Free Email Security Test

Name: Barrion
Availability: InStock
Author: Barrion

Free tool

Validates SPF, DKIM, and DMARC DNS records to stop attackers from spoofing your domain. Runs in seconds against any domain, no signup, with step-by-step fixes.

SPF record check
DKIM validation
DMARC policy check

No credit card requiredProduction-safe (100% passive)No setup or code required

Trusted by 3,500+ security & engineering teams

What you get for free

18 core security checks via this tool, passive scans, step-by-step remediation, security score on every result.

What Essential adds at $39/mo

+17 advanced checks, continuous monitoring, daily security score history, email alerts, GitHub SAST, board-ready PDFs, SOC 2 / ISO 27001 / PCI reports.

See pricing

How to fix common issues

Keep SPF under 10 DNS lookups (flatten or consolidate providers)
Rotate DKIM keys and use at least 2048‑bit where supported
Move DMARC from p=none to quarantine/reject once aligned and monitored

Examples (good vs bad)

Good SPF: v=spf1 include:spf.provider.com -all

Bad SPF: v=spf1 a mx ip4:0.0.0.0/0 ~all

What this test checks

SPF: record presence, syntax, includes, and DNS lookup count
DKIM: selector discovery, key length hints, alignment notes
DMARC: policy (none/quarantine/reject), alignment, rua/ruf reporting

Across 908 recent SPF/DKIM/DMARC checks, 33.0% are missing at least one of the three. Email auth is the lowest-effort high-impact email security control most teams skip.

What is email domain security?

Email authentication relies on DNS records that tell receiving servers which hosts can send on your behalf (SPF), how to verify message integrity (DKIM), and what to do with failures (DMARC). A solid setup dramatically reduces spoofing and improves deliverability.

Implementation examples

Once you've identified the gap, applying the fix is straightforward. Here are the three configurations developers reach for most often.

BIND zone file

example.com.            IN  TXT  "v=spf1 include:_spf.google.com -all"
selector1._domainkey    IN  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCg..."
_dmarc                  IN  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

Cloudflare (API)

# SPF
{ "type": "TXT", "name": "example.com",
  "content": "v=spf1 include:_spf.google.com -all", "ttl": 3600 }

# DKIM
{ "type": "TXT", "name": "selector1._domainkey.example.com",
  "content": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQE...", "ttl": 3600 }

# DMARC
{ "type": "TXT", "name": "_dmarc.example.com",
  "content": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
  "ttl": 3600 }

AWS Route 53 (change-resource-record-sets)

{
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "example.com.",
        "Type": "TXT",
        "TTL": 3600,
        "ResourceRecords": [
          { "Value": "\"v=spf1 include:amazonses.com -all\"" }
        ]
      }
    },
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "_dmarc.example.com.",
        "Type": "TXT",
        "TTL": 3600,
        "ResourceRecords": [
          { "Value": "\"v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s\"" }
        ]
      }
    }
  ]
}

Tool-specific questions

What does this email security test check?

This check verifies your domain's email configuration: SPF (which hosts can send for you), DKIM (message integrity), and DMARC (policy and reporting). A solid setup reduces spoofing and improves deliverability. Use this free tool to validate your DNS records and get actionable recommendations.

Should DMARC be p=none?

Use p=none to monitor initially, then move to quarantine/reject to block spoofing.

How many DKIM selectors?

At least two for rotation. Rotate keys on a defined cadence.

What breaks SPF?

Too many includes/lookups, broad IP ranges, and missing -all at the end.

Why Barrion

Built for the engineers who already have enough to fix.

Speed

Real-time results

Instant analysis with a detailed report. You see findings as the scan runs, not after.

Coverage

Comprehensive checks

35+ checks per scan covering TLS, headers, CORS, cookies, DNS, email auth, and more, in a single pass.

Action

Step-by-step fixes

Every finding ships with the exact remediation step for your framework. Hand it to the engineer who owns the surface.

Other tools

More free checks, for the rest of your surface.

Related guides

Go deeper on the same topic.

Learn

Email Security

Per-check explainer covering what it is, why it matters, and how Barrion verifies it.

Fix guide

Email Authentication Spf Dkim Dmarc

Step-by-step remediation with config examples for Nginx, Apache, and Node.

Guide

Spf Dkim Dmarc Guide

Long-form implementation guide from the Barrion engineering blog.

FAQ

Frequently asked.

What is Barrion and how does it enhance website security?

Barrion is a security testing and monitoring platform for engineering teams, covering three products: passive DAST that continuously watches your live web apps and APIs, SAST via GitHub that scans your codebase for secrets, insecure patterns and vulnerable dependencies, and AI pentesting that runs active, agent-driven attacks with proof-of-exploit. Findings come with step-by-step fixes you can ship immediately.

How safe is Barrion to use for security testing?

Every default Barrion scan is 100% passive and read-only. We never submit forms, brute-force endpoints or interact with state-changing routes, so it's safe to run against production.

What types of security issues does Barrion identify?

Barrion is a security testing and monitoring platform, so coverage spans three surfaces. Passive DAST flags misconfigurations across TLS/HTTPS, security headers, cookie flags, CORS policy, DNS records, email authentication (SPF/DKIM/DMARC), network exposure and common web hygiene issues. SAST via GitHub finds secrets in code, insecure patterns and vulnerable dependencies. AI pentesting adds exploitable findings like SQL injection, XSS and broken access control with proof-of-exploit.

What specific security checks does Barrion perform?

Barrion checks TLS/HTTPS configuration, HTTP security headers, cookie flags, CORS policy, DNS and email authentication records, network exposure and common web hygiene issues, then prioritises them by severity with clear remediation.

What is Barrion's smart crawling?

Smart crawling automatically discovers the pages and endpoints of your app so scans cover the surface that matters, without you manually listing every URL.

How often does Barrion perform security scans?

Manual scans on demand. Continuous monitoring runs automatically on Essential (weekly+) and Business (daily), and alerts you the moment a new issue appears.

Is Barrion suitable for security testing of all business sizes?

Yes. Barrion is a security testing and monitoring platform, with passive DAST, SAST via GitHub and AI pentesting available to solo developers, startups, scale-ups and enterprise security teams alike, without adding headcount.

How does Barrion handle data security and privacy during security testing?

Scans are passive and read-only by default, and we never store or expose sensitive data from your application. Pentests are rate-limited and non-destructive, designed to confirm exploitability without altering data or affecting availability.

What if I'm not satisfied with Barrion's security testing service?

Paid plans start with a free trial, and you can cancel anytime. If something isn't right, contact us and we'll make it work for your team.

How does Barrion help with SOC 2, ISO 27001, NIS2, and other compliance frameworks?

Barrion produces audit-ready PDF and CSV reports suitable for SOC 2, ISO 27001, PCI DSS and NIS2, ready to share with auditors, customers and your board.

Anything else? Email contact@barrion.io.

Run a full report on your site.

Free first scan covers every check, no signup needed. Sign up to save the report and turn on continuous monitoring.

Get free report See pricing