Spoofing and Phishing — Defending with Email Authentication

· 6 min read · Tomas Hojgr · email-security

What Is Email Spoofing

Email spoofing is a technique where an attacker forges the sender address in an email. The recipient sees a trusted domain in the "From" field — your company, a bank, a supplier — even though the message was sent by someone else entirely.

This is possible because SMTP (Simple Mail Transfer Protocol), designed in 1982, includes no mechanism for verifying sender identity. Anyone can send an email with any address in the "From" header. This is exactly why authentication protocols SPF, DKIM, and DMARC were created.

How Attackers Use Spoofing

Spoofing itself is just a technical method — forging an address. Phishing is the fraudulent strategy that often leverages spoofing to achieve its goal. In practice, you'll encounter several types of attacks:

Bulk Phishing

An attacker sends thousands of emails that appear to come from a bank or service provider. The goal is to steal login credentials or credit card numbers. These attacks rely on volume — even a small success rate is enough.

Spear Phishing

A targeted attack on a specific individual. The attacker researches the target's name, position, and colleagues, then crafts a personalized email that looks like internal communication. AI tools now enable generating convincing personalized messages at scale.

BEC (Business Email Compromise)

BEC is the most costly form of email fraud. The attacker impersonates company leadership, a vendor, or a business partner and requests a wire transfer, a change in banking details, or access to sensitive documents. According to the FBI, BEC attacks have caused global losses exceeding $55 billion.

CEO Fraud

A specific variant of BEC where the attacker impersonates a CEO or executive and asks an employee (typically in accounting or finance) for an urgent transfer. The spoofed sender address lends the request apparent legitimacy.

Why SPF and DKIM Alone Aren't Enough

SPF and DKIM are foundational authentication protocols, but each has limitations:

SPF (RFC 7208) verifies whether the sending server is authorized to send email on behalf of a domain. However, it checks the address in the SMTP envelope (envelope sender), not the "From" header the recipient sees. An attacker can have valid SPF for their own domain while spoofing a different address in the "From" header.

DKIM (RFC 6376) adds a cryptographic signature to the email, verifying message integrity and the signing domain. But like SPF, the signing domain (the d= tag of the signature) doesn't have to match the domain in the "From" header.

Both technologies verify, but neither tells the recipient what to do when verification fails. An email can pass SPF for one domain, carry a DKIM signature from another domain, and display a third domain in the "From" header. Without DMARC, this is entirely legitimate.

How DMARC Closes the Gap

DMARC (RFC 7489) solves exactly this problem. It adds two critical capabilities:

Alignment — Linking Authentication to the From Header

DMARC requires that the domain which passed SPF or DKIM verification matches the domain in the "From" header (identifier alignment). This eliminates the scenario where an email passes technical checks but the sender address is forged.

Policy — Instructions for Receivers

The domain owner publishes a DNS record that tells receiving servers what to do with unauthenticated emails:

Policy          Effect
p=none          Monitor only — emails are delivered
p=quarantine    Unauthenticated emails go to spam
p=reject        Unauthenticated emails are rejected at SMTP level

Example DMARC record with maximum protection:

_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:example.com@rua.spfmonitor.com"

The address example.com@rua.spfmonitor.com routes DMARC reports to SPF Monitor, which automatically processes and visualizes them. No need to manually parse XML files.
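As an added example (not SPF Monitor's code), the Python below parses a DMARC record like the one above, applies identifier alignment to the SPF and DKIM results, and returns the disposition a receiver would apply. It covers both the "three different domains" case from the previous section and a legitimate provider relay that aligns through DKIM. The domains and results are constructed; the organizational-domain shortcut (last two labels instead of the Public Suffix List) is an assumption, and the pct= tag is parsed but not applied.

```python
"""DMARC evaluation: record parsing, identifier alignment, disposition.

Added example, not SPF Monitor's code. Domains, results and the policy
record below are constructed for illustration; the organizational-domain
shortcut (last two labels) is an assumption that ignores the Public
Suffix List, and the pct= sampling tag is parsed but not applied.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    if tags["sp"] is None:
        tags["sp"] = tags["p"]  # subdomain policy defaults to the domain policy
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC5322.From header the recipient sees
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # envelope sender (MAIL FROM) domain that SPF checked
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the DKIM signature


def dmarc_pass(r: AuthResults, policy: dict) -> bool:
    """DMARC passes when SPF or DKIM both passed AND aligns with From."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, policy["adkim"])
    return spf_ok or dkim_ok


def disposition(r: AuthResults, policy: dict) -> str:
    """Receiver action: 'deliver', 'quarantine' or 'reject'."""
    if dmarc_pass(r, policy):
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]


EXAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:example.com@rua.spfmonitor.com"

# Constructed: the case from the article. SPF passes for the attacker's own
# envelope domain, DKIM is signed by a third domain, From shows example.com.
SPOOFED = AuthResults(
    from_domain="example.com",
    spf_result="pass", spf_domain="attacker-mailer.invalid",
    dkim_result="pass", dkim_domain="bulk-sender.invalid",
)

# Constructed: legitimate mail relayed by a provider. The envelope domain is
# the provider's, but the DKIM key lives under example.com (relaxed alignment).
LEGIT = AuthResults(
    from_domain="example.com",
    spf_result="pass", spf_domain="bounce.provider.invalid",
    dkim_result="pass", dkim_domain="mail.example.com",
)

if __name__ == "__main__":
    pol = parse_dmarc_record(EXAMPLE_RECORD)
    print("spoofed message :", disposition(SPOOFED, pol))  # reject
    print("legit message   :", disposition(LEGIT, pol))    # deliver
```

The point to notice is that the spoofed message has two technically valid "pass" results and is still rejected: neither of the authenticated domains aligns with the domain the recipient sees, which is exactly the gap DMARC closes.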

Three Layers of Defense in Practice

Complete spoofing protection requires all three protocols. Each covers a different part of the problem:

Layer   Protocol   What It Protects
1       SPF        Verifies the sending server is authorized
2       DKIM       Verifies message integrity and signature origin
3       DMARC      Enforces alignment, sets policy, provides reporting

Without SPF, you have no control over who sends email from your domain. Without DKIM, you can't prove a message wasn't altered in transit. Without DMARC, you have no way to make receiving servers reject forged emails.

What Authentication Won't Solve

Email authentication has clear boundaries. Understanding them is essential so you can build additional layers of defense:

Look-alike Domains

DMARC only protects your own domain. An attacker can register examp1e.com or example-inc.com and send emails with valid authentication. Defense against this type of attack requires monitoring for similar domain registrations and employee awareness training.
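Monitoring for similar registrations can be partly automated. The Python below is an added example (not SPF Monitor's code) that folds common digit-for-letter substitutions, then uses edit distance and a token check to explain why a sender domain resembles the protected one; run it over the distinct sender domains seen in mail logs or a feed of new registrations. The sender list is constructed, and registrable_label() assumes a plain two-label TLD such as .com rather than a Public Suffix List lookup.

```python
"""Flagging look-alike domains against a protected domain.

Added example, not SPF Monitor's code: folds common digit/letter
substitutions, then uses edit distance and token checks to explain why a
sender domain resembles the protected one. The sender list is constructed;
registrable_label() assumes a plain two-label TLD such as .com.
"""
from typing import Optional

# Visually similar substitutions seen in typo-squats; multi-character
# sequences are folded after the single characters.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def fold(label: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    s = label.lower()
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """'example' for 'mail.example.com' (assumes a plain TLD, no PSL lookup)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reason(candidate: str, protected: str) -> Optional[str]:
    """Why `candidate` resembles `protected`, or None if it does not."""
    cand, prot = candidate.lower().rstrip("."), protected.lower().rstrip(".")
    if cand == prot or cand.endswith("." + prot):
        return None  # the protected domain itself or a genuine subdomain
    brand, label = registrable_label(prot), registrable_label(cand)
    if label != brand and fold(label) == brand:
        return "homoglyph substitution"
    if edit_distance(fold(label), brand) == 1:
        return "one edit away (typo-squat)"
    words = [w for w in label.replace("_", "-").split("-") if w]
    if brand in words and len(words) > 1:
        return "brand combined with an extra word"
    return None


def scan_senders(sender_domains, protected: str) -> dict:
    """Map each look-alike sender domain to the reason it was flagged."""
    hits = {}
    for d in sender_domains:
        reason = lookalike_reason(d, protected)
        if reason:
            hits[d] = reason
    return hits


# Constructed: distinct sender domains as they might appear in mail logs
SENDERS = ["example.com", "mail.example.com", "examp1e.com",
           "example-inc.com", "exmple.com", "unrelated.org"]

if __name__ == "__main__":
    for domain, reason in scan_senders(SENDERS, "example.com").items():
        print(f"{domain:20} {reason}")
```

A hit from this check is a lead for review, not proof of abuse: a flagged domain still has to be looked at (who registered it, whether it has MX records, whether it appears in incoming mail) before anything is blocked.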

Compromised Accounts

If an attacker gains access to a legitimate email account (through stolen credentials or phishing), they send emails directly from an authorized server. SPF, DKIM, and DMARC checks all pass. The defense is multi-factor authentication (MFA) and monitoring for unusual behavior.

Display Name Spoofing

An attacker sets the display name to "John Smith john@example.com" while the actual address is different. Less attentive recipients won't notice the difference. DMARC doesn't address this type of fraud — it checks the domain in the "From" header, not the display name.
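Because DMARC never looks at the display name, this pattern has to be caught by the receiving side or a mail gateway. The Python below is an added example (not SPF Monitor's code) that inspects a From: header value and flags a display name that embeds an address from a different domain than the real sender, or that carries a trusted brand while the real address is elsewhere. It uses a minimal name-addr splitter instead of email.utils.parseaddr, because parseaddr's handling of malformed headers changed across Python versions; the sample headers are constructed.

```python
"""Flagging display-name spoofing in From: headers.

Added example, not SPF Monitor's code. A minimal name-addr splitter is
used instead of email.utils.parseaddr because parseaddr's handling of
malformed headers changed across Python versions; production code should
use the email library's header parser. Sample headers are constructed.
"""
import re

NAME_ADDR = re.compile(r'^\s*(?P<display>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$')
# Anything shaped like user@domain that appears inside the display name
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", re.ASCII)


def split_from(raw_from: str) -> tuple:
    """Return (display name, address) for 'Name <addr>', or ('', addr)."""
    m = NAME_ADDR.match(raw_from)
    if m:
        return m.group("display").strip().strip('"').strip(), m.group("addr")
    return "", raw_from.strip()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_from_header(raw_from: str, trusted_domains: set) -> dict:
    """Verdict on one From: value. Flags what DMARC cannot see:
      - the display name embeds an address from a different domain than
        the real sender ('John Smith john@example.com' <x@other>),
      - the display name carries a trusted brand while the real address
        is on an unrelated domain (weaker signal, listed separately).
    """
    display, address = split_from(raw_from)
    real_domain = domain_of(address)
    findings = []
    for claimed in EMBEDDED_ADDR.findall(display):
        if claimed.lower() != real_domain:
            findings.append(f"display name claims {claimed}, real sender domain is {real_domain}")
    tokens = set(re.findall(r"[a-z0-9]+", display.lower()))
    for td in trusted_domains:
        brand = td.split(".")[0]
        if brand in tokens and real_domain != td and not real_domain.endswith("." + td):
            findings.append(f"display name mentions '{brand}' but sender domain is {real_domain}")
    return {"address": address, "domain": real_domain,
            "suspicious": bool(findings), "findings": findings}


# Constructed samples; the first is the pattern described in the article.
SAMPLES = [
    'John Smith john@example.com <random.user@freemail.invalid>',
    '"Example Corp Accounting" <accounting@freemail.invalid>',
    'John Smith <john@example.com>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict = check_from_header(s, {"example.com"})
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {s}")
        for f in verdict["findings"]:
            print("           -", f)
```

The first rule is a strong signal (there is no legitimate reason for a display name to contain a foreign address); the brand rule will also fire on partners and customers who mention your company name, so it is better used to add a visual warning for the recipient than to block outright.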

Getting Started — A Practical Approach

If you don't yet have complete email authentication, follow these steps:

  1. Check your current status: analyze your domain to identify what's missing.
  2. Set up SPF — include all servers and services that send email on behalf of your domain. See How to Create an SPF Record for the full walkthrough.
  3. Enable DKIM — for every sending service. See How to Set Up DKIM for detailed instructions.
  4. Deploy DMARC — start with p=none and route reports to SPF Monitor. See How to Set Up DMARC for the step-by-step guide.
  5. Analyze reports — after a few weeks of data collection, review your DMARC reports and identify all legitimate senders.
  6. Tighten the policy — gradually move to p=quarantine and then p=reject.
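Step 5 is where most of the work sits, so here is an added example (not SPF Monitor's code) of what "analyze reports" means in practice: the Python below parses an RFC 7489 aggregate (rua) report with the standard library, groups message counts by source IP, and classifies each source as aligned, authenticated but not aligned (a real service that needs its DKIM key or SPF include fixed), or unauthenticated. Anything not aligned would be quarantined or rejected after step 6, so it must be resolved first. The report XML is constructed, not a report from a real receiver.

```python
"""Summarising a DMARC aggregate (rua) report before tightening the policy.

Added example, not SPF Monitor's code: parses the RFC 7489 aggregate
report XML with the standard library and groups message counts by source
IP and alignment outcome, so unknown or misconfigured senders stand out.
The report below is constructed, not a report from a real receiver.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.invalid</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>crm-provider.invalid</domain><result>pass</result></dkim>
      <spf><domain>crm-provider.invalid</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>4</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>203-0-113-99.dyn.invalid</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""

STATUS_RANK = {"aligned": 0, "authenticated, not aligned": 1, "unauthenticated": 2}


def node_text(el, path, default=""):
    node = el.find(path)
    return node.text.strip() if node is not None and node.text else default


def summarize_report(xml_text: str) -> dict:
    """Group rows by source IP with the best alignment status seen per IP."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": node_text(root, "report_metadata/org_name"),
        "domain": node_text(root, "policy_published/domain"),
        "policy": node_text(root, "policy_published/p"),
        "sources": {},
    }
    for rec in root.findall("record"):
        ip = node_text(rec, "row/source_ip")
        count = int(node_text(rec, "row/count", "0"))
        # policy_evaluated carries the *aligned* SPF/DKIM verdicts DMARC acts on
        is_aligned = "pass" in (node_text(rec, "row/policy_evaluated/dkim"),
                                node_text(rec, "row/policy_evaluated/spf"))
        auth = rec.find("auth_results")
        raw = [(node_text(r, "domain"), node_text(r, "result"))
               for r in (auth if auth is not None else [])]
        if is_aligned:
            status = "aligned"
        elif any(res == "pass" for _, res in raw):
            # a real service authenticates, but with its own domain: fix the
            # DKIM key / SPF include so its identifiers align with the From domain
            status = "authenticated, not aligned"
        else:
            status = "unauthenticated"  # unknown server or a spoofing attempt
        entry = summary["sources"].setdefault(
            ip, {"count": 0, "status": status, "auth_domains": set()})
        entry["count"] += count
        if STATUS_RANK[status] < STATUS_RANK[entry["status"]]:
            entry["status"] = status
        entry["auth_domains"].update(d for d, _ in raw if d)
    return summary


def senders_to_review(summary: dict) -> list:
    """Non-aligned sources, largest first. Each would be quarantined or
    rejected once the policy moves to p=quarantine / p=reject, so it must be
    fixed (legitimate sender) or confirmed as abuse before tightening."""
    todo = [(ip, e) for ip, e in summary["sources"].items() if e["status"] != "aligned"]
    return sorted(todo, key=lambda item: -item[1]["count"])


def total_messages(summary: dict) -> int:
    return sum(e["count"] for e in summary["sources"].values())


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['reporter']} report for {s['domain']} (p={s['policy']}), "
          f"{total_messages(s)} messages")
    for ip, e in senders_to_review(s):
        print(f"  {ip:16} {e['count']:5}  {e['status']:28} {sorted(e['auth_domains'])}")
```

In the constructed report, 192.0.2.10 is the company's own mail server and needs nothing; 198.51.100.7 is a CRM provider that signs with its own domain, so it should be given a DKIM key under example.com (or an SPF include) before step 6; and 203.0.113.99 sends a handful of unauthenticated messages claiming to be example.com, which is the traffic a p=reject policy will finally stop.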

Major Provider Requirements

Google, Yahoo, and Microsoft tightened email authentication requirements in 2024–2025:

  • All senders must have valid SPF or DKIM.
  • Bulk senders (over 5,000 messages per day) must have SPF, DKIM, and DMARC.
  • Microsoft requires full authentication from May 2025 for senders targeting Outlook.com, Hotmail.com, and Live.com — emails without valid SPF, DKIM, and DMARC may be rejected.

Without proper authentication, you risk not only a security incident but also deliverability problems with your regular business emails.

Authentication as the Foundation of Email Security

Spoofing and phishing remain among the most prevalent cyber threats. Email authentication through SPF, DKIM, and DMARC is the most effective technical defense available to domain owners. It's not a one-time setup — it requires ongoing monitoring, report analysis, and responding to changes.

Check your domain's security to see how well you're protected against spoofing.
