Outside-In Vendor Email Security Diagnostic

Can Your Vendors Be Spoofed?

We assess your vendors' email security posture from the outside using public email-domain records, lightweight public-web validation, registration context, and related internet-facing signals.

No credentials. No access. No vendor cooperation required.

Provider-agnostic · Delivered in minutes · Free 1-domain scan
MOORLI VendorRiskDiagnostic
42 Rules · 6 Categories · Provider-Agnostic
Findings roll up into 4 scored report pillars: Spoofing, Identity, Transport Maturity, and Infrastructure.
DMARC · Spoofing Exposure · 10 rules
SPF · Sender Integrity · 9 rules
DKIM · Message Integrity · 7 rules
TLS · Transport Maturity · 4 rules
MAIL · Mail Infra Hygiene · 8 rules
REP · Reputation & Risk Signals · 4 rules

Questionnaires Can Miss What Public Signals Expose.

Their security questionnaire says "Yes, we have DMARC." Our outside-in scan shows the policy is set to p=none, which means receivers are not asked to quarantine or reject messages that fail DMARC.

📋 Vendor Security Questionnaire
Do you have a DMARC policy? ✓ Yes
Do you use SPF authentication? ✓ Yes
Do you sign emails with DKIM? ✓ Yes
Do you publish MTA-STS / TLS-RPT controls? ✓ Yes
Do current reputation signals show elevated risk? ✓ No
✅ Vendor passes all checks. Approved.
FALSE SENSE OF SECURITY
🔬 MOORLI VendorRiskDiagnostic
VRD-DMARC-004 DMARC policy is p=none (Not Enforced)
! VRD-SPF-012 SPF terminal policy is weaker than -all (~all soft fail)
! VRD-DKIM-027 Weak DKIM key signal inferred from discovered selectors (best-effort external signal)
! VRD-ADV-020 MTA-STS not published (transport maturity gap)
VRD-REP-039 No adverse external corroboration signal returned (No active signal)
63 · HIGH RISK
1 failure · 3 warnings · 1 pass — 5 of 42 rules shown
The questionnaire says covered. The scan shows outside-in gaps.
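
Added example, not MOORLI's engine or code from this page: a minimal way to check the two published-record conditions contrasted above (DMARC p=none and an SPF terminal policy weaker than -all) from the TXT strings alone. The function names, status labels and sample records are assumptions made for illustration; fetching the TXT records from DNS is left out so the example runs offline.

```python
# Added example: classify DMARC and SPF TXT records the way an outside-in check would.
# Status labels ("enforced", "weak", "absent", "delegated") are this example's own.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a lowercase dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip().lower() for key, value in pairs}

def assess_dmarc(txt_records):
    """Assess the TXT strings published at _dmarc.<domain>."""
    found = [parse_tags(r) for r in txt_records]
    found = [t for t in found if t.get("v") == "dmarc1"]
    if len(found) != 1:
        # RFC 7489: with zero or several DMARC records, no policy is applied.
        return ("absent", "%d DMARC records found, expected exactly 1" % len(found))
    policy = found[0].get("p", "missing")
    if policy not in ("quarantine", "reject"):
        return ("weak", "p=%s: receivers are not asked to quarantine or reject" % policy)
    pct = found[0].get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return ("weak", "p=%s requested for only %s%% of failing mail" % (policy, pct))
    return ("enforced", "p=%s" % policy)

def assess_spf(txt_records):
    """Assess the TXT strings published at <domain> for the SPF terminal policy."""
    found = [r.lower().split() for r in txt_records]
    found = [terms for terms in found if terms[:1] == ["v=spf1"]]
    if len(found) != 1:
        # RFC 7208: several SPF records is a permanent error; none means no SPF.
        return ("absent", "%d SPF records found, expected exactly 1" % len(found))
    terms = found[0][1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms):
            return ("delegated", "policy comes from the redirect= target record")
        return ("weak", "no 'all' mechanism, unmatched senders get a neutral result")
    if all_terms[0] == "-all":
        return ("enforced", "-all (hard fail)")
    return ("weak", "%s is weaker than -all" % all_terms[0])

# Constructed sample records (example.com is a reserved documentation domain).
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
SAMPLE_SPF = ["site-verification=constructed", "v=spf1 include:_spf.example.com ~all"]

if __name__ == "__main__":
    print(assess_dmarc(SAMPLE_DMARC))
    print(assess_spf(SAMPLE_SPF))
```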

Three Steps. Five Minutes. Done.

Replace weeks of vendor questionnaire back-and-forth with one automated scan.

1. Paste Your Vendor Domains (1 FREE)

Copy/paste up to 50 (Standard) or 100 (Executive) vendor domains from your AP list. Scan 1 vendor completely free to verify data quality before you buy.

2. 42-Rule Diagnostic Scan

Our engine checks DMARC spoofing exposure, SPF sender integrity, DKIM signing signals, transport/reporting maturity, mail infrastructure hygiene, and selected external corroboration signals / registration-age context using public email-domain records, lightweight public-web validation, and related internet-facing signals. No vendor credentials or provider access needed.

3. Download Your Report

Get a PDF + HTML report showing which vendors show stronger outside-in email impersonation exposure indicators based on publicly observable signals. Executive tier adds a PowerPoint deck, remediation email templates, and a 30-day rescan with delta analysis. Agency accounts can also enable white-label branding.

For MSPs & IT Consultants

Need This for Clients?

Stop wasting billable hours on manual vendor questionnaires. Generate a client-ready outside-in vendor email risk diagnostic within minutes and walk into QBRs with evidence.

Executive tier includes: PDF + HTML report + PowerPoint deck + Remediation templates + One 30-day rescan

You Don't Need Their Password. You Need Their Domain.

See what an attacker sees — before they use it.