Score: 45/100 — checked in 303ms
⚠ This domain is spoofable. We can prove it.
DMARC missing — receivers have no policy and will accept spoofed mail by default.
Mail provider: Zoho Mail
Zoho accepts SMTP from clean VPS IPs but applies mailbox-level anti-spoofing: it rejects inbound mail whose From: matches one of its customer addresses unless the message is authenticated.
Which servers are allowed to send mail as this domain
v=spf1 include:zoho.eu ~all
'~all' (softfail) is permissive — receivers may still accept unauthorized senders
→ Once the SPF record is verified to cover your legitimate senders, tighten to '-all'
1 signing key found at common selectors
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaAg8gSfzm6uUH5BeGcVaXkjMOWYHi9cM5hT0U24K2XZbnImOaW/NDJ+P37swVXMiYe/PF27F2vFVAbcmYfBPxBv9fPgEDi7pnOPrq2Np5We0efhRpn6iRcexH1+LB7I4UlWXB/YoyAgkc1O5NoOe0iHecghEhf0iK6slER81jEQIDAQAB
Selector zmail uses 1024-bit RSA — modern guidance is 2048-bit
→ Rotate to a 2048-bit RSA key (or Ed25519) at the next maintenance window
What receivers should do when SPF/DKIM checks fail
No DMARC record published — receivers have no policy guidance, domain is wide open to spoofing
→ Publish 'v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.tld' to begin observation