Free DMARC Scan & Email Spoofing Check | LAN Services

Free email security check

Can Anyone Send Email Pretending To Be You?

DMARC is the email standard that decides whether a stranger can put your domain in their “From” line. If yours isn’t configured, attackers can spoof your firm to your clients, your partners, and the IRS. Run a free scan below and find out where you stand.

100% Free · No Email Required

Run Your Free DMARC Evaluation

Enter your domain below. In about 60 seconds you’ll get a plain-English report on your DMARC, SPF, and DKIM posture.

No signup required to scan · We don’t sell your data · Results are yours to keep

Most accounting and finance firms have a hidden problem with their email: anyone in the world can send mail that looks like it came from your domain. Not just look-alike domains — your actual domain. The receiving inbox sees “from: [email protected]” and treats it as legitimate. That’s why fake IRS notices, fake wire-instruction changes, and fake invoice updates work so well against accounting firm clients.

DMARC is the standard that fixes this. When it’s configured correctly, mail servers around the world refuse to deliver email that fakes your domain. When it isn’t, you’re a free spoofing target, and most firms don’t have it configured correctly.

Why This Matters For Accounting Firms Specifically

Email is the #1 attack vector against firms handling financial data. Domain spoofing is how the most expensive attacks start.

💰 Wire & Invoice Fraud
Attackers spoof your firm to send fake “the wiring instructions changed” emails to your clients. Six- and seven-figure transfers get redirected before anyone notices.

🏛️ Fake IRS & Client Notices
Tax-season campaigns spoof CPA and EA firm domains to trick clients into clicking “IRS portal” links — which then steal their credentials and tax data.

🤝 Damaged Client Trust
When a client gets phished by an email that looks like it came from you, your reputation pays the price — even if the technical compromise wasn’t on your end.

📉 Email Deliverability Drops
Without DMARC, your real mail is more likely to land in spam. Major receivers (Gmail, Yahoo, Microsoft) now require DMARC for high-volume senders.

90%+ of business email compromise attacks against accounting and finance firms involve domain spoofing or look-alike domains. DMARC is the cheapest, fastest defense.

How DMARC Actually Works

DMARC builds on two older standards (SPF and DKIM) and tells receiving servers what to do when an email fails authentication.

1. Email Sent: An email claiming to be from your domain arrives at the recipient’s mail server.
2. SPF + DKIM Checked: The server checks if the sender is authorized (SPF) and if the message hasn’t been tampered with (DKIM).
3. DMARC Applied: If checks fail, DMARC tells the server what to do: deliver anyway, send to spam, or reject outright.
4. You Get Reports: DMARC sends you daily aggregate reports so you can see who’s sending mail as your domain — including attackers.

The three DMARC policies

DMARC has three enforcement levels. Most firms are stuck on the weakest one — or have no DMARC at all.

p=none: Monitor only — no protection
The default. Tells receivers “let everything through, but send me reports.” Useful as a starting point. Useless as a defense. Most firms with DMARC are stuck here.

p=quarantine: Send to spam if it fails
Suspicious mail gets delivered but routed to the spam folder. Better than nothing, but still gets in front of users.

p=reject: Block it completely — full protection
Mail that fails authentication is rejected outright. This is the goal. Domain spoofing becomes mathematically impossible against major receivers.

What a DMARC record actually looks like

DMARC is a single TXT record in your domain’s DNS.
Here’s an example:

# DNS TXT record at: _dmarc.yourfirm.com
v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100

That single line, deployed correctly, blocks spoofing of your domain across the entire global email system.

What The Scan Will Tell You

In 60 seconds you’ll know exactly where your domain stands. The report covers:

- Whether DMARC is configured at all
- Your current DMARC policy (none, quarantine, or reject)
- SPF record presence and configuration errors
- DKIM signing status
- DMARC alignment for SPF and DKIM
- Reporting addresses (rua/ruf)
- Common DMARC misconfigurations
- Specific recommendations to harden your setup

Privacy note: The scan only checks public DNS records. It cannot see inside your mail, doesn’t log into anything, and doesn’t require credentials.

Common Issues We Find On Accounting Firms

These show up almost every time we run a DMARC audit on a firm that hasn’t had email security professionally configured.

🚫 No DMARC At All
The most common finding. Anyone can spoof your domain right now. The fix is one DNS record and is usually deployable the same day.

⚠️ Stuck On p=none
The firm set up DMARC but never moved past monitoring mode. Reports are coming in (or being ignored) but nothing is being blocked.

🔧 Broken SPF Records
SPF records are commonly malformed — too many DNS lookups, missing legitimate senders (M365, MailChimp, QuickBooks), or syntax errors that silently break authentication.

🔑 DKIM Not Signed Or Misaligned
Mail goes out unsigned, or signed with a key that doesn’t align with the From domain. DMARC enforcement requires alignment.

📭 Reports Going Nowhere
Reporting addresses are missing, broken, or pointed to mailboxes nobody monitors. Without reports you can’t safely move to enforcement.

📨 Third-Party Senders Forgotten
Firms forget that QuickBooks, your CRM, your ticketing tool, and your e-signature platform all send mail “from” your domain.
They each need to be authorized — or DMARC will block your real business mail.

What To Do With Your Scan Results

Whether you fix it yourself or have us fix it, the path is the same. Here’s the four-step plan.

1. Deploy DMARC at p=none: Start in monitor mode and route reports to a mailbox you actually watch.
2. Inventory Your Senders: Find every system that sends mail as your domain — M365, QuickBooks, marketing tools, etc. — and authorize each.
3. Move To p=quarantine: Once authentication is clean, ramp to quarantine for a few weeks while watching reports.
4. Enforce p=reject: The destination. Spoofing of your domain becomes blocked across the global email ecosystem.

Done correctly, this entire process takes most accounting firms about 30 days. Done incorrectly, it can break your real email — which is why most firms never finish it.

Frequently Asked

Will the scan affect my email or my domain?
No. The scan only reads publicly available DNS records. It doesn’t touch your mailboxes, your servers, or your accounts. You can run it as often as you like.

How long does it take to actually deploy DMARC?
The DNS record itself takes about five minutes. Doing it safely — without breaking your real mail — takes most firms 30 days because you have to monitor reports and authorize all your real senders before turning on enforcement. Rushing this step is how DMARC projects break legitimate email.

I’m using Microsoft 365. Don’t they handle this for me?
No. M365 handles your inbound filtering and provides DKIM signing for your outbound mail, but the actual DMARC policy on your domain is something you have to publish and manage yourself. M365 ships with DMARC off by default.

Is DMARC required for compliance?
It isn’t named explicitly in the FTC Safeguards Rule, but it directly implements several required controls (access control, integrity protection, anti-impersonation).
Cyber insurance carriers increasingly ask for DMARC enforcement on the application. Major receivers like Gmail and Yahoo now require it for bulk senders.

Does this also stop look-alike domains (like “yourfırm.com”)?
No — DMARC only protects your exact domain. Look-alike domains (typo-squats, IDN homograph attacks) are a separate problem solved by DNS monitoring and email filtering on the receiving side. We cover both as part of our email protection service.

What if I have multiple domains?
Each domain needs its own DMARC record. Inactive domains used only to receive (or that don’t send mail at all) should be configured with a strict “reject” policy and no senders — preventing them from being used to spoof you.

Get The Whole Picture, Not Just DMARC

The DMARC scan tells you about email spoofing. The Free IT Risk Analysis tells you everything — backups, endpoints, compliance, downtime, dark web exposure — and what it would take to fix it. No obligation.
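
Several findings listed under “What The Scan Will Tell You” and “Common Issues We Find On Accounting Firms” (no record, stuck on p=none, missing rua, too many SPF lookups) can be checked from the TXT record text alone. The Python below is an added example, not LAN Services’ scanner: the function names, the sample records and the example.com addresses are constructed for illustration, and it evaluates record strings you pass in rather than querying DNS.

```python
import re

# SPF terms that each cost one DNS lookup toward the RFC 7208 limit of 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=", re.I)
POLICY_NOTES = {
    "none": "p=none: monitoring only, nothing is blocked",
    "quarantine": "p=quarantine: failing mail still reaches the spam folder",
    "reject": None,  # full enforcement, nothing to report
}

def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def assess_dmarc(txt_records):
    """Return findings for the TXT strings published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", r)]
    if not dmarc:
        return ["no DMARC record: anyone can spoof the domain"]
    if len(dmarc) > 1:
        return ["multiple DMARC records: receivers apply none of them"]
    tags, findings = parse_tags(dmarc[0]), []
    policy = tags.get("p", "").lower()
    if policy not in POLICY_NOTES:
        findings.append("missing or invalid p= tag")
    elif POLICY_NOTES[policy]:
        findings.append(POLICY_NOTES[policy])
    if not tags.get("rua"):
        findings.append("no rua= address: aggregate reports go nowhere")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        findings.append("invalid pct= value")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    return findings

def spf_lookup_count(spf_record):
    """Count lookup-costing terms in one SPF record; nested includes are not followed."""
    return sum(1 for term in spf_record.split()[1:] if LOOKUP_TERM.match(term))

# Constructed sample records for illustration (example.com is a placeholder).
GOOD = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"]
WEAK = ["v=DMARC1; p=none"]
SPF = "v=spf1 include:a.example.com include:b.example.com mx a ip4:192.0.2.0/24 -all"
if __name__ == "__main__":
    for name, records in (("GOOD", GOOD), ("WEAK", WEAK), ("NONE", [])):
        print(name, assess_dmarc(records) or ["enforced, no findings"])
    print("SPF lookups:", spf_lookup_count(SPF), "of 10 allowed")
```

Because included SPF records carry their own lookups, the real total for a domain can be higher than the count for its top-level record.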