Email Domain Spoofing: How to Stop It With SPF, DKIM & DMARC

One of the quietly dangerous things that can happen to a business today is having its email domain spoofed. Not hacked. Not breached. Spoofed.

Meaning: someone out on the internet starts sending emails as you, often pretending to be a delivery service, a bank, or some other trusted brand. They’re not inside your systems. They’re not using your mail server. They’re just borrowing your name because it increases the hit rate.

And if you’re a business owner, here’s the uncomfortable truth:
This can happen even if you’ve done everything “right.”

So here’s the playbook: simple, minimal, effective.

1. Verify Whether It’s Spoofing or an Actual Compromise

If your own mail logs don’t show the messages, it’s spoofing.
This is good news: it means your infrastructure isn’t the problem; your lack of authentication is.

2. Close the Open Doors (SPF, DKIM, DMARC)

Three records decide your fate here:
**SPF** – Who is allowed to send mail as you
**DKIM** – Cryptographic signatures proving the message is real
**DMARC** – The bouncer that decides what happens when something fakes your identity

If DMARC isn’t set to reject, you’ve essentially left your brand unlocked.
Most companies never move beyond “monitor.” That’s like installing a security camera but never locking the door.
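As an added example (not part of the original post), here is a small Python check that flags the weak SPF and DMARC settings described above. The records and domain names are constructed; fetching the real TXT records at `<domain>` (SPF) and `_dmarc.<domain>` (DMARC) is left to whatever DNS resolver you use.

```python
# Constructed sample records for a made-up domain: the weak setting beside the fix.
WEAK_SPF = "v=spf1 include:_spf.mailer.example ~all"
STRONG_SPF = "v=spf1 include:_spf.mailer.example -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    """Findings for the SPF TXT record at <domain>; an empty list means nothing weak."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    findings = []
    last = record.split()[-1].lower()  # the 'all' qualifier decides unlisted senders
    if last in ("+all", "all"):
        findings.append("'+all' authorises every host on the internet to send as you")
    elif last == "~all":
        findings.append("'~all' only soft-fails forgeries; '-all' asks receivers to reject them")
    elif last != "-all":
        findings.append("no terminating 'all' mechanism")
    return findings


def check_dmarc(record: str) -> list:
    """Findings for the TXT record at _dmarc.<domain>; an empty list means enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: forged mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine spam-folders forgeries; move to p=reject once reports are clean")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only a fraction of mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports to monitor with")
    return findings
```

Run `check_spf` and `check_dmarc` over your own records: the weak samples each produce one finding, the corrected ones none.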

3. Communicate With Your People

When an attack uses your identity, the target isn’t you; it’s your customers.

A short, honest message goes a long way:

“Our domain is being spoofed. If you received unexpected messages, they didn’t come from us.”

You’re not apologising; you’re protecting.

4. Report the Infrastructure Being Used Against You

Every spoofed email has headers that tell you where it came from.
Send those to the provider’s abuse teams. Most will rip down malicious servers quickly if you give them a clean report.

5. Monitor Your Domain Like an Asset

Your domain is part of your brand surface area.
DMARC reports, reputation tools, and simple intel feeds will tell you how often someone tries to wear your face.

The Takeaway?

Domain spoofing isn’t a sign you’ve been hacked.
It’s a sign you haven’t made it hard enough to impersonate you.

Most businesses can fix this in under an hour:
Enable DKIM
Tighten SPF
Set DMARC to reject

One hour of work can eliminate a category of risk that will otherwise follow your company for years.