DKIM appears to be enabled.
The most dangerous gap. Without DMARC, there is zero enforcement on emails that fail SPF or DKIM. Spoofed emails can reach any inbox. This is the situation most Indiana businesses are currently in.
Many businesses have a DMARC record but left it at p=none — monitor-only mode. Spoofed emails are still delivered. The business receives reports but has no actual enforcement protecting anyone.
When SPF fails, DKIM is missing, or DMARC isn't configured, many providers flag legitimate emails as suspicious and route them to spam — directly impacting client communication and invoice delivery.
Without the rua= tag in your DMARC record, you receive no aggregate reports. You're blind to who is sending email using your domain. You won't know your domain is being spoofed until damage is done.
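Several of the gaps listed above can be detected from the published DNS records alone. The following added Python example (not Ma3SP's checker and not code from this page) audits a constructed set of TXT records for a missing SPF record, the 10-lookup limit, a missing DMARC record, `p=none`, and a missing `rua=` tag; DKIM is not covered because checking it requires knowing the selector.

```python
import re

LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed zone data (reserved .example names, documentation IP ranges).
ZONE = {
    "shop.example": "v=spf1 include:_spf.crm.example include:_spf.mail.example "
                    "include:_spf.news.example a mx -all",
    "_spf.crm.example": "v=spf1 include:a.crm.example mx ~all",
    "a.crm.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_spf.mail.example": "v=spf1 include:a.mail.example mx ~all",
    "a.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.news.example": "v=spf1 a mx exists:%{i}.bl.news.example ~all",
    "_dmarc.shop.example": "v=DMARC1; p=none",
    "ok.example": "v=spf1 ip4:203.0.113.0/24 include:a.mail.example -all",
    "_dmarc.ok.example": "v=DMARC1; p=reject; rua=mailto:dmarc@ok.example",
}


def spf_lookups(domain, txt, path=()):
    """Count SPF terms that trigger DNS queries, following include/redirect."""
    record = txt.get(domain, "")
    if domain in path or not record.startswith("v=spf1"):
        return 0  # loop guard, or nothing to follow
    count = 0
    for term in record.split()[1:]:
        m = re.match(r"[+\-~?]?([A-Za-z0-9]*)(?:[:=]([^/\s]+))?", term)
        name, target = m.group(1).lower(), m.group(2)
        if name in LOOKUP_TERMS:
            count += 1
            if name in ("include", "redirect") and target:
                count += spf_lookups(target, txt, path + (domain,))
    return count


def audit(domain, txt=ZONE):
    """Return the gaps found in a domain's published SPF and DMARC records."""
    gaps = []
    if not txt.get(domain, "").startswith("v=spf1"):
        gaps.append("no SPF record")
    elif spf_lookups(domain, txt) > 10:
        gaps.append("SPF needs more than 10 DNS lookups (permerror)")
    dmarc = txt.get("_dmarc." + domain, "")
    tags = dict((k.strip().lower(), v.strip()) for k, _, v in
                (p.partition("=") for p in dmarc.split(";") if "=" in p))
    if tags.get("v") != "DMARC1":
        gaps.append("no DMARC record")
    else:
        if tags.get("p") == "none":
            gaps.append("DMARC left at p=none (monitor only)")
        if "rua" not in tags:
            gaps.append("no rua= address, so no aggregate reports")
    return gaps
```

The top-level record for `shop.example` shows only five lookup terms, but the nested includes bring the total to 12, which is how a domain with a few third-party senders ends up over the limit without anyone noticing.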
"MA3SP has a deep knowledge in the tech world and extensive educational background that sets them apart. Their cybersecurity solutions keep our data safe and their proactive approach has minimized downtime."
"Ma3SP exceeded our expectations with their personalized support and proactive monitoring. Their cybersecurity solutions keep our data safe, and their backup and recovery plans ensure we never lose critical information."
"I am very thankful for Graham and Ma3SP. Graham is focused on making sure we are utilizing our systems fully and finding ways to save money, time, and resources for our business."
Yes — and it's easier than most business owners realize. Without DMARC enforcement on your domain, any person anywhere in the world can send an email that appears to come from your exact email address. Their email client might show "From: [email protected]" with no visible indication it wasn't sent from your account. This is called email spoofing and it's the foundation of business email compromise (BEC) attacks. DMARC with p=reject policy tells receiving servers to reject those spoofed emails before they ever reach anyone's inbox.
The most common technical causes of legitimate emails landing in spam are: missing or misconfigured SPF record (the receiving server can't verify your sending source is authorized), missing DKIM signature (the email isn't cryptographically verified), or missing/unenforced DMARC record (no policy tells providers what to do with suspicious emails). The domain checker above will identify which of these apply to your domain. Ma3SP fixes each one as part of our cybersecurity and managed IT services.
SPF verifies that your email is coming from an authorized sending server — it's a list of servers allowed to send on your behalf. DKIM adds a cryptographic digital signature to every outgoing email, proving it came from your domain and wasn't altered in transit. DMARC ties SPF and DKIM together — it tells receiving servers what to do when emails fail those checks (allow, quarantine, or reject) and sends you reports about who is using your domain to send email. All three work together; none of them alone is sufficient for complete protection.
Partially. Both platforms provide default SPF records and default DKIM signing, but "default" is not the same as "correctly configured for your domain." Microsoft 365 requires you to manually enable custom DKIM signing for your domain in the Defender portal and add DKIM CNAME records to your DNS — this is not done automatically. DMARC must be created and published by you regardless of which platform you use. Additionally, if you use any third-party tools to send email (marketing automation, CRM, invoicing software), each one needs to be added to your SPF record and may need its own DKIM configuration.
Not if done correctly — and this is why the implementation process matters. The safe approach starts with DMARC at p=none (monitor only) while collecting aggregate reports showing every source sending email using your domain. Once all legitimate sources are identified and verified, we advance to p=quarantine and then p=reject. Jumping straight to p=reject without first mapping your email ecosystem can interrupt legitimate email delivery. Ma3SP manages this process carefully to ensure no legitimate email is affected.
For most Indiana businesses, creating and publishing SPF, DKIM, and DMARC records can be completed within one business day once we've assessed your email environment. DNS propagation typically takes a few hours after the records are published. The longer process is advancing DMARC from p=none to p=reject enforcement, which involves reviewing aggregate reports over several weeks to ensure all legitimate sending sources are captured. Book the free IT checkup and we'll assess your specific situation and give you a clear timeline.
Once SPF, DKIM, and DMARC are properly configured and enforced, the records themselves are stable. However, your email environment changes over time — you add a new marketing tool, change email platforms, or a third-party service needs to be added to your SPF record. Any of these changes can break authentication. Ma3SP includes DMARC report monitoring in managed IT support, which catches configuration drift and new spoofing attempts continuously rather than relying on periodic manual checks.
DMARC specifically protects your domain from being used to spoof others — it prevents attackers from sending email appearing to come from yourcompany.com to your clients, vendors, and partners. It does not protect your employees from receiving phishing emails sent from other domains impersonating someone else. Protecting your team from incoming phishing requires email filtering, anti-phishing tools, and security awareness training — all of which are part of Ma3SP's cybersecurity services. Email authentication and inbound email security are complementary layers that work together.
The rua= tag in your DMARC record specifies where aggregate reports should be sent. These reports come from major email providers (Gmail, Outlook, Yahoo, etc.) and show exactly who is sending email using your domain — your authorized sources, unauthorized attempts, and anything failing authentication. Without a rua= tag, you receive no reports and are completely blind to spoofing attempts until after damage is done. Ma3SP configures DMARC reporting and reviews aggregate reports as part of ongoing email security monitoring.
Yes, completely free and no account is required. The checker queries publicly available DNS records for your domain using standard DNS lookup protocols. Anyone can run a domain check — your business, your clients, your vendors, or anyone evaluating whether a domain is properly protected. The plain-language interpretation of your results is provided by Ma3SP as a free educational resource for Indiana businesses. If your results show gaps, the follow-up consultation with Ma3SP is also free.
Whether your domain came back with a high-risk score, a warning, or you want an expert to verify your green score is genuinely solid — Ma3SP configures and manages email authentication for Indiana businesses as part of both cybersecurity services and managed IT support. The free IT checkup covers email security as one of 12 review areas.