Clean Sheet · by Crowswatch
Which clubs keep a clean sheet against email spoofing?
We checked the public email security of every Premier League and Championship club: how easily a scammer could spoof the club domain to send fake ticket, transfer, or merchandise emails to fans. The further down the pyramid you go, the easier your club is to impersonate.
14 of 44 clubs have not enabled the standard protection that stops criminals impersonating them to fans.
All checks are public DNS lookups: standard, non-intrusive security research. Last checked 13 July 2026.
The divide
Premier League vs Championship
Top-flight clubs generally have more to spend on IT, and it shows in their email defences.
Premier League
C
Average grade
72/100
Average score
80% fully protected
16 of 20 clubs enforce DMARC, the control that stops spoofing.
Championship
D
Average grade
59/100
Average score
58% fully protected
14 of 24 clubs enforce DMARC, the control that stops spoofing.
The table
Every club, ranked
Tap any club to see the checks behind its grade. A club marked spoofable has not enabled DMARC enforcement, so its domain can still be impersonated.
Premier League
20 clubsChampionship
24 clubsMethodology
How we score, in full
Every score is out of 100 and reproducible from public DNS. The control that actually stops spoofing, DMARC enforcement, carries the most weight.
Grades: A from 90, B from 75, C from 60, D from 45, E from 25, F from 0. Only a reject policy can reach an A.
A DMARC record set to p=none is published but not protecting, so it scores poorly despite existing. SPF strength is read from the record, DKIM from common selectors, and the maturity records are bonus tie-breakers only.
What “spoofable” means: a club is labelled spoofable when its primary domain has no DMARC record, or a DMARC record set to p=none. Both are confirmed states from a successful DNS lookup. It is a defined technical state, not a judgement.
Which domain we check: each club primary email domain, the one that carries the club mail (it has MX records and the DMARC policy), which is what a scammer would impersonate. This is not always the obvious .com: we resolve it per club by following the club web presence and confirming which domain actually handles email, so a club is never judged on a domain it does not send fan mail from.
When DNS does not resolve: a lookup that times out or fails is not treated as an absent record. We re-query, and any club we still cannot determine is held back as unable to verify rather than ranked bottom or labelled spoofable.
Every check is a public DNS lookup. Nothing intrusive, nothing that is not already publicly queryable.
Is your club, or your business, at risk?
Crowswatch runs these exact checks on any domain, free, and shows you how to close the gap. Closing it takes one DNS change for most clubs.
Clean Sheet checks the 44 Premier League and Championship clubs of the 2025-26 season using public DNS records only. It is published by Crowswatch as standard, non-intrusive security research. Figures describe the configuration of each club public email domain at the last check and can change as clubs update their DNS.

