Free Microsoft 365 Security Tools for IT Administrators and MSPs

Six free tools that surface what Microsoft publicly exposes about any M365 tenant — confirmed entirely from public DNS signals and certificate logs. No Microsoft credentials required. Built for MSPs performing client security assessments and IT admins who want to know what attackers can see before they do.

Free Email and Microsoft 365 Security Tools

12 free tools for IT administrators and MSPs. Check email authentication, test domain spoofing risk, analyse phishing emails, check blacklists, and surface Microsoft 365 tenant exposure — all from public DNS data, no credentials needed.

No login required
Instant results
Nothing stored
PDF reports

Six free tools to audit email authentication for any domain, investigate phishing emails, diagnose SPF failures, understand DMARC policies, check domain blacklisting, and identify email providers. All checks run in your browser via the Cloudflare public DNS resolver. No data is stored or transmitted to Sabiki.

SPF, DKIM and DMARC Checker: Full domain auth check with security score
Email Header Analyser: Detect phishing from raw headers
SPF Record Lookup and Validator: Validate DNS lookup chains
DMARC Record Checker: Plain-English DMARC policy explainer
MX Record Lookup: Identify email providers by MX
Email Blacklist Checker: Check 12 major blacklists

SPF, DKIM and DMARC Checker — Free Email Authentication Test

Check SPF, DKIM and DMARC records for any domain. Tests 25+ common DKIM selectors automatically and generates an overall email security score. The fastest way to verify your domain is protected against email spoofing.

Want full email security for your M365 tenants?

Try Sabiki free

Email Header Analyser — Phishing and Spoofing Detector

Paste raw email headers to visualise the delivery path, check SPF, DKIM and DMARC authentication results, and detect phishing indicators including mismatched Reply-To addresses, failed authentication, and suspicious originating IPs.

Investigating phishing across multiple M365 tenants?

See Sabiki Email Security

SPF Record Lookup and Validator — DNS Lookup Limit Checker

Fetch, flatten and validate any SPF record. Recursively resolves all include: chains, counts DNS lookups against the 10-lookup limit that causes delivery failures, and lists all permitted sending IP ranges.

Secure your clients' M365 identities automatically.

See Tenant Shield

DMARC Record Checker — Free DMARC Policy Lookup and Explainer

Look up a DMARC record and get a plain-English explanation of every tag — policy, alignment, reporting, and coverage. Includes a DMARC strength score and specific recommendations for hardening your policy.

Want to see the full security posture of any M365 tenant?

Try Sabiki free

MX Record Lookup — Email Provider Identifier

Look up MX records for any domain and automatically identify the email provider — Microsoft 365, Google Workspace, Mimecast, Proofpoint, and more. Useful for MSP prospecting and migration planning.

Running M365? Add AI-powered email security in minutes.

See Sabiki Email Security

Email Blacklist Checker — Check if Your Domain or IP is Blacklisted

Check if your domain's sending IP appears on 12 major email blacklists including Spamhaus ZEN, Barracuda, SpamCop and others. Being listed causes emails to be rejected or routed to spam by receiving servers worldwide.

Protect your M365 tenants from email threats at source.

See Sabiki Email Security

Six free tools that surface what Microsoft publicly exposes about any M365 tenant — detected entirely from public DNS signals and certificate logs. No Microsoft credentials required. Designed for MSPs performing client security assessments and IT admins checking their own exposure before an attacker does.

M365 Tenant Security Check: 9 DNS signals, confidence rating
Microsoft 365 Email Security Posture: M365-specific SPF, DKIM, DMARC
SharePoint Anonymous Link Tester: Test if sharing links are truly public
Subdomain Discovery Tool: Certificate transparency log scan
Email Spoofing Risk Checker: Impersonation risk score 1-5
Legacy Authentication Detector: OWA, IMAP, hybrid Exchange

Free Microsoft 365 Tenant Security Check — M365 Exposure Audit

Checks 9 DNS signals to confirm M365 tenancy and surface which Microsoft services are publicly detectable — Exchange Online, Teams, Intune, Entra ID device join and more. Shows exactly what an attacker can discover about this tenant before launching an attack.
Why we check this: Every DNS record that confirms M365 usage is public intelligence. Attackers query these during reconnaissance to map services, confirm cloud infrastructure, and identify attack surfaces before targeting an organisation. This tool shows you what they find.

