Email spoofing means a criminal sends a message that appears to come from your domain, without ever touching your systems. It works because email was built without authentication: anyone can type your address into the From field. The fix is a DNS record called DMARC, set to actively block fakes.
A criminal puts your domain in the From field of an email. Unless your domain tells receiving servers to reject unauthenticated mail, it arrives looking exactly like you sent it.
Your clients get fake invoices and changed bank details. Your staff get CEO-fraud and payment requests. Your suppliers get impersonated messages. All in your name.
SPF and DKIM are commonly set up, but DMARC, the record that actually enforces, is frequently missing or left at p=none, which does nothing to stop spoofing.
A DMARC policy of p=reject tells receiving servers to bin any email that fails authentication. That is what closes the door on spoofing your real domain.
Run the free check above to see whether your domain can be spoofed right now. If DMARC is missing or set to p=none, it can. The fix is a set of DNS changes: a correct SPF record, DKIM enabled, and DMARC moved to quarantine then reject. Your IT team can do it, and the check gives them the exact list.
Not necessarily. Without DMARC set to quarantine or reject, receiving servers are not told to block mail that fails those checks. Many spoofable domains have SPF and DKIM but no DMARC enforcement.
No. DMARC protects your exact domain from being spoofed. A lookalike domain, one letter different, is a separate problem that needs monitoring and staff awareness. Do both.
Not if SPF and DKIM are set up correctly first. That is why you move in stages: p=none to monitor, then quarantine, then reject once you are confident all your legitimate senders pass.
Run the free check above to see whether your domain can be impersonated, and get the fix list for your IT team.