What Is Email Spoofing and How to Prevent It
Someone Is Sending Emails "From" You
You get an alarmed message from a colleague: "Did you just email me asking for a wire transfer?" You did not. But when they show you the email, it has your name, your email address, and even your company signature. Welcome to the world of email spoofing.
Email spoofing is one of the oldest and most effective tricks in a cybercriminal's toolkit. It is also one of the most misunderstood. Many people assume that if an email shows a familiar address in the From field, it must genuinely come from that person. That assumption is exactly what attackers count on.
This guide explains what email spoofing is, why the email system makes it so easy, how to tell if an email has been spoofed, and — most importantly — how to lock down your own domain so nobody can impersonate you.
What Is Email Spoofing, Exactly?
Email spoofing is the act of forging the From address in an email so that it appears to come from someone other than the actual sender. The recipient sees a trusted name or domain in their inbox, but the message was sent by a completely different server.
Think of it like writing a fake return address on a paper envelope. The postal service does not verify that the return address is real — it just delivers the letter. Email works in a remarkably similar way.
Why Is Spoofing Even Possible?
The Simple Mail Transfer Protocol (SMTP), the backbone of email since 1982, was designed in an era when the internet was a small network of universities and research labs. Everyone knew everyone. Trust was the default.
SMTP has no built-in mechanism to verify the identity of the sender. When a mail server connects to another mail server, it announces a From address, and the receiving server simply accepts it at face value. There is no password, no certificate check, no identity verification in the base protocol.
This design flaw has persisted for over four decades. Modern authentication layers like SPF, DKIM, and DMARC were added on top of SMTP to address the problem, but they are optional. If a domain owner has not set them up, their domain is wide open for spoofing.
How Attackers Spoof Emails
There are several techniques, ranging from trivial to sophisticated:
1. Direct From Address Forgery
The simplest method. An attacker connects to an SMTP server (or uses a script) and sets any address they want, both in the envelope MAIL FROM command and in the message's From header. If the target domain has no SPF or DMARC records, many receiving servers will accept and deliver the message without question.
2. Display Name Spoofing
Instead of forging the actual email address, the attacker sets the display name to something like "John Smith - CEO" while using a completely different email address. On mobile devices especially, many email apps show only the display name, hiding the actual address. A quick glance at "John Smith - CEO" is enough to fool most people.
3. Lookalike Domains
The attacker registers a domain that looks almost identical to the real one: yourcompany.co instead of yourcompany.com, or yourcomp4ny.com with a number replacing a letter. These are called cousin or lookalike domains; when the substitution relies on visually confusable characters, it is a homograph attack. Because the attacker actually owns the domain, the email passes SPF and DKIM checks.
4. Reply-To Manipulation
The From address shows a legitimate address, but the Reply-To header points to the attacker's address. If the victim hits Reply, their response goes straight to the criminal.
What Spoofed Emails Look Like
Spoofed emails are designed to look normal. Common impersonations include:
- Your bank asking you to verify your account
- Your CEO requesting an urgent wire transfer
- A shipping company with a package tracking link
- A colleague sharing a "document" that requires you to log in
- IT support asking you to reset your password
The key feature of a spoofed email is that the From address looks legitimate. The content might be perfectly written or riddled with errors — spoofing is about the identity, not the quality of the message.
Spoofing vs. Phishing: What Is the Difference?
These terms are often used interchangeably, but they refer to different things:
- Spoofing is a technique — forging the sender identity.
- Phishing is a goal — tricking someone into revealing credentials, sending money, or installing malware.
Spoofing is one of the tools used in phishing attacks, but not the only one. A phishing email might come from a legitimate-looking but unrelated address without any spoofing at all. And spoofing can be used for purposes other than phishing, such as reputation damage or spreading misinformation.
How to Check If an Email Is Spoofed
If you suspect an email is not from who it claims to be, here is what to do:
Check the Full Email Headers
Every email contains hidden headers that show its actual path from sender to recipient. In most email clients, you can view these under "Show original," "View source," or "Message headers."
Look for these fields:
- Return-Path — The actual envelope sender. If this does not match the From address, that is a red flag.
- Received — The chain of servers the email passed through, each one adding its own line on top. The bottom-most Received header shows where the email originated, but any Received lines written before the message reached your own provider's servers can be forged by the sender; only the lines added by servers you trust are reliable.
- Authentication-Results — This shows whether the email passed SPF, DKIM, and DMARC checks.
Look for Authentication Failures
In the Authentication-Results header, you want to see:
spf=pass
dkim=pass
dmarc=pass
If you see spf=fail, dkim=fail, or dmarc=fail, the email likely did not come from the claimed sender. Some email clients show a warning banner for authentication failures, but many do not.
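The header checks above, plus the Reply-To and display-name tricks from earlier, as an added example that is not part of the original article. The message it inspects is constructed for the example (the domains, the 203.0.113.10 address and the ESMTP id are placeholders), and the check names it returns are this example's own labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): From claims the CEO; the envelope
# sender, Reply-To and Authentication-Results disagree with that claim.
SAMPLE_RAW = """Return-Path: <bounce@mail-blast.example.net>
Received: from mail-blast.example.net ([203.0.113.10]) by mx.yourcompany.example with ESMTP id CONSTRUCTED1
Authentication-Results: mx.yourcompany.example;
 spf=fail smtp.mailfrom=mail-blast.example.net;
 dkim=none;
 dmarc=fail header.from=yourcompany.example
From: "John Smith - CEO" <john.smith@yourcompany.example>
Reply-To: <john.smith.ceo@webmail.example.org>
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts

def spoofing_findings(raw):
    """Return (check, detail) pairs; an empty list means nothing looked off."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # Return-Path is the envelope sender; a different domain is the red flag from the text.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if domain_of(return_path) != from_domain:
        findings.append(("return-path-mismatch", f"{return_path} vs From {from_addr}"))
    # Reply-To manipulation: a reply would leave the From domain entirely.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(("reply-to-mismatch", f"{reply_to} vs From {from_addr}"))
    # Anything other than pass for spf/dkim/dmarc deserves a closer look.
    for method, result in auth_results(msg).items():
        if result != "pass":
            findings.append((method, f"{method}={result}"))
    return findings
```

Run `spoofing_findings(SAMPLE_RAW)` and the sample produces five findings; the same message with an aligned Return-Path, no Reply-To and three passes produces none.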
Verify Independently
If an email from your "bank" or "boss" asks you to do something sensitive, contact that person or organization through a separate channel. Call them. Visit the website directly by typing the URL rather than clicking links in the email.
How to Prevent Your Domain from Being Spoofed
If you own a domain, you have a responsibility to protect it from being used in spoofing attacks. The three pillars of email authentication are SPF, DKIM, and DMARC. Together, they tell receiving servers how to verify emails claiming to come from your domain.
Step 1: Set Up SPF
Sender Policy Framework (SPF) is a DNS record that lists which servers are allowed to send email for your domain. It is a TXT record on your domain that looks like this:
v=spf1 include:_spf.google.com -all
The -all at the end is critical. It tells receiving servers that any email from a server not on the list should hard-fail the SPF check, which most receivers treat as grounds to reject it. Many domain owners use ~all (soft fail) instead, which is weaker because it only marks unauthorized senders as suspicious rather than failing them outright.
Step 2: Set Up DKIM
DomainKeys Identified Mail (DKIM) adds a cryptographic signature to every email you send. The receiving server checks this signature against a public key published in your DNS. If the signature is valid, the email has not been tampered with and genuinely came from an authorized server.
DKIM is typically configured through your email provider or mail server. The provider generates a key pair and gives you a DNS record to publish.
Step 3: Set Up DMARC with p=reject
Domain-based Message Authentication, Reporting, and Conformance (DMARC) ties SPF and DKIM together and tells receiving servers what to do when authentication fails. A strong DMARC policy looks like this:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
The p=reject policy instructs receiving servers to reject any email that fails both SPF and DKIM alignment. Alignment means the domain in the visible From header matches the domain SPF validated (the MAIL FROM domain) or the domain in the DKIM signature (its d= tag), so a pass for some unrelated domain does not count. This is the strongest setting. Start with p=none to monitor (using the reports sent to rua), then move to p=quarantine, and finally p=reject once you are confident all legitimate email is properly authenticated.
For a detailed walkthrough of all three protocols, see our complete guide to email authentication.
How to Protect Yourself as a Recipient
Even with the best personal habits, you cannot control whether every sender has configured SPF, DKIM, and DMARC. That is where your email provider's filtering matters.
A good email filter checks authentication results on every incoming message and uses those results to decide what reaches your inbox. Cleanbox, for example, runs SPF, DKIM, and DMARC verification through Rspamd on every incoming email before it reaches your mailbox, and emails that fail these checks receive a higher spam score. On top of authentication checks, the AI classifier analyzes message content and can detect brand impersonation attempts even when the sender domain technically passes authentication, catching the lookalike domain attacks that basic checks miss.
Beyond filtering, develop these habits:
- Never click links in unexpected emails, even from known contacts
- Hover over links to check the actual URL before clicking
- Be especially suspicious of urgency ("act now," "account suspended")
- Verify sensitive requests through a different communication channel
- Keep your email client updated — newer versions show better authentication warnings
What About Domains That Do Not Send Email?
If you own a domain that should never send email (a parked domain, a redirect domain, a brand protection domain), you should still publish authentication records. In fact, it is even simpler:
SPF: v=spf1 -all
DMARC: v=DMARC1; p=reject;
This tells every receiving server: "No server is authorized to send email from this domain. Reject everything." Without these records, attackers can freely use your unused domain for spoofing.
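The records from Step 1, Step 3 and the no-mail domain case above, graded by an added checker that is not from the article or from any product it mentions. It takes the TXT record text as input (fetching it from DNS is left to the reader), and the grades it returns ("strong", "weak", "open", "missing") are this example's own labels.

```python
def grade_spf(record):
    """Grade an SPF TXT record by its terminal 'all' qualifier, as the text describes."""
    if record is None:
        return "missing", "no SPF record: any server may claim to send for this domain"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "invalid", "record does not start with v=spf1"
    qualifier = None
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    return {
        "-": ("strong", "-all: unlisted servers hard-fail"),
        "~": ("weak", "~all: unlisted servers only soft-fail"),
        "?": ("weak", "?all: unlisted servers get a neutral result"),
        "+": ("open", "+all: every server passes SPF"),
        None: ("open", "no all term: unlisted servers get a neutral result"),
    }[qualifier]

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_dmarc(record):
    """Grade a DMARC record by its p= policy and flag the usual weak spots."""
    if record is None:
        return "missing", "no DMARC record: receivers get no policy for failing mail"
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "invalid", "a DMARC record needs v=DMARC1 and a p= tag"
    policy = tags["p"].lower()
    if policy == "reject":
        grade, reason = "strong", "p=reject: mail failing alignment is refused"
    elif policy == "quarantine":
        grade, reason = "medium", "p=quarantine: failing mail is sent to spam"
    else:
        grade, reason = "weak", f"p={policy}: monitoring only, nothing is blocked"
    if "rua" not in tags:
        reason += "; no rua=, so you receive no aggregate reports"
    if tags.get("pct", "100") != "100":  # pct below 100 applies the policy to only a sample
        reason += f"; pct={tags['pct']} applies the policy to only part of the mail"
    return grade, reason
```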
The Bottom Line
Email spoofing exists because SMTP was built on trust, and trust does not scale to a global network of billions of users. The good news is that the tools to fight it are mature and free to implement. SPF, DKIM, and DMARC together form a strong defense for your domain. As a recipient, use an email provider that checks authentication results and applies intelligent filtering.
The single most impactful thing you can do today: check your domain's DMARC record. If you do not have one, or if it is set to p=none, you are leaving the door open. Move to p=reject and close it.