Email spoofing is the practice of forging the sender address of an email to make it appear to come from a trusted source. It is the primary vector for phishing, business email compromise (BEC), and social engineering attacks. Three DNS records protect against spoofing: SPF (Sender Policy Framework) lists authorized sending servers, DKIM (DomainKeys Identified Mail) adds a cryptographic signature, and DMARC defines the policy for handling emails that fail SPF or DKIM.

InfraHub's analyzer queries these records for any domain and explains exactly what they mean and whether they provide adequate protection.

The tool performs DNS TXT record lookups for SPF (v=spf1 records), DMARC (_dmarc subdomain TXT records), and DKIM (selector-based TXT lookups). SPF records are parsed to identify authorized IP ranges and sending domains. DMARC records are parsed to extract the policy directive (none, quarantine, reject) and reporting addresses. Results are presented with a risk assessment and specific remediation recommendations.

Security engineers audit email security posture for their organization's domains. IT administrators verify that email security records are correctly configured after migrating to a new email provider. Bug bounty hunters assess the email security of target domains as part of reconnaissance. Domain owners who received phishing complaints investigate why spoofed emails are reaching inboxes despite having SPF records.