See what is exposed inside the tenant — OAuth apps, sharing links, forwarding rules

Try Exposure Monitor free

Microsoft 365 Email Security Posture — M365 Domain Security Assessment

Combines SPF, DKIM, DMARC and MX analysis with M365-specific intelligence to assess whether EOP is active, whether Defender is likely deployed, whether SPF is approaching the lookup limit, and whether third-party senders are correctly configured.
Why we check this: Email is the primary attack vector for phishing and business email compromise. A domain with weak authentication is trivial to impersonate. This tool surfaces the specific gaps in your M365 email configuration that attackers look for.

Protect M365 tenants with API-native email security — no MX changes required

See Sabiki Email Security

SharePoint and OneDrive Anonymous Link Tester — Check if Sharing Links are Public

Paste a SharePoint or OneDrive sharing link to test whether it is genuinely accessible to anyone on the internet without authentication. Shows HTTP access status, identifies the file type, and gives specific remediation steps.
Why we check this: Anonymous sharing links have no expiry by default and no audit trail. Files shared by employees who have left the company remain accessible indefinitely. A link shared in a Slack message, email forward, or browser history can expose sensitive documents to anyone who finds it.
This tool tests a single link. Sabiki Exposure Monitor scans your entire tenant and surfaces every anonymous share — including forgotten ones on sensitive files.

Find every anonymous share across your entire M365 tenant

Try Exposure Monitor free

Free Subdomain Discovery Tool — Certificate Transparency Log Scanner

Queries public Certificate Transparency logs to surface every subdomain that has ever had an SSL certificate issued — revealing forgotten admin portals, legacy systems, shadow IT, and unmanaged infrastructure that attackers find during reconnaissance.
Why we check this: Certificate Transparency logs are permanently public and searchable by anyone, including attackers. Every subdomain ever issued an SSL certificate is logged. Attackers query crt.sh during pre-attack reconnaissance to discover high-value targets (old HR portals, legacy CRMs, test environments) that IT teams have forgotten about but that are still live and unpatched.

Want to see what is exposed inside the tenant — not just at the surface?

Try Exposure Monitor free

Email Spoofing Risk Checker — Domain Impersonation Risk Assessment

Answers the question every IT admin and CISO should ask: how easy is it right now for an attacker to send a convincing email appearing to come from this domain? Scored 1-5 with a plain-English verdict and the exact attacker steps for the current configuration.
Why we check this: Business Email Compromise attacks cost organisations billions annually. Most succeed not because of sophisticated malware but because the target domain has weak or missing email authentication — making it trivial to spoof a CEO, finance director, or trusted supplier. This tool tells you exactly how hard or easy that is for any domain right now.

Protect M365 tenants from phishing and BEC with API-native email security

See Sabiki Email Security

Microsoft 365 Legacy Authentication Detector — Hybrid Exchange Security Check

Detects DNS patterns indicating incomplete M365 migration, active on-premises Exchange servers, OWA endpoints, IMAP and POP3 services, and SMTP relays — all of which may accept Basic Authentication that bypasses MFA entirely.
Why we check this: Legacy authentication protocols bypass Multi-Factor Authentication entirely. An attacker with a stolen password can sign in via IMAP, POP3, or OWA even if MFA is enforced. Microsoft has been disabling legacy auth globally but many hybrid tenants still have it active — often unknowingly. This tool surfaces those indicators from public DNS.

Get the full M365 security posture of any tenant — identity, exposure, and email

Try Sabiki free