Domain spoofing, sending email that appears to come from your business domain without authorisation, is a real and common threat. Hamilton365 provides this step-by-step guide using free tools to check your current exposure.
Go to MXToolbox and run a DMARC lookup for your domain. No record found = no protection. p=none = monitoring only, no enforcement. p=quarantine or p=reject = enforcement in place.
Run an SPF lookup on MXToolbox. Confirm the record includes all legitimate sending sources: Microsoft 365, marketing platforms, invoicing software. It should end in -all (hard fail), not ~all (soft fail).
In the Microsoft Defender portal, go to Email Authentication Settings → DKIM. If DKIM shows as disabled, your emails are not cryptographically signed.
Use a free DMARC reporting tool to parse aggregate report XML. Look for sending sources you don't recognise, a signal your domain may be actively spoofed.
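The aggregate-report check can also be scripted. The Python below is an added example, not Hamilton365's own tooling: it totals DMARC pass and fail counts per source IP and lists failing senders that are not on your allow-list. The sample report and the `KNOWN_SOURCES` allow-list are constructed values using example.com and documentation IP ranges.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report (example.com, documentation IP ranges).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.23</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>9</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>6</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""
# Assumed allow-list: IPs you know send mail for the domain.
KNOWN_SOURCES = {"192.0.2.10", "198.51.100.23"}


def summarise(report_xml, known_sources):
    """Per-source-IP DMARC pass/fail message counts, unknown failing sources first."""
    # Reports come from third parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("refusing report with DTD/entity declarations")
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip", "").strip()
        count = int(row.findtext("count", "0"))
        results = (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf"))
        # DMARC passes when aligned DKIM or aligned SPF passes.
        totals[ip]["pass" if "pass" in results else "fail"] += count
    rows = [{"ip": ip, **t, "known": ip in known_sources} for ip, t in totals.items()]
    # Unknown sources sort first, then by failure volume (highest first).
    return sorted(rows, key=lambda r: (r["known"], -r["fail"]))


def suspicious(report_xml, known_sources):
    """Sources not on the allow-list that sent mail failing DMARC."""
    return [r for r in summarise(report_xml, known_sources) if not r["known"] and r["fail"]]


if __name__ == "__main__":
    for r in summarise(SAMPLE_REPORT, KNOWN_SOURCES):
        flag = "REVIEW" if not r["known"] and r["fail"] else "ok"
        print(f'{r["ip"]:<16} pass={r["pass"]:<5} fail={r["fail"]:<5} {flag}')
```

A known source that shows failures is usually a legitimate sender missing from SPF or not DKIM-signing, and should be fixed before moving to p=quarantine or p=reject.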
Hamilton365 provides email security audits and remediation for Brisbane businesses, including SPF, DKIM, and DMARC review, configuration, and enforcement.