Introduction
You receive an angry email from a stranger claiming you sent them spam. Or worse—your friends report getting phishing emails from your address. These are clear signs your email might be compromised or spoofed. But how can you tell for sure? And what can you do to protect yourself? This comprehensive guide explains exactly how to check if your email has been hacked, what SPF, DMARC, and DKIM records mean, and how these technical safeguards protect you from email spoofing and phishing attacks. We'll also show you how to use free tools to verify your email security in under 60 seconds. (Don't overlook password security—learn about common password mistakes that often lead to email compromise.)
Signs Your Email Might Be Hacked or Spoofed
Recognize the warning signs before serious damage occurs.
Direct Evidence of Compromise
You should investigate immediately if:
• Sent folder contains emails you didn't send
• Password reset emails for accounts you didn't request
• Friends receive spam emails from your address
• Bounce-back messages for emails you never sent
• Unusual login alerts from unknown locations
• Account locked due to suspicious activity
• Two-factor authentication codes you didn't request
These indicate someone has actual access to your account—change your password immediately.
Email Spoofing (Different from Hacking)
Spoofing signs:
• People receive emails that appear to be from you, but they're not in your sent folder
• The "from" address looks like yours but has subtle differences
• Your domain is being used to send spam, but your account still works normally
Key difference:
• Hacking = Someone logs into your actual account
• Spoofing = Someone forges the "from" address to impersonate you
Spoofing is more common and easier to do, but proper email authentication (SPF/DMARC/DKIM) prevents it.
What Are SPF, DMARC, and DKIM? (Simple Explanation)
These are security measures that prove emails are legitimate.
SPF (Sender Policy Framework)
What it does:
SPF is a list of mail servers authorized to send email from your domain.
How it works:
1. Your domain publishes an SPF record: "Only these servers can send email for @example.com"
2. When email arrives, receiving servers check: "Did this come from an approved server?"
3. If yes → delivered. If no → flagged as spam or rejected.
Example SPF record:
"v=spf1 include:_spf.google.com ~all"
This says "only Google's servers can send email for my domain."
Why it matters:
Without SPF, anyone can claim to send email from your domain—making spoofing trivial.
DKIM (DomainKeys Identified Mail)
What it does:
DKIM adds a digital signature to emails proving they haven't been tampered with.
How it works:
1. Your email server "signs" outgoing messages with a private key
2. Your domain publishes the matching public key in DNS
3. Receiving servers verify the signature matches
4. If signature is valid → email is authentic and unmodified
Why it matters:
• Proves email actually came from your domain
• Detects if message was altered in transit
• Builds sender reputation
DKIM signature looks like:
A header in the email containing encrypted verification data.
DMARC (Domain-based Message Authentication)
What it does:
DMARC tells receiving servers what to do when SPF or DKIM fail.
How it works:
1. Your domain publishes a DMARC policy: "If SPF/DKIM fail, quarantine or reject the email"
2. Receiving servers follow your instructions
3. You get reports about failed authentication attempts
DMARC policies:
• None: Monitor only (don't block anything)
• Quarantine: Send suspicious emails to spam folder
• Reject: Block suspicious emails completely
Why it matters:
DMARC is the enforcement mechanism—SPF and DKIM check authenticity, but DMARC says "here's what to do about fakes."
Example DMARC record:
"v=DMARC1; p=reject; rua=mailto:admin@example.com"
This says "reject emails that fail SPF/DKIM, and send me reports."
How to Check Your Email Authentication Records
Verify your domain's email security configuration in seconds.
Using Our Free SPF/DMARC/DKIM Checker
1. Visit our SPF/DMARC/DKIM Checker
2. Enter your email domain (e.g., example.com)
3. Click "Check Records"
4. Review results:
• SPF: Shows authorized mail servers
• DMARC: Shows policy (none/quarantine/reject)
• DKIM: Shows if DKIM is configured
• Status: Pass/Fail for each record
What good results look like:
âś“ SPF record found with valid syntax
âś“ DMARC policy set to "quarantine" or "reject"
âś“ DKIM selector configured
Red flags:
âś— No SPF record found
âś— No DMARC policy (or set to "none")
âś— Invalid syntax in records
âś— Overly permissive SPF (too many allowed servers)
Understanding Your Results
If all three pass:
Your email is well-protected against spoofing. Legitimate emails from your domain will be trusted; fake ones will be blocked.
