What Is Email Spoofing? How to Protect Your Business
Email spoofing is the forging of a sender address. An attacker sends an email that displays your domain in the From field, so the message appears to come from your business, even though it was sent from a server you have no connection to. No account is compromised and no password is stolen.
Spoofing is possible because the underlying email protocol does not verify sender addresses. Protection depends on DNS records that each domain owner has to publish. This guide explains how spoofing works, what it is used for, and how to prevent it on your domain.
Why Email Spoofing Is Possible
Email is delivered over SMTP, a protocol designed in the early 1980s for a small network of trusted institutions. SMTP does not check that the address in the From field belongs to the sender. Whatever address the sending system supplies is what the recipient sees.
Verification was added later through three optional DNS records: SPF, DKIM, and DMARC. They let receiving servers confirm that a message genuinely came from the domain it claims. Because the records only exist if the domain owner publishes them, a domain without them gives receiving servers nothing to check against, and forged messages are routinely delivered.
What Spoofed Emails Are Used For
Spoofing is the delivery mechanism for several common types of fraud, because a message that appears to come from a known domain inherits the trust attached to it.
- Invoice fraud — a client or supplier receives a payment request from your address with altered bank details. This is a core technique in business email compromise, which caused $2.8 billion in reported losses in 2024 according to the FBI
- Internal phishing — staff receive an email that appears to come from a director or manager, requesting a payment, a gift card purchase, or login credentials
- Customer phishing — renewal notices, password resets, or offers sent in your name to collect payment details from your customers
- Malware delivery — attachments are more likely to be opened when the sender appears to be a known business
Spoofing vs. Lookalike Domains
Two related attacks are often confused, and they have different defences.
Exact-domain spoofing uses your real domain in the From address. SPF, DKIM, and DMARC are designed to stop it: at full enforcement, receiving servers block messages that fail authentication.
A lookalike domain is a separate domain registered by the attacker — your name with a swapped letter, an added word, or a different ending. Authentication on your domain has no effect on it, because the attacker owns the lookalike and can authenticate it normally. The defences against lookalikes are staff training, monitoring for new registrations, and registering common variants yourself.
Exact-domain spoofing is the more serious of the two, because the displayed address is genuinely yours and there is nothing in the message for a recipient to spot.
How to Check Whether Your Domain Can Be Spoofed
Whether your domain can be spoofed is determined by your published DNS records, which are public and can be checked in seconds.
The scanner on this page reads your SPF, DKIM, and DMARC records and reports your protection level. The key result is the DMARC policy. If there is no DMARC record, or the policy is set to p=none, receiving servers have no instruction to reject forged messages, and your domain can currently be spoofed.
How SPF, DKIM, and DMARC Prevent Email Spoofing
The three records each verify a different part of the message.
SPF confirms the message was sent from a server authorised for the domain. DKIM confirms the message was signed by the domain and not altered in transit. DMARC checks that the verified domain matches the one shown in the From field, and tells the receiving server what to do when the checks fail.
The policy in the DMARC record sets the outcome. At p=none, failing messages are still delivered. At p=quarantine, they are sent to spam. At p=reject, they are blocked entirely. Reject is the level at which spoofing your domain stops working, and reaching it safely requires confirming that all your legitimate sending services pass authentication first.
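As an added illustration (not readyDMARC's scanner or any code from the page), the following Python shows the logic a domain checker applies: it parses a DMARC TXT record, maps the policy to the delivery outcome described above, and applies DMARC's alignment rule to SPF and DKIM results. The record strings and domains are constructed samples, and relaxed alignment is approximated by comparing the last two DNS labels.

```python
"""Evaluate a domain's DMARC posture the way a scanner would (constructed example)."""

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...' into tags.
    Returns None if the text is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags

def dmarc_policy(txt):
    """Return the effective policy: 'missing', 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "missing"
    # p= is mandatory, but a record without it gives receivers no instruction,
    # so treat it as 'none' for the purposes of the protection level.
    return tags.get("p", "none").lower()

def spoofable(txt):
    """True when forged mail carrying the domain would still be delivered."""
    return dmarc_policy(txt) in ("missing", "none")

def _org_domain(domain):
    """Approximate the organisational domain by its last two labels (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_verdict(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, policy):
    """DMARC passes when SPF or DKIM passes AND that check's domain aligns with the
    From domain. On failure the policy decides: none -> deliver, quarantine -> spam,
    reject -> block. Results are 'pass' or 'fail' as a receiver would compute them."""
    spf_aligned = spf_result == "pass" and _org_domain(spf_domain) == _org_domain(from_domain)
    dkim_aligned = dkim_result == "pass" and _org_domain(dkim_domain) == _org_domain(from_domain)
    if spf_aligned or dkim_aligned:
        return "deliver"
    return {"none": "deliver", "quarantine": "spam", "reject": "block"}[policy]

if __name__ == "__main__":
    # Constructed records for a protected and an unprotected domain.
    protected = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    monitoring = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
    print("reject domain spoofable:", spoofable(protected))    # False
    print("p=none domain spoofable:", spoofable(monitoring))   # True
    # An attacker's server passes SPF for its own domain, but that does not align.
    print(dmarc_verdict("example.com", "pass", "attacker.invalid", "fail", "", "reject"))
```

The last call prints "block": SPF passing for the attacker's own sending domain does not help them, because DMARC requires the authenticated domain to align with the one shown in the From field.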
The Cost of Spoofing When No Fraud Succeeds
Spoofing causes damage even when every recipient recognises the forgery.
- Recipients lose confidence in email from your domain and begin verifying routine messages by phone
- Circulating forgeries damage your domain's reputation with spam filters, which reduces the deliverability of your legitimate email
- Staff time is spent fielding queries, issuing warnings, and handling the aftermath
- If client money or data is lost, questions of liability can arise over whether standard protections were in place
Frequently Asked Questions
What is email spoofing in simple terms?
Email spoofing is sending a message with a forged From address so it appears to come from someone else — usually a trusted company. The attacker never needs access to the real account. Standard email does not verify the sender, so without protective DNS records, the forgery is delivered.
Is email spoofing the same as my account being hacked?
No. A hacked account means an attacker controls your real mailbox. Spoofing requires no access at all — the attacker fakes your address from their own systems. Changing your password therefore does nothing to stop spoofing. The fix is publishing SPF, DKIM, and DMARC for your domain.
Can I find out if my domain is being spoofed right now?
Yes. DMARC reports list every server sending email that claims to come from your domain, including ones you do not recognise. Many businesses publish a DMARC record in monitoring mode and discover forged email within days. A scan of your domain shows whether you have that visibility today.
Will DMARC stop emails from lookalike domains?
No. DMARC protects the exact domain it is published on, so it blocks forgeries of your real address. A lookalike domain is a separate registration the attacker owns and can authenticate normally. Defending against lookalikes relies on staff awareness, monitoring, and in some cases registering obvious variants yourself.
Email spoofing exploits the fact that email does not verify sender addresses on its own. Until SPF, DKIM, and DMARC are published and enforced for your domain, forged messages carrying your address can reach your clients, suppliers, and staff.
Enter your domain above to check whether it can be spoofed today.
If it can, readyDMARC closes the gap — we configure the records, verify your legitimate senders, and take your domain to full enforcement. See our managed email security services to get started.