Clean Sheet · by Crowswatch

Which clubs keep a clean sheet against email spoofing?

We checked the public email security of every Premier League and Championship club: how easily a scammer could spoof the club domain to send fake ticket, transfer, or merchandise emails to fans. The further down the pyramid you go, the easier your club is to impersonate.

14 of 44 clubs have not enabled the standard protection that stops criminals impersonating them to fans.

All checks are public DNS lookups: standard, non-intrusive security research. Last checked 13 July 2026.

The divide

Premier League vs Championship

Top-flight clubs generally have more to spend on IT, and it shows in their email defences.

Premier League

C

Average grade

72/100

Average score

80% fully protected

16 of 20 clubs enforce DMARC, the control that stops spoofing.

Championship

D

Average grade

59/100

Average score

58% fully protected

14 of 24 clubs enforce DMARC, the control that stops spoofing.

The table

Every club, ranked

Tap any club to see the checks behind its grade. A club marked spoofable has not enabled DMARC enforcement, so its domain can still be impersonated.

Premier League

20 clubs

Championship

24 clubs

Methodology

How we score, in full

Every score is out of 100 and reproducible from public DNS. The control that actually stops spoofing, DMARC enforcement, carries the most weight.

DMARC policyreject 55, quarantine 44, p=none 8, no record 0
SPFhard fail -all 22, soft ~all 15, neutral ?all 4, +all or missing 0
DKIMsignature detected 13
MTA-STS (bonus)published 4
TLS-RPT (bonus)published 3
BIMI (bonus)published 3

Grades: A from 90, B from 75, C from 60, D from 45, E from 25, F from 0. Only a reject policy can reach an A.

A DMARC record set to p=none is published but not protecting, so it scores poorly despite existing. SPF strength is read from the record, DKIM from common selectors, and the maturity records are bonus tie-breakers only.

What “spoofable” means: a club is labelled spoofable when its primary domain has no DMARC record, or a DMARC record set to p=none. Both are confirmed states from a successful DNS lookup. It is a defined technical state, not a judgement.

Which domain we check: each club primary email domain, the one that carries the club mail (it has MX records and the DMARC policy), which is what a scammer would impersonate. This is not always the obvious .com: we resolve it per club by following the club web presence and confirming which domain actually handles email, so a club is never judged on a domain it does not send fan mail from.

When DNS does not resolve: a lookup that times out or fails is not treated as an absent record. We re-query, and any club we still cannot determine is held back as unable to verify rather than ranked bottom or labelled spoofable.

Every check is a public DNS lookup. Nothing intrusive, nothing that is not already publicly queryable.

Is your club, or your business, at risk?

Crowswatch runs these exact checks on any domain, free, and shows you how to close the gap. Closing it takes one DNS change for most clubs.

Clean Sheet checks the 44 Premier League and Championship clubs of the 2025-26 season using public DNS records only. It is published by Crowswatch as standard, non-intrusive security research. Figures describe the configuration of each club public email domain at the last check and can change as clubs update their DNS.