If SPF is missing:
Anyone can spoof your email address easily. Set up SPF immediately through your domain registrar or email provider.
If DMARC is missing or set to "none":
Even if SPF/DKIM exist, there's no enforcement—receiving servers might still accept spoofed emails. Upgrade to "quarantine" or "reject."
If DKIM is missing:
Your emails can't be verified as authentic, reducing deliverability and making spoofing easier.
How to Set Up SPF, DMARC, and DKIM
Protect your email domain with proper authentication.
Step 1: Set Up SPF
For Gmail/Google Workspace:
1. Log into your domain registrar (GoDaddy, Namecheap, etc.)
2. Go to DNS settings
3. Add TXT record:
• Host: @ (or your domain)
• Value: v=spf1 include:_spf.google.com ~all
4. Save changes (takes 1-48 hours to propagate)
For Microsoft 365/Outlook:
1. Log into your domain registrar (GoDaddy, Namecheap, etc.)
2. Go to DNS settings
3. Add TXT record:
• Host: @ (or your domain)
• Value: v=spf1 include:spf.protection.outlook.com ~all
4. Save changes (takes 1-48 hours to propagate)
For custom mail servers:
Consult your email provider for the correct SPF record.
Important: Only one SPF record per domain. If you use multiple services, combine them:
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
Step 2: Set Up DKIM
For Gmail/Google Workspace:
1. Admin Console → Apps → Google Workspace → Gmail
2. Click "Authenticate email"
3. Generate DKIM key
4. Copy the DNS record provided
5. Add TXT record to your domain's DNS
6. Wait for propagation, then click "Start Authentication"
For Microsoft 365/Outlook:
1. Go to Microsoft 365 Defender portal (security.microsoft.com)
2. Navigate to Email & Collaboration → Policies & Rules → Threat Policies
3. Click DKIM
4. Select your domain
5. Copy the two CNAME records provided
6. Add both CNAME records to your domain's DNS
7. Wait for propagation (24-48 hours), then enable DKIM signing
Note: DKIM is automatic for *.onmicrosoft.com domains. Custom domains require DNS setup.
Verification:
Send test email to yourself and check headers for "DKIM-Signature" field.
Step 3: Set Up DMARC
Create DMARC record:
1. Go to DNS settings
2. Add TXT record:
• Host: _dmarc (or _dmarc.yourdomain.com)
• Value: v=DMARC1; p=quarantine; rua=mailto:your-email@domain.com
DMARC policy levels:
• Start with p=none (monitor only) for 2-4 weeks
• Review reports to ensure legitimate mail passes
• Upgrade to p=quarantine (spam folder for failures)
• Finally move to p=reject (block completely) for maximum protection
Example progressive DMARC:
Week 1-4: v=DMARC1; p=none; rua=mailto:reports@domain.com
Week 5-8: v=DMARC1; p=quarantine; rua=mailto:reports@domain.com
Week 9+: v=DMARC1; p=reject; rua=mailto:reports@domain.com
This gradual approach prevents accidentally blocking legitimate emails.
What to Do If Your Email Is Actually Hacked
Immediate steps to secure your compromised account.
Emergency Response (Do This Now)
Within 5 minutes:
1. Change password immediately to strong unique password
2. Enable two-factor authentication (2FA)
3. Check "connected apps" and revoke suspicious access
4. Review forwarding rules (hackers often add auto-forwarding)
5. Check filters (auto-delete security alerts)
6. Review sent folder and delete spam
Within 1 hour:
7. Notify contacts that your email was compromised
8. Check for password reset emails to other accounts
9. Change passwords on accounts using the same password
10. Scan computer for malware (keyloggers)
11. Check haveibeenpwned.com for breaches
Within 24 hours:
12. Monitor bank/credit card statements
13. Check credit report for fraud
14. Set up account alerts
15. Consider changing email address if severely compromised
Prevent Future Hacks
Essential security measures:
• Use unique strong passwords (16+ characters)
• Enable 2FA on all important accounts
• Don't click links in unexpected emails
• Use password manager
• Keep software updated
• Don't use public WiFi for sensitive accounts
• Set up SPF/DMARC/DKIM to prevent spoofing
Verify with our tools:
• Email Validator - Check if email addresses are valid
• Email Auth Checker - Verify SPF/DMARC/DKIM setup
Business Email Compromise (BEC) Protection
Special considerations for business domains.
