Email spoofing is when an attacker sends mail that appears to come from your domain without your authorisation. It harms your recipients, damages your domain's reputation, and your customers blame you — even though you didn't send it. The good news: it is entirely preventable with proper authentication.
Because email was designed without sender verification, the "From" address in a message is just a field anyone can fill in with any value they choose. Without authentication, a spammer can send a message that says it comes from ceo@yourcompany.com even though it was sent from a server they control in a completely different country.
Receiving mail servers, by default, will simply deliver this message unless they have been instructed to check for authentication and act on failures.
Signs that someone is spoofing your domain:
SPF publishes the list of servers authorised to send as your domain. Any server not on the list fails the SPF check. This tells receivers that the message did not come from an authorised source — but by itself, SPF does not tell receivers to reject it.
DKIM signs outgoing messages cryptographically. A spoofed message from an attacker's server cannot produce a valid DKIM signature for your domain, because the attacker does not have your private key.
DMARC is what actually stops the spoofed mail from reaching recipients. With p=reject, any mail claiming to come from your domain that fails SPF/DKIM alignment is rejected at the receiving server — it never reaches the inbox.
Without DMARC enforcement, SPF and DKIM are valuable signals but they do not stop spoofed mail from being delivered. A receiver sees the authentication failure and might filter it — or might not. DMARC at reject removes the ambiguity.
The path to p=reject requires care — rushing it can block your own legitimate mail. Follow this sequence:
DMARC at p=reject stops exact-domain spoofing. It does not protect against attackers registering domains that look like yours — yourcompany-support.com or y0urcompany.com — and sending from those. These are called lookalike or cousin domains and require separate monitoring. See the brand impersonation guide for how to address these.
If the guides aren't enough, book a free 30-minute call. We'll look at your setup, name the layer that's failing, and give you the fix order. No pitch, no obligation.