
Email Spoofability Score: a beginner's guide

Composite spoofability score across SPF/DMARC/DKIM

EdgeDNS Team · 9 min read

Spoofability scoring: why SPF × DMARC × DKIM is not an average

Spoofability scoring is the discipline of rolling SPF, DMARC, and DKIM results into a single number that actually reflects how easy it is for an attacker to send email as your domain. The naive version is to grade each protocol independently and average them — which hides the most important truth about email authentication: the protocols interact, and they interact non-linearly. A domain with passing SPF but DMARC set to `p=none` is not "SPF good, DMARC not-quite-good" — it's catastrophically spoofable, because mail servers do whatever they want with failing messages when the domain itself has told them not to care. A domain with strict DMARC at `p=reject` but a weak SPF `~all` is still safer than most deployments, because DMARC enforces alignment regardless of SPF's own posture. The interactions are where real-world spoofability lives.

You should care because spoofability is the outcome metric that actually matters for email-authentication work, and it's almost never what a single-protocol audit measures. A scanner that tells you SPF is a B+, DKIM is an A, and DMARC is a C can lull you into thinking the email posture is decent. In practice, that configuration might be 95% spoofable because the DMARC posture renders the other two irrelevant. Composite scoring with interaction multipliers — the kind Princeton researchers used to analyze real-world DMARC adoption — is the only way to get a number that predicts actual attack success.

The five interaction rules every spoofability score applies:

  • DMARC `p=none` dominates. If DMARC is in monitor mode, SPF and DKIM alignment failures don't cause the message to be rejected — so even a strict SPF `-all` provides only weak protection.

  • DMARC alignment trumps raw protocol passes. A message can pass SPF and still fail DMARC if the From-domain doesn't align with the SPF-authenticated domain. This catches header-from spoofing that raw SPF misses.

  • DKIM presence + DMARC alignment is the strongest signal. A signed message from an aligned domain is very hard to spoof because the attacker would need access to the private signing key.

  • `~all` in SPF is softer than `-all` but still meaningful under DMARC. Under DMARC enforcement, the difference between `~all` and `-all` matters less than the presence of DMARC `p=reject` itself.

  • Missing DKIM with permissive DMARC. When DMARC is `p=none`, the absence of DKIM is nearly as bad as SPF `+all` — nothing cryptographic is holding the perimeter.

Three questions a spoofability score answers:

  • If an attacker tried to send email as my domain right now, how likely would it actually reach the inbox?

  • Which single protocol change (DMARC to enforcement, DKIM alignment, tightening SPF `-all`) would most reduce my spoofability score?

  • Across my portfolio, which domains have the highest actual spoofability risk — not just the lowest individual protocol grades?

The cost of a flat-average email-security grade is confusing "looks mostly OK" with "actually locked down." The fix is a composite score with interaction multipliers, used to prioritize remediation work by outcome (reduce spoofability) rather than by raw protocol score. Google's bulk sender guidelines and Microsoft's similar enforcement rules are both ultimately spoofability-driven — passing each vendor's check requires the interaction patterns above, not just individual protocol pass marks.

The Email Spoofability Score endpoint, in plain language

In one sentence: Composite spoofability score across SPF/DMARC/DKIM

Computes a 0–100 email spoofability score by combining SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting and Conformance), and DKIM (DomainKeys Identified Mail) analysis with interaction multipliers that model real-world attacker risk. Unlike a weighted average, this endpoint applies compounding penalties when weak authentication policies interact — for example, DMARC p=none combined with SPF ~all more than doubles the spoofability risk of either alone.

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

What is actually happening when you call it

Here's what's actually happening behind the scenes when you call this endpoint:

Runs SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting and Conformance), and DKIM (DomainKeys Identified Mail) analysis in parallel, then computes per-protocol protection sub-scores (SPF 30%, DMARC 45%, DKIM 25% base weights). Applies conditional interaction multipliers: DMARC p=none with permissive SPF (~all/+all) adds +30% spoofability; missing DKIM with permissive DMARC adds +20%; SPF with >10 lookups (PermError) disables SPF contribution entirely. Returns a classification (locked_down / moderate / vulnerable / open) with the contributing factors broken out, so remediation work can target the highest-impact gap.