Why BEC Is So Dangerous
Business Email Compromise statistics:
• $1.8 billion lost to BEC scams in 2023
• 98% of employees can't identify sophisticated phishing
• Average BEC attack steals $75,000
• CEO email spoofing is most common tactic
Common BEC scenarios:
1. Fake invoice from "vendor" with new bank details
2. CEO asks employee to urgently wire money
3. HR receives "employee" request to change direct deposit
4. Accountant gets "urgent payment" request from executive
All rely on email spoofing—proper authentication prevents these.
Enterprise Email Protection
Required for business domains:
1. Strict DMARC policy (p=reject)
2. DKIM signing for all outgoing mail
3. SPF records covering all sending sources
4. Regular authentication audits
5. Employee phishing training
6. Email filtering (spam/malware)
7. Advanced threat protection
Additional measures:
• Display name spoofing detection
• External email warnings
• Link/attachment sandboxing
• Suspicious login alerts
• Privileged account monitoring
Key Takeaways
Email security isn't optional anymore—with phishing attacks increasing 500% in recent years, proper authentication is your first line of defense. SPF, DMARC, and DKIM work together to ensure emails claiming to be from your domain are actually legitimate, protecting both you and your recipients from spoofing and fraud. Whether you're an individual user or managing a business domain, setting up these protections takes less than an hour but provides permanent security benefits. Use our free SPF/DMARC/DKIM Checker to verify your current configuration, then follow the setup guides to close any gaps. Also ensure you've got strong, unique passwords protecting your accounts and error-free professional communications as additional security layers. Don't wait until you're dealing with a compromised account, angry recipients, or financial loss—check your email authentication today and take control of your email security.
Frequently Asked Questions
Q1Can I be hacked even with SPF/DMARC/DKIM set up?
Yes, but these protect against spoofing, not account compromise. If someone steals your actual password, they can log into your account regardless of authentication records. Use strong passwords and 2FA to prevent account takeover. SPF/DMARC/DKIM prevent others from impersonating your email address.
Q2Why do I still receive spam from my own email address?
You're seeing spoofing—the "from" address is forged, but the email didn't come from your account. Check your sent folder; if it's empty, your account isn't compromised. Set up SPF/DMARC to prevent others from spoofing your address to others (though it won't stop spoofed emails to yourself).
Q3Will strict DMARC (p=reject) block legitimate emails?
Only if they fail authentication. Start with p=none to monitor, review reports for 2-4 weeks to catch any legitimate senders without proper setup, then gradually move to quarantine and reject. This ensures you don't accidentally block important mail.
Q4Do I need all three (SPF, DKIM, DMARC)?
For maximum protection, yes. SPF verifies sending servers, DKIM verifies message integrity, DMARC enforces the policy. Using only one or two leaves gaps. Together, they create layered security that's extremely difficult to bypass.
Q5How long does DNS propagation take after adding records?
Typically 1-4 hours, but can take up to 48 hours for global propagation. Use our checker after a few hours to verify records are active. If still not showing after 48 hours, double-check syntax and DNS provider configuration.
Q6Can small businesses or individuals use SPF/DMARC/DKIM?
Absolutely! These aren't just for enterprises. If you have a custom domain email (you@yourdomain.com), you should set up authentication. Most email providers (Gmail, Outlook) make it straightforward, and our guides walk you through each step.
Q7What are DMARC reports and should I read them?
DMARC reports show authentication results for emails claiming to be from your domain. They reveal spoofing attempts, misconfigured services, and deliverability issues. Review reports monthly to spot problems early—you'll see who's trying to spoof your domain and whether legitimate mail is passing authentication.