Email remains one of the most critical communication channels for professional services firms, yet many London-based SMBs have no idea whether their email domain security is actually working. Cyber attackers exploit weak email configurations daily, targeting solicitors, accountants, and financial advisers who handle sensitive client data. The good news? You can check your email domain security for free using standard industry tools in less than a minute. This brief guide shows you exactly how.
Your email domain is the foundation of your organisation's digital identity. When configured incorrectly, it becomes a vulnerability that attackers actively target. Spoofing—where criminals send emails that appear to come from your domain—is particularly common in professional services. A fake email from "your solicitor" or "your accountant" can convince clients to transfer funds or share confidential information.
The consequences extend beyond direct fraud. Poor email domain security damages client trust, invites regulatory scrutiny, and can trigger breach notifications under UK data protection laws. If your firm handles personal data, the Information Commissioner's Office (ICO) expects you to have reasonable technical and organisational measures in place. This includes email authentication.
The encouraging truth is that implementing and verifying basic email security requires minimal investment. Three simple protocols—SPF, DKIM, and DMARC—form the industry standard defence. Checking whether these are correctly configured takes seconds.
SPF tells receiving mail servers which IP addresses are authorised to send email on behalf of your domain. Without it, anyone can claim to send from your address. An SPF record is a simple text entry in your domain's DNS settings that lists your legitimate email servers.
What a working SPF record looks like: v=spf1 include:_spf.google.com ~all (if you use Google Workspace) or your email provider's equivalent.
DKIM adds cryptographic signatures to your outgoing emails. It works like a digital seal—receiving servers can verify that messages actually came from your domain and haven't been tampered with in transit. Unlike SPF, DKIM is harder to spoof because it uses public-key cryptography.
DMARC is the enforcement layer. It tells receiving mail servers what to do if an email fails SPF or DKIM checks—accept it, quarantine it, or reject it. DMARC also generates reports showing you exactly which emails are passing and failing authentication, giving you visibility into potential spoofing attempts.
The fastest way to check your email domain security for free is through a dedicated DMARC testing tool. Services like MXToolbox, DMARC.org, and Google's own admin tools provide instant feedback on all three protocols.
Step-by-step process:
The entire process takes 30 seconds. The tool will immediately show you:
If you use Google Workspace, Microsoft 365, or another managed email service, your provider offers built-in security checking tools.
Google Workspace: Navigate to Security > Authenticate Email > Manage Authentication. You'll see the status of SPF, DKIM, and DMARC for your domain in real time.
Microsoft 365: Go to Exchange Admin Center > Mail flow > DMARC Records. The interface shows compliance rates and authentication failures over time.
These tools often provide more context than generic checkers because they understand your specific configuration.
If you prefer direct verification, use command-line tools like nslookup or dig to query your DNS records directly:
nslookup -type=TXT yourfirm.co.uk to view all TXT records (which include SPF)
nslookup -type=CNAME default._domainkey.yourfirm.co.uk to check DKIM
nslookup -type=TXT _dmarc.yourfirm.co.uk to view your DMARC policy
This method requires technical familiarity but gives you direct access to the source.
Once you've checked your email domain security, you'll see one of three scenarios:
Everything is green: Your domain is correctly configured. Maintain these records, monitor DMARC reports for anomalies, and review quarterly.
Some records are missing: This is common, especially with SPF or DMARC. Contact your IT team or email provider and request they add the missing records. Implementation typically takes minutes to hours.
Records exist but show warnings: This suggests misconfiguration. Common issues include overly permissive SPF policies (using ~all instead of -all) or DMARC policies set to "monitor" instead of "enforce." These need technical correction but are straightforward to fix.
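To make the three outcomes concrete, here is an added example (not part of the original guide or any vendor tool) that grades the TXT strings returned by the nslookup queries above as ok, missing, or warning. The function names and the sample records are constructed for illustration; "monitor" is taken to mean p=none and "enforce" to mean p=quarantine or p=reject.

```python
# Added example: sample records below are constructed, not real DNS data.

def grade_spf(txt_records):
    """Grade the TXT records returned for the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ("missing", "no v=spf1 record published")
    if len(spf) > 1:
        return ("warning", "more than one SPF record; receivers treat this as an error")
    terms = spf[0].lower().split()[1:]
    if "-all" in terms:
        return ("ok", "hard fail (-all) for unlisted senders")
    if "~all" in terms:
        return ("warning", "soft fail (~all); unlisted senders are only marked")
    if "+all" in terms or "all" in terms:
        return ("warning", "+all authorises every sender")
    if any(t.startswith("redirect=") for t in terms):
        return ("warning", "redirect= delegates the policy; grade the target record")
    return ("warning", "no restrictive 'all' term; unlisted senders get a neutral result")


def grade_dmarc(txt_records):
    """Grade the TXT records returned for _dmarc.<domain>."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return ("missing", "no v=DMARC1 record published")
    tags = {}
    for part in recs[0].split(";"):  # DMARC records are ';'-separated tag=value pairs
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy == "none":
        return ("warning", "p=none only monitors; no action is requested on failing mail")
    if policy not in ("quarantine", "reject"):
        return ("warning", "p= tag missing or invalid")
    if tags.get("pct", "100") != "100":
        return ("warning", f"p={policy} applies to only {tags['pct']}% of failing mail")
    return ("ok", f"p={policy} is enforced")


if __name__ == "__main__":
    # Constructed sample: what the two TXT lookups might return for a firm.
    root = ["google-site-verification=constructed", "v=spf1 include:_spf.google.com ~all"]
    dmarc = ["v=DMARC1; p=none; rua=mailto:dmarc@yourfirm.co.uk"]
    print("SPF  ", grade_spf(root))
    print("DMARC", grade_dmarc(dmarc))
```
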
For London-based professional services firms managing sensitive client information, implementing robust email authentication isn't optional—it's a fundamental control. Beyond the technical checks, consider a broader email security review. Tools like DMARC reporting reveal whether unauthorised actors are attempting to spoof your domain; if you're seeing failed authentication attempts, that's a warning sign worth investigating further.
If your initial check reveals gaps, don't delay remediation. Email spoofing targeting professional services is increasing, and regulators expect firms to have these defences in place. Whether you manage this internally or partner with a specialist, the investment is minimal compared to the risk of a compromised email domain leading to client fraud or data breach.