Does SPF prevent domain spoofing?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Short answer: no. SPF alone doesn't stop domain spoofing, and anyone telling you otherwise is selling you a false sense of security.

But Here's why. Every email has two "from" addresses, and SPF only checks one of them.

Envelope from vs header from

The envelope from (also called the Return-Path) is what mail servers use behind the scenes to route the message and send bounces. SPF validates that the sending server is allowed to send on behalf of this envelope domain.

The header from is what you actually see in your inbox. It's the "From: Your Bank <support@yourbank.com>" line.

These two can be completely different. A phisher can send an email where the envelope from is attacker@their-own-domain.com (SPF passes) and the header from is support@yourbank.com (what the victim sees). SPF happily passes the message. The recipient sees "your bank" and clicks the malicious link.

What SPF does prevent

SPF stops unauthorized servers from impersonating your domain at the envelope level. That matters for bounce handling, mailing lists, and some reputation checks. It's useful. It's just not enough to stop phishing on its own.

What actually prevents spoofing

And the answer is all three of SPF, DKIM, and DMARC working together. DMARC is the glue. It requires the visible header from domain to align with SPF or DKIM, so a phisher can't get away with mismatched from addresses anymore. Set DMARC to p=reject and the spoofed message gets dropped before the victim ever sees it.

And If you're not sure whether your domain is currently protected, paste it into our SPF checker and then check DMARC too. If your domain is actively being spoofed and you need the whole stack locked down fast, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check My Spoofing Defenses

I just read the Email Almanac entry on SPF and domain spoofing. Help me figure out whether my domain is actually protected against spoofing, or only partly protected. Walk me through: 1. Whether my SPF, DKIM, and DMARC are all set up and passing 2. Whether my DMARC policy is strict enough to stop spoofing (p=none is not enough) 3. Whether my visible header from is aligned with my authentication 4. What to do first if any piece is missing --- My details (fill in what applies): - Domain to protect: your sending domain - SPF status: passing / unknown / not set up - DKIM status: passing / unknown / not set up - DMARC status: p=none / p=quarantine / p=reject / not set up / unsure - Known spoofing or phishing incidents: yes, describe briefly / no / unsure - Primary sending platform: ESP name or self-hosted

Edit the yellow boxes, then send to the AI of your choice.