Domain-security radar

The domains anyone can forge email from

Around 84% of domains have no enforcing DMARC — the DNS record that tells the world “reject email that isn’t really from me.” Without it (or with the monitor-only p=none), anyone can send email that looks exactly like it came from the domain: phishing its customers, invoicing its finance team, impersonating its brand. We measure this passively over public DNS — no mail sent, nothing connected to.

What the radar is seeing

  • 85 domains checked
  • 65 can be spoofed (no / monitor-only DMARC)
  • 76% of all checked domains are spoofable
  • 13 fully protected (DMARC p=reject)

Why this matters

SPF and DKIM aren’t enough on their own — only an enforcing DMARC policy stops someone forging the visible From: address your recipients actually see:

  • Business Email Compromise & invoice fraud — attackers email your finance team or customers as you, and the messages land in the inbox.
  • Phishing that passes every visual check — the sender domain is genuinely yours; there’s nothing for a user to spot.
  • Even domains that send no email are at risk — a parked or product domain with no DMARC can still be impersonated.

The fix is free and DNS-only: publish a DMARC record and move it to p=reject.

By TLD — where it's worst

  • .com: 19 spoofable of 26 (73%)
  • .app: 17 spoofable of 17 (100%)
  • .net: 6 spoofable of 9 (67%)
  • .de: 4 spoofable of 4 (100%)
  • .dev: 3 spoofable of 4 (75%)
  • .io: 1 spoofable of 3 (33%)

Are you exposed?

Check whether your domain can be spoofed — a free, passive look at your SPF/DMARC posture and the rest of your internet-facing surface, no signup.


How it works

How do you check this without sending email?

Purely from public DNS. We resolve the domain’s TXT record for SPF, its _dmarc TXT record for DMARC, and its MX records — the same lookups any mail server makes. We never send mail, connect to anything, or log in.

When do you call a domain “spoofable”?

When there is no DMARC record, or DMARC is set to p=none (monitor-only, no enforcement). Those are the cases where forged mail is actually delivered. p=quarantine we count as partial; p=reject as fully protected.
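The two answers above (a passive TXT lookup of `_dmarc.<domain>`, then the absent / p=none / p=quarantine / p=reject rule) as a worked example. This is added illustration code, not the radar's own implementation; the DNS answers are constructed inline so it runs offline, and the domain names are placeholders. It also covers two edge cases the rule implies but the text does not spell out: more than one DMARC record, and a non-DMARC string published at `_dmarc`.

```python
# Constructed stand-in for the answers to a "_dmarc.<domain>" TXT query.
# Each value is the list of TXT strings returned; [] means no record at all.
SAMPLE_DNS = {
    "monitor-only.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=100"],
    "protected.example": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"],
    "no-record.example": [],
    "two-records.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "wrong-record.example": ["v=spf1 -all"],  # SPF string published at _dmarc by mistake
}


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify(txt_records: list) -> str:
    """Apply the radar's rule: absent or p=none -> spoofable,
    p=quarantine -> partial, p=reject -> protected."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        # Zero DMARC records, or more than one, gives receivers no usable
        # policy (RFC 7489 section 6.6.3), so forged mail is delivered.
        return "spoofable"
    policy = parse_dmarc(dmarc[0]).get("p", "none").lower()
    if policy == "reject":
        return "protected"
    if policy == "quarantine":
        return "partial"
    return "spoofable"  # p=none, a missing p tag, or an unknown value


def summarize(dns: dict) -> dict:
    """Aggregate counts in the same shape as the radar's headline figures."""
    verdicts = [classify(records) for records in dns.values()]
    checked = len(verdicts)
    spoofable = verdicts.count("spoofable")
    return {
        "checked": checked,
        "spoofable": spoofable,
        "partial": verdicts.count("partial"),
        "protected": verdicts.count("protected"),
        "spoofable_pct": round(100 * spoofable / checked) if checked else 0,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_DNS))
```

To run it against a real domain, replace the constructed dictionary with the TXT strings returned by your resolver for `_dmarc.<domain>`; no mail needs to be sent.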

Why don't you list the spoofable domains?

Publishing them would be a ready-made target list for phishers. We keep domain names private for responsible disclosure to the owners and publish only aggregate counts. Use the scanner above to check your own domain.

Aggregates only. Passive, read-only DNS resolution; no mail sent; domain names withheld; affected owners notified via responsible disclosure — see our full Responsible Disclosure & Data Handling policy.

Updated Sun, 21 Jun 2026 04:41:36 GMT.

Seeing this scanner in your logs? It's us. Every genuine EchelonGraph request announces itself — like Googlebot — with the User-Agent EchelonGraph-<Radar>/1.0 (+echelongraph.io/responsible-disclosure; security@echelongraph.io) and a From: security@echelongraph.io header. It is a single, passive, read-only check — we never log in, exploit, write, or read your data. Genuine requests also carry a signed receipt you can validate at /verify-scan. See also: who we are, how we confirm exposures read-only, and how to opt out.