Solutions for Protection Against Email Spoofing

Email spoofing is a technique where attackers forge the sender address of an email to make it appear to come from a trusted source — a bank, a government agency, a colleague, or a known brand. The primary defense against email spoofing is a combination of three email authentication protocols: SPF, DKIM, and DMARC. Without these records configured on your domain, any attacker can send email appearing to come from your organization.

What Is Email Spoofing?

Email spoofing exploits weaknesses in SMTP (Simple Mail Transfer Protocol) — the protocol that governs email delivery — which was designed for function, not security. SMTP does not verify whether the sender address is genuine, making it trivially easy to forge.

Spoofed emails are a primary delivery mechanism for phishing attacks, CEO fraud (business email compromise, BEC), and AI-generated phishing campaigns. A spoofed email impersonating your CEO or your bank is extremely difficult to identify by visual inspection alone.

4 Types of Email Spoofing Attacks

1. Display Name Spoofing

Mobile email clients often show only the sender’s display name, not the full email address. Attackers register a fake address (e.g., hacker123@frauddomain.com) but set the display name to “HDFC Bank” or “CEO Name.” The recipient sees only the familiar name on their phone screen.

2. Look-Alike Domain Attacks

Attackers register domains resembling legitimate ones — changing a single character (paypa1.com instead of paypal.com), using visually identical Cyrillic characters, or adding hyphens. A recipient seeing “paypal@paypa1.com” may not spot the difference between “l” and “1” without close inspection.

3. Domain Spoofing via Unencrypted Websites

Sites using “http://” rather than “https://” allow attackers to intercept connections and redirect users to malicious clones. Attackers substitute the real domain with a fraudulent one mid-session to host credential-stealing forms.

4. Legitimate Domain Spoofing

The most dangerous form: attackers send emails using the actual domain of the impersonated organization. Organizations without DMARC allow any sender to use their domain. Attackers exploit public cloud infrastructure and third-party email services that do not verify domain ownership to execute this form of spoofing at scale.

How to Protect Against Email Spoofing: SPF, DKIM, and DMARC

1. SPF (Sender Policy Framework)

SPF is a DNS record that specifies which mail servers are authorized to send email from your domain. When a receiving server gets an email claiming to be from your domain, it checks the SPF record to verify the sending server is authorized. Unauthorized servers can be rejected.

Limitation: SPF alone cannot stop display name spoofing. It must be combined with DMARC for complete protection.
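The check described above, as an added example that is not part of the original article: a receiving server looks up the SPF record of the domain in the envelope sender (the SMTP MAIL FROM address) and matches the connecting IP against the listed mechanisms. The evaluator below is a deliberately reduced version of RFC 7208 (only ip4, ip6, include and all; no a, mx, exists or redirect), and the DNS table and every domain and address in it are constructed for the example rather than real records.

```python
"""Simplified SPF evaluator (added example; not a full RFC 7208 implementation)."""
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline (assumption).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF terms for a domain, or None if it publishes no SPF record."""
    txt = FAKE_DNS_TXT.get(domain.lower())
    if txt is None or not txt.startswith("v=spf1"):
        return None
    return txt.split()[1:]


def check_spf(mail_from_domain, sender_ip, depth=0):
    """Evaluate SPF for a connection from sender_ip claiming MAIL FROM <...@mail_from_domain>."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms (include etc.) at 10
        return "permerror"
    terms = lookup_spf(mail_from_domain)
    if terms is None:
        return "none"  # no record: the domain owner has not authorised anything
    ip = ipaddress.ip_address(sender_ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]  # catch-all, normally "-all" or "~all"
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # An include matches only if the referenced domain's record yields "pass".
            if check_spf(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, exists and redirect are omitted in this reduced evaluator.
    return "neutral"  # RFC 7208 default when nothing matched and there is no "all"


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(ip, "->", check_spf("example.com", ip))
```

Note that the result applies to the envelope sender domain only; the evaluator never looks at the From header the recipient sees, which is why a pass here says nothing about display name spoofing and why DMARC alignment is needed on top.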

2. DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic digital signature to outgoing emails using a private key held by your mail server. Recipients verify the signature using a public key published in your DNS records. If an email has been tampered with in transit, the DKIM check fails — protecting against both spoofing and man-in-the-middle modification.

A properly DKIM-signed email shows “Signed-by: yourdomain.com” in Gmail headers. The absence of this signature is a warning sign for recipients.
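The tamper-detection step mentioned above, as an added example that is not part of the original article: before the RSA signature over the headers is checked, a DKIM verifier canonicalises the body, hashes it and compares the result with the bh= tag in the DKIM-Signature header. The code below implements only that body-hash step (relaxed canonicalisation from RFC 6376), leaves the b= signature as a placeholder, and uses a constructed message, domain and selector.

```python
"""DKIM body-hash (bh=) computation and check (added example; signature step omitted)."""
import base64
import hashlib
import re


def relaxed_body(body: str) -> bytes:
    """Apply DKIM 'relaxed' body canonicalisation (RFC 6376 section 3.4.4)."""
    lines = body.replace("\r\n", "\n").split("\n")
    # Collapse runs of spaces/tabs to one space and remove trailing whitespace per line.
    lines = [re.sub(r"[ \t]+", " ", line).rstrip() for line in lines]
    # Ignore empty lines at the end of the body.
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    # Every line, including the last, ends with CRLF.
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """Return the base64 SHA-256 of the canonicalised body, as carried in bh=."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def build_dkim_header(domain: str, selector: str, body: str) -> str:
    """Build the DKIM-Signature value a signer would emit for this body (b= is a placeholder)."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=PLACEHOLDER")


def verify_body_hash(dkim_header: str, body: str) -> bool:
    """Recompute the body hash on the received body and compare it with the bh= tag."""
    m = re.search(r"bh=([^;]+)", dkim_header)
    if not m:
        return False
    received_bh = re.sub(r"\s+", "", m.group(1))  # tolerate header folding
    return received_bh == body_hash(body)


if __name__ == "__main__":
    # Constructed message body (not a real email).
    original = "Hello,\r\n\r\nPlease  review the attached invoice.\r\n\r\n"
    header = build_dkim_header("example.com", "sel1", original)
    print("unchanged body:", verify_body_hash(header, original))
    print("altered body:  ", verify_body_hash(header, original.replace("attached", "updated")))
```

The relaxed algorithm deliberately tolerates whitespace changes, so a body whose only difference is extra spaces or trailing blank lines still verifies; any change to the words themselves produces a different hash and the DKIM check fails, which is the behaviour the paragraph above describes. A real verifier then also fetches the public key from the selector._domainkey DNS record and checks the b= signature over the listed headers.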

3. DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC builds on SPF and DKIM by telling receiving mail servers what to do when an email fails authentication. The domain owner publishes a DMARC policy in DNS:

  • None: Monitor mode — collect failure reports but take no action (entry-level)
  • Quarantine: Move failed emails to the spam/junk folder
  • Reject: Block delivery of failed emails entirely

DMARC also generates aggregate reports showing who is sending email using your domain — including attackers — giving visibility into spoofing activity against your brand.
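The policy decision described in this section, as an added example that is not part of the original article: a receiver takes the SPF and DKIM results, checks whether the authenticated domains align with the From-header domain, and applies the published p= (or sp= for subdomains) disposition when neither aligns. The DMARC record, domains and results below are constructed, the DNS lookup is a dictionary, and the organisational-domain function is a two-label simplification of what real implementations derive from the Public Suffix List.

```python
"""Simplified DMARC evaluation (added example; no DNS, no pct sampling, no reporting)."""

# Constructed stand-in for the _dmarc TXT record of the From domain (assumption).
FAKE_DNS_TXT = {
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                           "rua=mailto:dmarc-reports@example.com"),
}


def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict with RFC 7489 defaults for alignment modes."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless aspf=s
    return tags


def org_domain(domain):
    """Simplification: last two labels. Real verifiers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed accepts the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_dmarc(from_domain):
    """Return (policy, is_subdomain): the domain's own record, else the org domain's."""
    record = FAKE_DNS_TXT.get(f"_dmarc.{from_domain.lower()}")
    if record:
        return parse_dmarc(record), False
    org = org_domain(from_domain)
    if org != from_domain.lower():
        record = FAKE_DNS_TXT.get(f"_dmarc.{org}")
        if record:
            return parse_dmarc(record), True
    return None, False


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) where disposition is none/quarantine/reject."""
    policy, is_subdomain = lookup_dmarc(from_domain)
    if policy is None:
        return "none", "none"  # no record: receivers enforce nothing for this domain
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    action = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return "fail", action


if __name__ == "__main__":
    # Legitimate mail: SPF passes on a bounce subdomain, relaxed alignment accepts it.
    print(evaluate_dmarc("example.com", "pass", "bounce.example.com", "none", ""))
    # Spoof: SPF passes for the attacker's own envelope domain, which does not align.
    print(evaluate_dmarc("example.com", "pass", "frauddomain.example", "none", ""))
```

The second call shows why the SPF limitation noted earlier matters: an attacker can publish a valid SPF record for their own envelope domain and pass SPF, but without alignment to the visible From domain DMARC still fails and the reject policy applies.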

What Happens Without SPF, DKIM, and DMARC?

Without these records, any attacker can send emails appearing to come from your domain — impersonating your business to customers, partners, and employees. Your brand becomes a spoofing tool for criminals. Customers receiving fraudulent emails from your domain lose trust in your organization even though you are the victim.

Additional Protection Measures

For technical implementation of SPF, DKIM, and DMARC on your domain, or for investigation of an email spoofing incident, contact Anuraag Singh — India’s leading email forensics expert.

How to cite this article

Singh, A. (2022). Solutions for Protection Against Email Spoofing. Anuraag Singh - Powering Digital Cyber Investigations. https://anuraagsingh.com/tech-talks/protection-against-email-spoofing/