What Is Email Spoofing?

Email spoofing is the act of forging the sender information in an email message so that it appears to come from a trusted source, such as your company, a bank, or a well-known brand. SMTP was designed without sender authentication: neither the envelope sender (the MAIL FROM address used in the SMTP transaction) nor the From: header the recipient sees is verified by the protocol, so either can be set to any value.

Attackers use spoofing to conduct:

  • Phishing attacks — Tricking recipients into revealing credentials or clicking malicious links
  • Business Email Compromise (BEC) — Impersonating executives to authorize fraudulent transactions
  • Spam campaigns — Using your domain's reputation to bypass spam filters
  • Malware distribution — Sending infected attachments that appear to come from trusted senders

How Spoofing Attacks Work

An attacker does not need access to your email account to spoof your domain. With any SMTP client or one of many freely available sending services, they can submit a message with any address in the From: header and any return address in the envelope. Without authentication records published in your DNS, a receiving mail server has no way to tell this forgery from legitimate mail.

There are two types of spoofing to be aware of:

Exact Domain Spoofing

The attacker puts your exact domain (e.g., ceo@yourcompany.com) in the From: header. This is the most dangerous form, and it is the one DMARC is designed to stop: SPF or DKIM authenticates a domain, and DMARC requires that authenticated domain to match the From: domain.

Lookalike Domain Spoofing

The attacker registers a similar domain (e.g., yourcompany-support.com, or yourcornpany.com with "rn" standing in for "m") and sends email from it. SPF, DKIM and DMARC on your domain do not address this, because the attacker can fully authenticate mail for a domain they own. It requires separate mitigations such as lookalike-domain monitoring and defensive registration of the most likely variants.

How Email Authentication Stops Spoofing

Protocol   How It Prevents Spoofing
SPF        A DNS TXT record listing the hosts allowed to use your domain in the SMTP envelope sender (MAIL FROM, or HELO when MAIL FROM is empty); mail from other hosts fails SPF. SPF on its own never looks at the From: header.
DKIM       The sending server signs the body and selected headers with a private key; the public key is published in DNS at <selector>._domainkey.<domain>. A forger without the key cannot produce a signature that verifies.
DMARC      Publishes a policy (none, quarantine or reject) that receivers apply when neither SPF nor DKIM passes with a domain aligned to the From: header, and requests aggregate and failure reports back to the domain owner.

The critical element is DMARC's alignment requirement. SPF and DKIM each authenticate a domain of their own: SPF the envelope MAIL FROM domain, DKIM the d= domain in the signature. An attacker can pass both for a domain they control while placing yourcompany.com in the visible From: header, and without DMARC that message authenticates cleanly. DMARC closes the loophole by requiring the SPF- or DKIM-authenticated domain to match the From: domain, exactly in strict mode (aspf=s / adkim=s) or sharing the same organizational domain in relaxed mode (the default).
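To make the alignment check concrete, here is an added example (not code from the original page or from any mail server) of the receiver-side DMARC decision in Python. It assumes the receiver has already evaluated SPF for the envelope domain and verified any DKIM signatures, and takes those results as input; the domain yourcompany.com, the attacker's domain evil.example, the DMARC record and the two sample messages are all constructed for illustration. The organizational-domain lookup is simplified, as noted in the code.

```python
"""Receiver-side DMARC evaluation. This is an added example, not code from the
original page or from any mail server. It assumes the receiver has already
produced an SPF result for the envelope MAIL FROM domain and has verified any
DKIM signatures; only the DMARC identifier-alignment step and the policy
decision are implemented here. Domains and the DMARC record are constructed."""
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

# Constructed record as it would be published at _dmarc.yourcompany.com
# (hypothetical domain). adkim/aspf are relaxed, which is also the default.
DMARC_RECORD = "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; rua=mailto:dmarc@yourcompany.com"


def parse_dmarc(record: str) -> dict:
    """Turn 'tag=value; tag=value' into a dict; missing alignment tags mean relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Real receivers consult the Public Suffix List; this
    simplification keeps the last two labels, which is wrong for suffixes such
    as co.uk but is sufficient for the constructed inputs used here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def header_from_domain(raw_message: str) -> str:
    """Domain of the RFC 5322 From: address. parseaddr() returns the addr-spec,
    so a display name that itself looks like an address does not fool us."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        raise ValueError("missing or malformed From: header")
    return addr.rsplit("@", 1)[1]


@dataclass
class AuthResults:
    spf_result: str                 # "pass", "fail", "softfail", "none", ...
    spf_domain: str                 # envelope MAIL FROM (or HELO) domain SPF checked
    dkim_pass_domains: list = field(default_factory=list)  # d= of each valid signature


def evaluate_dmarc(raw_message: str, auth: AuthResults, record: str = DMARC_RECORD) -> dict:
    """DMARC passes if SPF or DKIM passed *and* its domain aligns with From:.
    Otherwise the record's policy applies (sp= when From: is a subdomain)."""
    tags = parse_dmarc(record)
    fd = header_from_domain(raw_message)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, fd, tags["aspf"])
    dkim_ok = any(aligned(d, fd, tags["adkim"]) for d in auth.dkim_pass_domains)
    passed = spf_ok or dkim_ok
    is_subdomain = fd.lower() != org_domain(fd)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {"from_domain": fd, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy}


# Constructed sample 1: legitimate mail sent through yourcompany.com's own server.
LEGIT = ("From: CEO <ceo@yourcompany.com>\r\nTo: cfo@yourcompany.com\r\n"
         "Subject: Q3 numbers\r\n\r\nSee attached.\r\n")
# Constructed sample 2: the spoof described above. The attacker relays through
# hosts authorized for evil.example, so SPF passes for the envelope domain and
# DKIM verifies with d=evil.example, while the visible From: claims yourcompany.com.
SPOOF = ("From: CEO <ceo@yourcompany.com>\r\nTo: cfo@yourcompany.com\r\n"
         "Subject: URGENT wire transfer\r\n\r\nPay the attached invoice today.\r\n")

if __name__ == "__main__":
    print(evaluate_dmarc(LEGIT, AuthResults("pass", "yourcompany.com", ["yourcompany.com"])))
    print(evaluate_dmarc(SPOOF, AuthResults("pass", "evil.example", ["evil.example"])))
```

Run stand-alone, the legitimate message reports dmarc pass with disposition none, while the spoof reports both SPF and DKIM as unaligned and a disposition of reject, even though both checks "passed" for the attacker's own domain. Note that the From: domain is taken from the parsed address, not the display name, so a header like `"ceo@yourcompany.com" <x@bulk.evil.example>` is evaluated against the DMARC record of bulk.evil.example; that case is lookalike or display-name deception, which this check cannot stop.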

Step-by-Step: Protecting Your Domain from Spoofing

  1. Publish an SPF record listing every legitimate sending source, ending in -all (hard fail) or ~all (soft fail), never +all. Keep it within the limit of 10 DNS-querying terms (include:, a, mx, ptr, exists and redirect= each count, ip4:/ip6: do not), or receivers will return permerror and treat the record as absent.
  2. Enable DKIM on every sending service and platform, each with its own selector, signing with d= set to your domain or a subdomain of it so the signature aligns under DMARC.
  3. Deploy DMARC starting with p=none to collect reports, move to p=quarantine once every legitimate source authenticates, then to p=reject to block spoofed mail entirely. The pct= tag lets you phase a stricter policy in gradually.
  4. Review the DMARC aggregate (rua=) reports regularly to identify unauthorized senders and legitimate sources that still fail authentication.
  5. Protect subdomains: add sp=reject to your DMARC record and publish SPF/DKIM for any subdomain that sends mail. For subdomains that never send mail, publish "v=spf1 -all". Orphaned subdomains are frequently abused.
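The five steps above come down to what your DNS publishes, and most deployment mistakes are visible in the records themselves. The following added example (not the page's own code or any vendor's tool) lints a domain's SPF, DKIM and DMARC records for the pitfalls the steps mention: the 10-lookup SPF budget, a missing or permissive all term, the deprecated ptr mechanism, a DMARC policy still at p=none, no sp= for subdomains, and a DKIM selector with no published key. DNS is simulated with a constructed ZONE dict so it runs offline; every name, address, selector and IP range in it is hypothetical.

```python
"""Offline lint of a domain's SPF, DKIM and DMARC records. Added example, not the
page's own code or any vendor's tool. DNS is simulated with the constructed ZONE
dict; for real use replace txt() with TXT lookups (e.g. dnspython). Every name,
address, selector and IP range here is hypothetical."""
import re

ZONE = {  # constructed zone data: DNS name -> TXT records published there
    "yourcompany.com": [
        "v=spf1 ip4:203.0.113.10 include:_spf.mailer.example include:spf.crm.example ~all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.0/24 include:_spf2.mailer.example -all"],
    "_spf2.mailer.example": ["v=spf1 a mx ip4:198.51.100.128/25 -all"],
    "spf.crm.example": ["v=spf1 ip4:192.0.2.0/24 ptr -all"],
    "_dmarc.yourcompany.com": ["v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com"],
    # selector s1 exists; PLACEHOLDERKEY stands in for a base64 RSA public key
    "s1._domainkey.yourcompany.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],
    # a record that blows the lookup budget: eleven include: terms
    "toomany.example": ["v=spf1 " + " ".join(f"include:i{n}.example" for n in range(11)) + " -all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query
MAX_LOOKUPS = 10                                                    # RFC 7208 section 4.6.4
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", re.I)

def txt(name: str) -> list:
    """Stand-in for a DNS TXT query against the constructed zone."""
    return ZONE.get(name.lower().rstrip("."), [])

def parse_tags(record: str) -> dict:
    """'tag=value; tag=value' (DMARC and DKIM key records) -> dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_record(domain: str):
    """The domain's single v=spf1 record, or None (none or several is a permerror)."""
    recs = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def count_spf_lookups(domain: str, path=frozenset()) -> tuple:
    """Count DNS-querying terms, following include: and redirect= recursively."""
    if domain in path:
        return 0, [f"SPF: include loop through {domain}"]
    rec = spf_record(domain)
    if rec is None:
        return 0, [f"SPF: {domain} has no single valid v=spf1 record (permerror)"]
    count, findings = 0, []
    for term in rec.split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name in LOOKUP_TERMS:
            count += 1
        if name == "ptr":
            findings.append(f"SPF: 'ptr' in {domain} is deprecated (RFC 7208 section 5.5)")
        if name in ("include", "redirect") and value:
            sub_count, sub_findings = count_spf_lookups(value, path | {domain})
            count, findings = count + sub_count, findings + sub_findings
    return count, findings

def lint_spf(domain: str) -> list:
    rec = spf_record(domain)
    if rec is None:
        return [f"SPF: {domain} has no single valid v=spf1 record (permerror)"]
    count, findings = count_spf_lookups(domain)
    if count > MAX_LOOKUPS:
        findings.append(f"SPF: too many DNS lookups ({count} > {MAX_LOOKUPS}); receivers return permerror")
    terms = rec.lower().split()[1:]
    if any(t in ("all", "+all") for t in terms):
        findings.append("SPF: '+all' authorizes every host on the internet to send as you")
    elif not any(t.endswith("all") or t.startswith("redirect=") for t in terms):
        findings.append("SPF: no 'all' term; unlisted senders get neutral rather than fail")
    elif "~all" in terms:
        findings.append("SPF: '~all' soft fail (acceptable under DMARC; '-all' is stricter)")
    return findings

def lint_dmarc(domain: str) -> list:
    recs = [r for r in txt(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if len(recs) != 1:
        return [f"DMARC: _dmarc.{domain} has no single v=DMARC1 record; spoofing is not blocked"]
    tags, findings = parse_tags(recs[0]), []
    p = tags.get("p")
    if p not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif p == "none":
        findings.append("DMARC: p=none only monitors; advance to quarantine, then reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    if "sp" not in tags:
        findings.append(f"DMARC: no sp= tag; subdomains inherit p={p}")
    return findings

def lint_dkim(domain: str, selectors) -> list:
    """Each selector you sign with needs a key record with a non-empty p= tag."""
    findings = []
    for sel in selectors:
        recs = txt(f"{sel}._domainkey.{domain}")
        if not recs or not parse_tags(recs[0]).get("p"):
            findings.append(f"DKIM: selector '{sel}' has no public key (missing record or empty p=)")
    return findings

if __name__ == "__main__":
    for f in lint_spf("yourcompany.com") + lint_dmarc("yourcompany.com") + lint_dkim("yourcompany.com", ["s1", "old"]):
        print(f)
```

For the constructed yourcompany.com zone the linter counts six lookups (two nested include: terms, a, mx, a third include: and ptr), flags the deprecated ptr in a third-party include, notes the ~all soft fail, and reports that DMARC is still at p=none with no sp= tag; the toomany.example record trips the 10-lookup limit. Lookups are counted even when an included record is missing, because receivers spend the query before discovering that.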

Beyond Authentication: Additional Defenses

  • BIMI (Brand Indicators for Message Identification) — Displays your logo in the inbox of supporting mail clients as a visual trust signal. It requires DMARC at enforcement (p=quarantine or p=reject), so it is only available once the steps above are complete.
  • Employee training — Teach staff to recognize spoofed and lookalike emails even when they appear legitimate, since lookalike domains are not caught by SPF/DKIM/DMARC on your own domain.
  • Domain monitoring — Use services that alert you when lookalike domains are registered, and have a takedown process ready for when they are.
  • MTA-STS and DANE — Enforce TLS for mail in transit between servers and prevent STARTTLS downgrade and man-in-the-middle interception. They protect delivery, not sender identity, so they complement SPF, DKIM and DMARC rather than replacing them.

What Happens When You Don't Protect Your Domain

Domains without DMARC enforcement are prime targets. Once attackers spoof your domain successfully, the consequences can include:

  • Loss of customer trust and brand reputation damage
  • Your domain being blacklisted, affecting legitimate email delivery
  • Legal and regulatory liability (especially in finance and healthcare sectors)
  • Financial losses from BEC attacks targeting your employees or clients

Implementing the full SPF + DKIM + DMARC stack is one of the most impactful and cost-effective security measures available to any organization that uses email.