Research2026-03-2513 min read

Email Spoofing: How Attackers Forge Your Domain and How to Stop Them

Email spoofing exploits the lack of built-in authentication in SMTP. Without SPF, DKIM, and DMARC at enforcement level, anyone can send emails as your domain. Here is exactly how it works, with data, real-world cases, and the complete remediation playbook.

Email spoofing is the act of forging the sender address on an email so it appears to come from someone else, typically a trusted person or organization. Unlike spam, spoofed emails are crafted to exploit trust: they impersonate a CEO, a bank, a vendor, or a colleague. The recipient sees a familiar name and acts on it.

This is not a theoretical attack. Business Email Compromise (BEC) caused $2.9 billion in losses in 2023 according to the FBI IC3 report, making it the single most costly category of cybercrime by reported losses. The median wire transfer in a BEC attack was $50,000. And the underlying technique in the majority of cases is email spoofing.

$2.9BBEC losses in 2023 (FBI IC3)

91%of cyberattacks start with email

3.4Bspoofed emails sent daily

$50Kmedian BEC wire transfer

Sources: FBI IC3 Report 2023, Deloitte Cyber Threat Report 2024, Valimail Email Fraud Landscape 2024

How email spoofing works

Email was designed in 1982 (RFC 822) with no built-in authentication. The SMTP protocol lets any sender specify any address in the From: header. There is no verification at the protocol level. This is equivalent to writing any return address on a physical letter.

A spoofed email requires only a few lines of raw SMTP:

EHLO attacker.com
MAIL FROM:<ceo@yourcompany.com>
RCPT TO:<finance@yourcompany.com>
DATA
From: John Smith <ceo@yourcompany.com>
To: finance@yourcompany.com
Subject: Urgent wire transfer needed
Date: Mon, 25 Mar 2026 09:00:00 +0100

Please process a $47,000 transfer to the attached
account by end of day. I'm in meetings and can't talk.
.
QUIT

The MAIL FROM (envelope sender) and the From: header (display sender) can both be forged independently. Most email clients only show the From: header, making the forgery invisible to the recipient.

Attacker sends SMTPForged From: header with victim's domain

Receiving MTA acceptsNo SPF/DKIM/DMARC check, or policy is permissive

Email lands in inboxAppears to come from trusted sender

Recipient takes actionClicks link, transfers money, shares credentials

The five types of email spoofing

Type	Technique	Detection Difficulty	Common Use
Display name spoofing	Sets From: name to match target, different email address	Low	Mass phishing campaigns
Domain spoofing	Forges the exact domain in From: header	Medium	BEC, targeted impersonation
Reply-to spoofing	Sets Reply-To: to attacker address, visible From: is legitimate	Medium	Credential harvesting
Cousin domain spoofing	Registers similar domain (company-inc.com vs company.com)	High	Spear phishing, vendor fraud
Account compromise	Sends from a legitimately compromised mailbox	Very high	Internal fraud, supply chain attacks

Domain spoofing is the most dangerous because the email looks identical to a legitimate one. Without SPF, DKIM, and DMARC, there is no technical mechanism for the receiving server to distinguish it from a real email.

SPF: Sender Policy Framework

SPF (RFC 7208) lets a domain owner publish a DNS TXT record listing the IP addresses authorized to send email for that domain. When a receiving server gets an email claiming to be from yourcompany.com, it looks up the SPF record and checks whether the sending IP is authorized.

; SPF record for yourcompany.com
yourcompany.com. IN TXT "v=spf1 include:_spf.google.com include:amazonses.com ip4:203.0.113.10 -all"

; Breakdown:
; include:_spf.google.com  → Allow Google Workspace servers
; include:amazonses.com    → Allow Amazon SES (transactional email)
; ip4:203.0.113.10         → Allow this specific server
; -all                     → REJECT everything else (hard fail)

The critical detail is the -all vs ~all distinction. A hard fail (-all) tells receivers to reject unauthorized senders. A soft fail (~all) merely flags them, and most receivers still deliver to inbox. According to Valimail, 57% of domains still use ~all or no SPF at all.

