SPF · DKIM · DMARC
Check a domain's email authentication
See whether a domain has SPF, DKIM, and DMARC set up — the DNS records that stop scammers from spoofing email from that domain — and get an overall grade. We also check DNSSEC, CAA, and MTA-STS.
Email authentication
cactus.net
How well this domain is protected against email spoofing.
Auth grade
- At least one DKIM signing key was found.
SPF
Sender Policy Framework
- Policy: Strict — unauthorized senders are rejected (-all)
v=spf1 include:spf.protection.outlook.com -all
DMARC
DMARC policy
- Policy: Reject — spoofed mail is blocked (strongest)
- Aggregate reporting (rua): Present
v=DMARC1; p=reject; rua=mailto:info@cactus.net
DKIM
DomainKeys Identified Mail
- Selectors found: selector1, selector2
DKIM keys are published under a selector name that can't be discovered from DNS, so Cactus probes only common selectors. "Not detected" does not necessarily mean DKIM is absent.
Extra
Extra DNS hygiene
These don't change the email grade above, but they're good signs of a carefully secured domain.
- DNSSEC: Missing
Not detected. DNSSEC signs DNS records so they can't be forged in transit. Many domains still don't use it.
- CAA records: Missing
Not found. CAA records restrict which certificate authorities can issue certificates for your domain — a useful safeguard.
- MTA-STS: Missing
Not detected. MTA-STS forces inbound email to use encryption, blocking downgrade attacks. (We check the DNS record only, not the policy file.)
- TLS reporting (TLS-RPT): Missing
Not found. TLS-RPT collects reports about failed encrypted email delivery — useful alongside MTA-STS.
This reflects the domain's published DNS policy right now. A strong policy makes spoofing harder but does not guarantee every message is legitimate, and DKIM is detected only for common selectors.
Frequently asked questions
What are SPF, DKIM, and DMARC?
They're DNS records that prove an email really came from a domain and stop spammers from spoofing it. DMARC ties SPF and DKIM together and tells receivers what to do with fakes.
How do I check if my domain can be spoofed?
Enter your domain here. We look up its SPF, DKIM, and DMARC records and explain whether they protect against impersonation.
What are DNSSEC, CAA, and MTA-STS?
Extra DNS protections. DNSSEC cryptographically signs a domain's DNS so answers can't be forged; CAA limits which authorities may issue its TLS certificates; MTA-STS forces inbound email to use encryption. We report whether each is published.