Domainee
Sign inGet started

Email spoofing

Forging the From: address on email to impersonate a domain. The exact attack DMARC was designed to stop, when DMARC is actually enforced.

Email spoofing is the act of forging the From: header in an email so it appears to come from a domain the sender doesn't actually control. The attacker wants the recipient to read "support@yourbrand.com" and trust the message.

SMTP has no native protection against this. The From: header is just a string set by the sender. The receiving server has no automatic way to validate it without SPF, DKIM, and DMARC working together.

The mechanics

The simplest spoofing:

HELO attacker.com
MAIL FROM:<anything@attacker.com>
RCPT TO:<victim@gmail.com>
DATA
From: support@yourbrand.com
Subject: Reset your password
...

The envelope sender (MAIL FROM:) is attacker.com, which the attacker controls. The visible From: header is yourbrand.com, which they don't. SPF checks MAIL FROM: (passes for attacker.com). DKIM, if signed, signs as attacker.com. The user sees yourbrand.com. SPF and DKIM each technically pass for the wrong domain.

DMARC is what catches this: it requires that the SPF or DKIM passing domain match the From: header domain (alignment). Without alignment, DMARC fails, and a p=reject policy makes the recipient mailbox drop the message.

Why this still works

  • Lots of domains have p=none DMARC (logging only, no enforcement). Spoofed mail still lands in the inbox.
  • Lots of domains have no DMARC at all. Spoofed mail lands.
  • Lots of intermediaries (older mail clients, some webmail) display the friendly name (Support) prominently and the email address less so. Attackers exploit this by setting From: Support <support@evil.com>. The user reads "Support."
  • Mobile mail clients usually hide the full From: address. The user sees just the name.

Other related attacks

  • Cousin domains / look-alikes. yourbrand-secure.com, your-brand.com, yourbrаnd.com (Cyrillic а). Not technically spoofing of your domain; spoofing of you-as-a-brand via a similar domain. DMARC doesn't help; defense is monitoring + UDRP + typosquatting registrations.
  • Display name spoofing. Attacker sends from their own legit domain but puts your brand name in the friendly From: ("Bank of America noreply@evil.com"). Hard to defend technically.
  • Reply-To trickery. Mail looks like it's from your domain (and might even pass DMARC if compromised), but Reply-To: points at the attacker. Replies go to the attacker.

Defense checklist

For your own domain:

  1. Publish SPF, DKIM, DMARC. Get DMARC to p=reject.
  2. Monitor DMARC aggregate reports for spoofing volume.
  3. Register _dmarc for every subdomain you don't use for mail; set those to p=reject so attackers can't spoof mail.unused.yourdomain.com.

For your inbox (protecting your users):

  1. Use a mail provider that honors DMARC (Gmail, Microsoft 365, Fastmail). All major providers do.
  2. Enforce TLS-only delivery via MTA-STS where possible.
  3. Train users that brand names in display names don't prove identity. Look at the full address.

In a SaaS

If you let customers send mail through your platform from their own domain:

  • Make DKIM with a customer-specific selector mandatory. Hand-walk customers through the DNS setup.
  • Refuse to send unless DMARC alignment is achievable (their From: domain must have either SPF or DKIM aligned with your sending infrastructure).
  • Surface the customer's DMARC posture in your dashboard. If they're at p=none, encourage p=reject.

Want this handled for you? Start free with Domainee — 50 custom domains + 100 GB bandwidth, no card.