100% Free — Unlimited Scans

Email Security Analyzer

Audit email authentication, DNS security, SSL, domain health, and attack surface exposure in one comprehensive scan. 30+ checks. Zero cost.

Domain & IP Security Scanner
Enter one or more domains or IP addresses for a complete email & domain security posture audit
Up to 10 domains, one per line.
Demo:
Scanning security posture...0%
Comprehensive Coverage

30+ Security Checks Across 5 Categories

We go far beyond basic SPF/DKIM/DMARC. Every scan evaluates your full email security posture — authentication to attack surface.

Email Authentication

SPF validation, DKIM key probing across 20+ selectors, DMARC policy enforcement and alignment analysis.

Email AuthenticationThe foundation of email security. SPF defines authorized senders, DKIM provides cryptographic signing, and DMARC ties them together with policy enforcement. Without all three, your domain is vulnerable to spoofing.

Mail Infrastructure

MX records, MTA-STS transport encryption, TLS-RPT failure reporting, and BIMI brand indicators.

Mail InfrastructureMX records route incoming email. MTA-STS enforces TLS encryption. TLS-RPT sends failure notifications. BIMI displays your brand logo in inboxes.

DNS Security

DNSSEC validation, CAA certificate restrictions, nameserver redundancy.

DNS SecurityDNSSEC prevents DNS cache poisoning. CAA restricts which CAs can issue SSL certs. Multiple nameservers ensure availability.

Domain Intelligence

Domain registration data via RDAP, expiry monitoring, registrar identification, domain age maturity.

Domain IntelligenceRDAP reveals registration date, expiry, and registrar. Older domains score higher in reputation. Expiring domains risk outage.

Web & Attack Surface

HTTPS/SSL connectivity, admin panel detection (wp-admin, cpanel, phpmyadmin).

Attack SurfaceExposed admin pages are the #1 brute-force target. Missing HTTPS means traffic interception.

Spoofing Risk Score

Cross-references authentication to calculate how easy it is for attackers to impersonate your domain.

Spoofing RiskCombines SPF, DKIM, and DMARC to estimate spoofing difficulty. Missing DMARC = wide open. Full reject = hardened.
30+
Security Checks
5
Categories
<5s
Scan Time
100%
Free Forever
The Risk is Real

Most domains fail basic security checks.

Attackers don't need sophisticated tools. They just need your domain to be missing a few DNS records.

Domain Spoofing

Without DMARC enforcement, anyone can send email pretending to be your domain. Your customers receive phishing emails that look identical to yours. One successful spoof can destroy years of brand trust overnight.

3.4 billion spoofed emails sent daily

Invisible Vulnerabilities

Expired SSL certs, exposed admin panels, missing DNSSEC — these issues sit silently until they're exploited. Most businesses have no idea their wp-admin or cPanel login is publicly accessible and getting brute-forced daily.

43% of cyberattacks target small businesses

Deliverability Collapse

Misaligned SPF, broken DKIM selectors, or a permissive DMARC policy means your legitimate emails land in spam. Your sales sequences, invoices, and password resets silently disappear into junk folders.

21% of legitimate email never reaches the inbox
How It Works

Full security audit in four steps.

1

Enter Any Domain

Type a domain name — yours, a competitor's, a client's. Single scan or paste up to 10 domains for bulk analysis.

2

30+ Checks Run

We query SPF, DKIM (20+ selectors), DMARC, MTA-STS, BIMI, SSL, DNSSEC, CAA, RDAP, admin panels, and more — all in parallel.

3

Get Your Grade

Weighted A+ through F scoring with a spoofing risk gauge, domain intelligence metrics, and category-by-category breakdown.

4

Fix What's Broken

Prioritized recommendations with copy-paste DNS records. Every fix includes the exact record value to add — no guesswork required.

Built For

Who uses the Email Security Analyzer?

IT Managers

Run a quick audit before your next security review. Catch misconfigurations before auditors do. Export a PDF report that documents your email security posture in detail.

Email Marketers

Verify your sending domain has proper SPF, DKIM, and DMARC before launching campaigns. One missing record can tank your entire send to spam.

MSPs & Agencies

Scan client domains in bulk and identify security gaps across your entire portfolio. Use the export to build audit reports that justify your managed services retainer.

Security Consultants

Use it as a first-pass reconnaissance tool during penetration testing or security assessments. The attack surface scan identifies exposed admin panels that most tools miss.

FAQ

Common questions.

We run 30+ checks across five categories: Email Authentication (SPF, DKIM across 20+ selectors, DMARC), Mail Infrastructure (MX records, MTA-STS, TLS-RPT, BIMI), DNS Security (DNSSEC, CAA, nameservers), Domain Intelligence (registration data via RDAP, expiry, registrar, domain age), and Attack Surface (HTTPS/SSL validation, admin panel detection for wp-admin, cPanel, phpMyAdmin, and more).
Completely free with no limits. No account required, no credit card, no trial period. We built this as a public resource because better email security benefits everyone. TheBRHub offers premium products like DeliverCORE for organizations that need continuous monitoring, but the Email Security Analyzer is free, forever.
Each check is weighted by its security impact. Email authentication (SPF, DKIM, DMARC) carries the highest weight since it directly prevents spoofing. DNS security, SSL, and attack surface exposure are factored in proportionally. The final score maps to an A+ through F letter grade. A spoofing risk score is calculated separately by cross-referencing your authentication policies.
The spoofing risk score estimates how vulnerable your domain is to email impersonation. It analyzes the combination of your SPF policy (restrictive vs permissive), whether DKIM keys exist, and your DMARC policy (none, quarantine, or reject). A domain with no DMARC and a permissive SPF is wide open — anyone can send as you. Full DMARC reject with aligned SPF and DKIM means your domain is hardened against spoofing.
Yes. All data queried is publicly available DNS records and standard web requests. This is the same information anyone can obtain with dig, nslookup, or curl. Use it to audit competitors, evaluate vendors, or assess potential acquisition targets. There's nothing intrusive about the scan — it checks public records only.
Each recommendation includes a priority level (Critical, High, Medium, Low) and the exact DNS record to add or modify. Critical items like missing DMARC or duplicate SPF records should be addressed immediately. Most fixes involve adding a single TXT record to your domain's DNS — which takes about 30 seconds if you know where to go. The tool provides copy-paste record values so there's no guesswork.

Know Your Domain's Security
In Under 5 Seconds

No signup. No limits. No catch. Type any domain and get a full security audit — totally free, forever.

Scan a Domain NowTalk to an Expert