SPF policy adoption across Fortune 500 (2024)

-all (hard fail, recommended)31%

~all (soft fail, weak)45%

?all (neutral, useless)8%

No SPF record16%

Source: Valimail Email Fraud Landscape Report 2024

SPF alone has a critical limitation: it only validates the envelope sender (MAIL FROM), not the header From: that users see. An attacker can pass SPF by using their own domain in the envelope while spoofing the visible From: header. This is why DKIM and DMARC are essential.

DKIM: DomainKeys Identified Mail

DKIM (RFC 6376) adds a cryptographic signature to every outgoing email. The sending server signs selected headers and the body with a private key. The public key is published in DNS. The receiving server verifies the signature, confirming two things: the email was authorized by the domain owner, and the content was not tampered with in transit.

; DKIM signature header (added by sending server)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=yourcompany.com; s=google;
  h=from:to:subject:date:message-id;
  bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
  b=AXNxP0QktZ...long base64 signature...

; DNS TXT record (public key)
google._domainkey.yourcompany.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgk..."

; Verification: receiving server fetches the public key from DNS
; and verifies the signature against the email content.

DKIM protects against content tampering and confirms domain authorization, but it does not tell the receiving server what to do when verification fails. That is where DMARC comes in.

DMARC: Domain-based Message Authentication

DMARC (RFC 7489) is the policy layer that ties SPF and DKIM together. It tells receiving servers what to do when an email fails authentication: nothing (p=none), quarantine it (p=quarantine), or reject it outright (p=reject). It also enables reporting so domain owners can see who is sending email using their domain.

; DMARC record for yourcompany.com
_dmarc.yourcompany.com. IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-rua@yourcompany.com; ruf=mailto:dmarc-ruf@yourcompany.com; pct=100"

; Breakdown:
; p=reject       → Reject emails that fail DMARC (production policy)
; sp=reject      → Same policy for subdomains
; adkim=s        → Strict DKIM alignment (d= must exactly match From:)
; aspf=s         → Strict SPF alignment (MAIL FROM must match From:)
; rua=mailto:... → Aggregate reports (daily XML summaries)
; ruf=mailto:... → Forensic reports (individual failure details)
; pct=100        → Apply policy to 100% of emails

The key concept is alignment. DMARC requires that either SPF or DKIM authenticates the domain in the visible From: header, not just the envelope sender. This closes the gap that SPF alone leaves open.

DMARC policy adoption globally (2024)

p=reject (full protection)17%

p=quarantine (partial)14%

p=none (monitoring only)28%

No DMARC record41%

Source: Valimail Q4 2024 Email Authentication Report

Only 17% of domains worldwide enforce DMARC with p=reject. This means 83% of domains are either partially protected or fully spoofable. The gap is even wider for SMBs, where DMARC adoption at enforcement level drops below 5%.

Deploying DMARC: the correct sequence

Deploying DMARC incorrectly can break legitimate email delivery. The standard approach is a phased rollout over 4 to 8 weeks:

Week 1-2: p=noneMonitor only. Collect RUA reports to identify all legitimate senders.

Week 3: Audit sendersAdd all legitimate services to SPF. Configure DKIM for each.

Week 4-5: p=quarantine pct=25Quarantine 25% of failing emails. Monitor for false positives.

Week 6: p=quarantine pct=100Full quarantine. Verify no legitimate email is being flagged.

Week 7-8: p=rejectFull enforcement. Spoofed emails are silently rejected.

Common mistakes during deployment: forgetting third-party senders (marketing platforms, CRMs, ticketing systems), not configuring DKIM for SaaS tools that send on your behalf, and jumping straight to p=reject without a monitoring period.

Beyond DMARC: BIMI and MTA-STS

BIMI (Brand Indicators for Message Identification) lets organizations display their verified logo next to authenticated emails in supporting clients (Gmail, Apple Mail, Yahoo). It requires DMARC at p=quarantine or p=reject and a Verified Mark Certificate (VMC) from a certificate authority. BIMI makes spoofing visually obvious to recipients because only authenticated emails display the brand logo.

MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) forces SMTP connections between mail servers to use TLS encryption. Without MTA-STS, an attacker performing a man-in-the-middle attack on the SMTP connection can downgrade it to plaintext and read or modify emails in transit. MTA-STS eliminates this by publishing a policy that requires TLS with valid certificates.

; MTA-STS policy (hosted at https://mta-sts.yourcompany.com/.well-known/mta-sts.txt)
version: STSv1
mode: enforce
mx: mx1.yourcompany.com
mx: mx2.yourcompany.com
max_age: 604800

; DNS record to advertise MTA-STS
_mta-sts.yourcompany.com. IN TXT "v=STSv1; id=20260325"

Real-world spoofing attacks

BECToyota Boshoku, 2019

Attackers spoofed emails from a Toyota executive to the European subsidiary's finance department, convincing them to transfer $37 million to a fraudulent account. The emails passed basic checks because the subsidiary had no DMARC enforcement. The money was never recovered.

Source: Nikkei Asia, Reuters September 2019

PHISHINGSolarWinds supply chain, 2020

The initial access vector in the SolarWinds attack used spear-phishing emails that spoofed internal Microsoft and SolarWinds domains. The attackers used cousin domains and compromised email accounts to distribute malicious updates to 18,000 organizations including U.S. government agencies.

Source: CISA Advisory AA20-352A, Microsoft MSTIC Report

VENDOR FRAUDUbiquiti Networks, 2015

Attackers impersonated an employee of a Ubiquiti subsidiary and requested fraudulent transfers totaling $46.7 million from the company's Hong Kong subsidiary. The spoofed emails mimicked internal communication patterns. Ubiquiti recovered $15 million. The remaining $31.7 million was lost.

Source: Ubiquiti SEC filing 10-Q, Krebs on Security

How to test your domain's spoofing resistance

Testing your email authentication setup is straightforward. Here are the exact commands to audit your domain:

# Check SPF record
dig TXT yourcompany.com | grep "v=spf1"

# Check DKIM (replace 'google' with your selector)
dig TXT google._domainkey.yourcompany.com

# Check DMARC record
dig TXT _dmarc.yourcompany.com

# Check MTA-STS
dig TXT _mta-sts.yourcompany.com
curl https://mta-sts.yourcompany.com/.well-known/mta-sts.txt

# Test actual email authentication (send a test email to)
# check-auth@verifier.port25.com (free, returns full auth results)
# or use: https://www.learndmarc.com (visual DMARC tester)

A complete email security audit should verify: SPF record exists with -all, DKIM is configured for all sending services, DMARC is at p=reject with reporting enabled, no orphan include: directives in SPF pointing to decommissioned services, and all subdomains are covered by sp=reject.

Complete anti-spoofing checklist

Priority	Action	DNS Record	Impact
P0	Publish SPF with -all	TXT on root domain	Blocks direct domain spoofing via SMTP
P0	Configure DKIM for all senders	TXT on selector._domainkey	Cryptographic proof of authenticity
P0	Deploy DMARC at p=reject	TXT on _dmarc subdomain	Policy enforcement on failed auth
P1	Enable DMARC reporting (rua/ruf)	Included in DMARC record	Visibility into abuse and misconfig
P1	Cover subdomains with sp=reject	Included in DMARC record	Prevents sub.company.com spoofing
P2	Deploy MTA-STS	TXT + HTTPS policy file	Forces TLS between mail servers
P2	Implement BIMI	TXT + VMC certificate	Brand verification in inbox
P3	Monitor DMARC reports weekly	N/A (operational)	Catch new unauthorized senders
P3	Audit SPF includes quarterly	N/A (operational)	Remove stale/unused includes

Is your domain spoofable?

Recon0x checks SPF, DKIM, and DMARC configuration as part of every scan. Get your free security assessment in 60 seconds.

Scan your domain free