Book a free consultation
Layer 6 · Threat & Impersonation

Email spoofing: how to stop it

Email spoofing is when an attacker sends mail that appears to come from your domain without your authorisation. It harms your recipients, damages your domain's reputation, and your customers blame you — even though you didn't send it. The good news: it is entirely preventable with proper authentication.

How spoofing works

Because email was designed without sender verification, the "From" address in a message is just a field anyone can fill in with any value they choose. Without authentication, a spammer can send a message that says it comes from ceo@yourcompany.com even though it was sent from a server they control in a completely different country.

Receiving mail servers, by default, will simply deliver this message unless they have been instructed to check for authentication and act on failures.

How to tell if your domain is being spoofed

Signs that someone is spoofing your domain:

  • Customers or recipients report getting email from your address that you did not send
  • You receive bounce messages (delivery failures) for emails you never sent — these are "backscatter" bounces being returned to your domain as the forged sender
  • Your DMARC aggregate reports show mail from IPs you don't recognise
  • Google Postmaster Tools shows a spike in your spam rate that does not correlate with any campaign you ran
Backscatter is a signal: If you are receiving bounce messages for email you did not send, your domain is almost certainly being used in a spoofing campaign. The spammers are using your domain as the forged return address.

The authentication stack that stops spoofing

Step 1: SPF

SPF publishes the list of servers authorised to send as your domain. Any server not on the list fails the SPF check. This tells receivers that the message did not come from an authorised source — but by itself, SPF does not tell receivers to reject it.

Step 2: DKIM

DKIM signs outgoing messages cryptographically. A spoofed message from an attacker's server cannot produce a valid DKIM signature for your domain, because the attacker does not have your private key.

Step 3: DMARC at p=reject

DMARC is what actually stops the spoofed mail from reaching recipients. With p=reject, any mail claiming to come from your domain that fails SPF/DKIM alignment is rejected at the receiving server — it never reaches the inbox.

Without DMARC enforcement, SPF and DKIM are valuable signals but they do not stop spoofed mail from being delivered. A receiver sees the authentication failure and might filter it — or might not. DMARC at reject removes the ambiguity.

Deploying anti-spoofing authentication safely

The path to p=reject requires care — rushing it can block your own legitimate mail. Follow this sequence:

  1. Audit every system that sends email as your domain (ESP, CRM, transactional, marketing, support, etc.)
  2. Add all of them to your SPF record and configure DKIM signing on each
  3. Add DMARC at p=none with a reporting address
  4. Read reports for 4–6 weeks to find any sources you missed
  5. Move to p=quarantine, then p=reject once your reports show 100% pass rate
Once at p=reject: Any spoofed mail claiming to be from your domain is rejected before it reaches any recipient. Your domain cannot be used to defraud your customers via direct spoofing.

What rejection doesn't cover

DMARC at p=reject stops exact-domain spoofing. It does not protect against attackers registering domains that look like yours — yourcompany-support.com or y0urcompany.com — and sending from those. These are called lookalike or cousin domains and require separate monitoring. See the brand impersonation guide for how to address these.

Free 30-minute consultation

Still stuck? Talk to a specialist.

If the guides aren't enough, book a free 30-minute call. We'll look at your setup, name the layer that's failing, and give you the fix order. No pitch, no obligation.

Book a free consultation