Email spoofing means a criminal sends a message that appears to come from your domain, without ever touching your systems. It works because email was built without authentication: anyone can type your address into the From field. The fix is a DNS record called DMARC, set to actively block fakes.

How spoofing works, and what stops it

How spoofing works

A criminal puts your domain in the From field of an email. Unless your domain tells receiving servers to reject unauthenticated mail, it arrives looking exactly like you sent it.

Who gets targeted

Your clients get fake invoices and changed bank details. Your staff get CEO-fraud and payment requests. Your suppliers get impersonated messages. All in your name.

Why IT often misses it

SPF and DKIM are commonly set up, but DMARC, the record that actually enforces, is frequently missing or left at p=none, which does nothing to stop spoofing.

What actually stops it

A DMARC policy of p=reject tells receiving servers to bin any email that fails authentication. That is what closes the door on spoofing your real domain.

How to close the gap

Run the free check above to see whether your domain can be spoofed right now. If DMARC is missing or set to p=none, it can. The fix is a set of DNS changes: a correct SPF record, DKIM enabled, and DMARC moved to quarantine then reject. Your IT team can do it, and the check gives them the exact list.

Your quick checklist

  • SPF listing every legitimate sending service
  • DKIM enabled in your email platform
  • DMARC moved from p=none to quarantine, then reject
  • Lookalike-domain monitoring for close variants of your name
  • Staff trained to verify unusual payment requests by phone

Questions we get asked

We have SPF and DKIM. Are we safe?

Not necessarily. Without DMARC set to quarantine or reject, receiving servers are not told to block mail that fails those checks. Many spoofable domains have SPF and DKIM but no DMARC enforcement.

Does DMARC stop lookalike domains too?

No. DMARC protects your exact domain from being spoofed. A lookalike domain, one letter different, is a separate problem that needs monitoring and staff awareness. Do both.

Will setting DMARC to reject block our real emails?

Not if SPF and DKIM are set up correctly first. That is why you move in stages: p=none to monitor, then quarantine, then reject once you are confident all your legitimate senders pass.

Run the free check above to see whether your domain can be impersonated, and get the fix list for your IT team.