How to download it
- Open a tenant page and click Domain Spoofing to open the scan.
- Wait for the scan to finish (it checks Direct Send and every custom domain your tenant’s users send from).
- Click Download PDF.
{tenant}_domain_spoofing_{date}.pdf.
What’s in the report
The report opens with a cover and summary page that leads with the Direct Send finding, then dedicates one page to each domain.Cover and summary

The scan includes the domains for all users in the tenant, including guest users. Although you won’t be able to modify DNS records for domains you don’t own, it’s still useful to know whether your guests’ email domains can be spoofed.A guest user’s email being spoofed could be a risk to your team or client if they received an email from one of those trusted domains, which is why we surface them in the scan.
- Enabled: Direct Send is allowed, so unauthenticated mail can spoof the domain to the tenant’s own users.
- Disabled: Exchange rejects unauthenticated Direct Send mail, so the vector is closed.
- Unknown: Petra couldn’t read the setting from Microsoft (shown as “Unable to determine direct send enablement status.”).
The report is fully white-labeled and contains findings and risk assessments only, with no vendor names, links, or remediation steps. The fixes, including the PowerShell command to disable Direct Send and links to deeper guidance, live in the product on the Domain Spoofing scan, not in the client-facing PDF.
One page per domain
Each domain gets its own page showing the overall spoofing risk, a status for SPF, DMARC, and DKIM, and for each record: what it means, the risk it creates, and the raw DNS record.
Related
- Domain Spoofing (Direct Send, SPF, DMARC, DKIM) explains every result and how to fix it.