What is email spoofing?
Spoofing is not hacking. Nobody breaks into anything: the attacker simply writes your domain into the From line of mail they send from their own servers, because email lets them.
Definition
Email spoofing is sending a message whose From address claims a sender it did not come from, most often somebody else's domain. It works because SMTP, designed in a more trusting era, does not verify the From line: any server can transmit a message claiming to be finance@yourcompany.com. Without authentication policies, receivers have no way to know better.
Spoofing is not a compromised account
The two get conflated, and the difference decides your response:
- Spoofing: the attacker never touched your systems. Nothing of yours is breached; your domain's name is being borrowed on infrastructure you have never seen. The fix is policy: publish authentication and tell receivers to enforce it.
- Account compromise: the attacker sends real mail from your real account, which passes SPF, DKIM, and DMARC honestly. The fix is credentials: reset, revoke sessions, audit. No DMARC policy stops it, because the mail genuinely is yours.
What actually stops spoofing
The authentication stack, working together: SPF names the servers allowed to send for your domain, DKIM cryptographically signs your real mail, and a DMARC record at an enforcement policy tells receivers to spam-folder or refuse mail that fails both with your name on it. At p=none you can watch spoofing happen in your aggregate reports; at p=reject receivers block it before anyone sees it. Domains that send no mail at all still need this, published in its strictest form, because an unprotected parked domain is the cheapest thing on the internet to impersonate.
What DMARC cannot stop
Lookalike attacks survive: a registered yourcompany-billing.com, a homoglyph domain, or a trusted display name over a random mailbox all pass authentication for the domain they really use. Spoofing defense protects your exact domain; impersonation beyond it is fought with monitoring, takedowns, and reader skepticism.
Keep reading
What is the Header From address?
The unverified From line spoofing exploits.
What is DMARC?
The policy layer that lets receivers refuse mail forging your domain.
Protecting parked domains
Domains that send no mail at all are the easiest spoofing targets.
Check your exposure
See whether your domain currently tells receivers to block forged mail.
Last verified 2026-07-10.
Free for one domain. Set up in five minutes. We parse the reports; you read plain-English summaries.