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Why this specific tool matters

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Email Spoofability Score tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

A flat average hides the non-linear way email authentication actually fails. Real-world bypass relies on specific interactions — e.g., Gmail's ARC-aware evaluation treats a missing DKIM (DomainKeys Identified Mail) differently from a failing one. This endpoint surfaces those interaction risks in a single number that's comparable across your portfolio while still letting you drill down for remediation.

Picture this in real life. Imagine an email security lead. Here's the situation they're walking into: Score all owned domains monthly and prioritize the lowest-scoring ones for hardening ahead of Google/Yahoo bulk-sender enforcement. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Email Spoofability Score tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Email Spoofability Score tool is built for you:

  • Will the emails I send actually reach the inbox, or are they going to spam?

  • Can someone else send phishing emails pretending to be my domain?

  • Have I set up the three rulebooks (SPF, DKIM, DMARC) that mailbox providers now require?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Small-business owners worried about deliverability, marketing managers onboarding a new email service, IT admins prepping for a security audit, and brand teams protecting against phishing. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and your real emails risk landing in the spam folder while scammers find it easier to impersonate your brand. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.

Info:

Available on the pro plan. The technical details: `GET /v1/security/spoofability`.

When would I actually use this?

If you're still on the fence about whether the Email Spoofability Score tool belongs in your toolbox, this section is for you. Below you'll meet three real people — an email security lead, an IT integration team, and a CISO — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: Portfolio-Wide Deliverability Risk

Imagine you're an email security lead. Score all owned domains monthly and prioritize the lowest-scoring ones for hardening ahead of Google/Yahoo bulk-sender enforcement.

Why it matters: Single number that's comparable across domains and trackable over time.

Story 2: M&A Email Risk Assessment

Imagine you're an IT integration team. Evaluate acquired brands' spoofability to plan authentication uplift during integration.

Why it matters: Factor email-auth debt into acquisition risk models with a quantified score.

Story 3: Executive Risk Reporting

Imagine you're a CISO. Report portfolio email-spoofability trend to the board without surfacing raw SPF/DMARC/DKIM details.

Why it matters: Single, stable, defensible metric for executive risk dashboards.

Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Email Spoofability Score tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

  • When setting up email on a brand-new domain.

  • After signing up for a new email-sending service (Mailchimp, SendGrid, HubSpot, etc.).

  • When a customer reports that your emails are landing in their spam folder.

  • Before a security audit, a SOC 2 review, or a major marketing campaign.

If you can see yourself in even one of those bullets, the Email Spoofability Score tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Email Spoofability Score tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

The easiest way: just ask your AI assistant

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the Email Spoofability Score tool to check example.com and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

Tip:

MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.

The technical way: call it from code

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/security/spoofability?domain=example.com"
```

What you need to provide

There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.

| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The domain to score | example.com |

What you get back

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The queried domain |
| spoofability | number | Spoofability score 0–100 (higher = more spoofable) |
| classification | string | locked_down \| moderate \| vulnerable \| open |
| sub_scores | object | Per-protocol protection scores (SPF, DMARC, DKIM) 0–100 |
| interactions | array | Active interaction multipliers with descriptions and impact |
| top_gap | object | Single highest-impact gap to address for the biggest score improvement |
| findings | array | Per-protocol findings with severity |
| recommendations | array | Prioritized remediation steps |
| dns_errors | array | Non-empty when any of the SPF / DMARC / DKIM analyses hit a DNS infrastructure error (e.g., SERVFAIL, timeout). The score may be incomplete. |
| score_degraded | boolean | True when the score is based on partial data — retry before acting on it. |

Words you might be wondering about

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

SPF (Sender Policy Framework) — A list, published in your DNS, of which servers are allowed to send email pretending to be you. Helps stop spammers from forging your address.

DKIM (DomainKeys Identified Mail) — A digital signature added to every email you send. The receiving mail server checks the signature to make sure the message really came from you and was not changed in transit.

DMARC (Domain-based Message Authentication, Reporting and Conformance) — An email rulebook you publish in your DNS. It tells receiving servers what to do with email that fails SPF or DKIM checks — ignore it, send it to spam, or block it entirely.
