QUICK ANSWER
To prevent email spoofing, set up SPF to authorise your mail servers, configure DKIM to sign outgoing emails, and implement DMARC with a quarantine or reject policy. Together these three records tell receiving servers which emails genuinely came from your domain and which to block or flag as suspicious.
Email spoofing is when someone sends an email that appears to come from your domain but didn't. It's trivially easy to do — the SMTP protocol doesn't verify the sender's identity. Without proper protections, anyone in the world can send emails that look exactly like they came from your business.
The consequences can be severe: phishing attacks targeting your customers, fraudulent payment requests to your suppliers, damaged brand reputation, and potential legal liability.
Email spoofing exploits a fundamental weakness in the SMTP protocol. The "From" address in an email is just a text field — like writing any return address on an envelope. There's no built-in verification that the sender actually owns or controls that domain.
An attacker can set up a simple script in minutes that sends emails appearing to come from your domain. If your domain has no email authentication records, receiving servers have no way to tell the difference between a genuine email from you and a spoofed one.
An attacker spoofs your domain to send phishing emails to your customers. The email looks like it's from you — same domain, same branding, professional tone. It might contain a link to a fake login page, a request to update payment details, or a fraudulent invoice. Your customers trust the email because it appears to come from your legitimate domain.
Even if the spoofed emails are caught by spam filters, your domain's sender reputation takes a hit. The more spoofing occurs, the more likely your own legitimate emails will be filtered as spam. It creates a cycle that's hard to recover from.
Under GDPR, you have a responsibility to implement "appropriate technical measures" to protect personal data. If your domain is spoofed and it leads to a data breach affecting your customers, you may face regulatory scrutiny from the ICO. The NCSC recommends implementing SPF, DKIM, and DMARC as basic email security measures.
Create an SPF record that lists all the mail servers authorised to send emails from your domain. This is a TXT record in your DNS.
First, make a complete list of every service that sends emails on behalf of your domain:
Then create your SPF record:
yourdomain.co.uk. IN TXT "v=spf1 include:_spf.google.com include:mailchimp.com ~all"
Use ~all (softfail) initially, then move to -all (hardfail) once you've confirmed all legitimate senders are included. Never use +all — it defeats the entire purpose of SPF.
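The qualifier rules above, together with SPF's limit of 10 DNS-querying mechanisms per evaluation (RFC 7208), can be checked before you publish the record. This is an added example, not part of the original guide: a static linter over the record text that does not resolve DNS, so lookups hidden inside nested includes are not counted.

```python
# Mechanisms and modifiers that each cost one DNS lookup under the RFC 7208
# limit of 10 per SPF evaluation (ip4, ip6 and all cost nothing).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def lint_spf(record: str) -> dict:
    """Static check of one SPF TXT record. No DNS resolution is done, so
    lookups inside nested includes are not counted. Returns the qualifier
    on 'all', the lookup count and a list of readable problems."""
    terms = record.strip().split()
    problems = []
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must start with v=spf1")
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        if "=" in term:
            # Modifier: name=value (redirect=, exp=); redirect costs a lookup
            name = term.split("=", 1)[0].lower()
        else:
            # Mechanism: [qualifier]name[:value][/prefix]; default qualifier is +
            qualifier = term[0] if term[0] in "+-~?" else "+"
            name = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()
            if name == "all":
                all_qualifier = qualifier
        if name in LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        problems.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_qualifier == "+":
        problems.append("+all authorises every host on the internet")
    elif all_qualifier == "?":
        problems.append("?all is neutral: enforce with ~all or -all")
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return {"all": all_qualifier, "lookups": lookups, "problems": problems}
```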
DKIM adds a cryptographic signature to every outgoing email. Even if someone spoofs your domain, they can't produce a valid DKIM signature because they don't have your private key.
Most email providers generate the DKIM record for you. Here's the process:
For services like Mailchimp or SendGrid, you'll need to set up DKIM separately for each platform. Each service uses a different selector, so they don't conflict.
Choose a key length of at least 2048 bits. 1024-bit keys are still common but are increasingly considered insufficient. Rotate your DKIM keys annually as a security best practice.
DMARC is the enforcement layer. It tells receiving servers what to do when an email from your domain fails SPF or DKIM checks. Without DMARC, receiving servers decide for themselves whether to deliver, quarantine, or reject failed emails — and most default to delivering them.
Start with a monitoring-only policy. This won't affect email delivery but will start generating reports that show you exactly what's happening:
_dmarc.yourdomain.co.uk. IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; pct=100"
Run this for at least 2-4 weeks. Review the reports to understand:
Once you've verified that all legitimate senders are passing authentication, move to quarantine mode:
_dmarc.yourdomain.co.uk. IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100"
Emails that fail authentication will be sent to spam folders instead of being delivered. Monitor this phase carefully — if any legitimate emails start going to spam, you've missed a sender in your SPF record.
Once you're confident everything is working, move to full enforcement:
_dmarc.yourdomain.co.uk. IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100"
Failed emails are rejected outright. This provides the strongest protection against spoofing — attackers can't even get their emails delivered to spam folders.
DMARC aggregate reports are XML files sent daily by receiving servers. They contain a wealth of information about who's sending email from your domain. Key things to look for:
Services like DMARC Analyzer, Valimail, and EasyDMARC can parse these reports into readable dashboards. Some offer free tiers for single domains.
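To show what those dashboards are doing underneath, here is an added example (not from the original guide) that reads one aggregate report with Python's standard library and sorts each sending source into three buckets: aligned (passes DMARC), third_party (authenticates only under some other domain, the missing-vendor case) and unauthenticated (nothing passes, the likely spoofing source). The report XML, IP addresses and vendor names are constructed; the element names follow the RFC 7489 aggregate report schema.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (RUA) report, trimmed to the elements this
# summary reads; real reports arrive zipped and run to many records.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>constructed-001</report_id></report_metadata>
 <policy_published><domain>yourdomain.co.uk</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.co.uk</header_from></identifiers>
  <auth_results><dkim><domain>yourdomain.co.uk</domain><result>pass</result></dkim>
   <spf><domain>yourdomain.co.uk</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.55</source_ip><count>30</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.co.uk</header_from></identifiers>
  <auth_results><dkim><domain>crm-vendor.example</domain><result>pass</result></dkim>
   <spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.9</source_ip><count>500</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.co.uk</header_from></identifiers>
  <auth_results><spf><domain>bulk-host.example</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""


def summarise_report(xml_text: str) -> dict:
    """Bucket each row as aligned (passes DMARC), third_party (authenticates
    only under another domain: a vendor missing from your SPF/DKIM setup) or
    unauthenticated (nothing passes: the likely spoofing source)."""
    root = ET.fromstring(xml_text)
    out = {"domain": root.findtext("policy_published/domain"),
           "policy": root.findtext("policy_published/p"),
           "aligned": [], "third_party": [], "unauthenticated": []}
    for rec in root.findall("record"):
        row = {"ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count"))}
        # policy_evaluated carries the *aligned* results DMARC actually used
        aligned = "pass" in (rec.findtext("row/policy_evaluated/dkim"),
                             rec.findtext("row/policy_evaluated/spf"))
        # auth_results carries raw SPF/DKIM outcomes, whichever domain they were for
        row["passing_domains"] = sorted({a.findtext("domain") for a in
                                         rec.findall("auth_results/*") if a.findtext("result") == "pass"})
        bucket = "aligned" if aligned else ("third_party" if row["passing_domains"] else "unauthenticated")
        out[bucket].append(row)
    return out
```

A source in third_party is the situation described in the troubleshooting notes: the vendor authenticates, but not as your domain, so it fails DMARC until it is added to your SPF record or signs with your DKIM key.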
The most common reason DMARC deployment fails is forgetting to include all third-party services. If your CRM sends emails from your domain but isn't included in your SPF record and doesn't DKIM-sign with your domain, those emails will fail DMARC. Go through every service that sends email on your behalf and ensure each one is properly authenticated.
By default, DMARC applies to subdomains too. If you have subdomains that send email (e.g. notifications.yourdomain.co.uk), they need their own SPF and DKIM configuration. If a subdomain doesn't send email, consider adding a separate DMARC record for it with p=reject.
Emails forwarded by mailing lists or alias forwarders often break SPF (because the forwarding server isn't in your SPF record). DKIM usually survives forwarding, so having both SPF and DKIM gives you the best chance of passing DMARC. If DKIM is set up correctly, forwarded emails should still authenticate.
Before moving to enforcement, test your setup:
The NCSC provides additional guidance on email security at ncsc.gov.uk/guidance/email-security.
For a deeper explanation of how these three records work together, see our guide on what SPF, DKIM, and DMARC are. If your emails are already landing in spam, our guide on why business emails go to spam covers the full range of causes and fixes.