DMARCbis-ready · The 2026 standard

What is email spoofing?

Spoofing is not hacking. Nobody breaks into anything: the attacker simply writes your domain into the From line of mail they send from their own servers, because email lets them.

Definition

Email spoofing is sending a message whose From address claims a sender it did not come from, most often somebody else's domain. It works because SMTP, designed in a more trusting era, does not verify the From line: any server can transmit a message claiming to be finance@yourcompany.com. Without authentication policies, receivers have no way to know better.

Spoofing is not a compromised account

The two get conflated, and the difference decides your response:

  • Spoofing: the attacker never touched your systems. Nothing of yours is breached; your domain's name is being borrowed on infrastructure you have never seen. The fix is policy: publish authentication and tell receivers to enforce it.
  • Account compromise: the attacker sends real mail from your real account, which passes SPF, DKIM, and DMARC honestly. The fix is credentials: reset, revoke sessions, audit. No DMARC policy stops it, because the mail genuinely is yours.

What actually stops spoofing

The authentication stack, working together: SPF names the servers allowed to send for your domain, DKIM cryptographically signs your real mail, and a DMARC record at an enforcement policy tells receivers to spam-folder or refuse mail that fails both with your name on it. At p=none you can watch spoofing happen in your aggregate reports; at p=reject receivers block it before anyone sees it. Domains that send no mail at all still need this, published in its strictest form, because an unprotected parked domain is the cheapest thing on the internet to impersonate.

What DMARC cannot stop

Lookalike attacks survive: a registered yourcompany-billing.com, a homoglyph domain, or a trusted display name over a random mailbox all pass authentication for the domain they really use. Spoofing defense protects your exact domain; impersonation beyond it is fought with monitoring, takedowns, and reader skepticism.

Keep reading

Last verified 2026-07-10.

Stop guessing. Start monitoring.

Free for one domain. Set up in five minutes. We parse the reports; you read plain-English summaries.