What is phishing email?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Phishing email is a fraudulent message designed to trick recipients into revealing passwords, credit card numbers, or other sensitive information. Phishing emails impersonate trusted brands (banks, tech companies, government agencies) with forged sender addresses, fake login pages, and urgent-sounding requests. Click the link, enter your credentials, and the attacker has your account.

The classic phishing email: "Your account has been locked. Click here to verify your identity." The link goes to a fake page that looks exactly like Gmail or Outlook, complete with stolen logos and matching colors. You enter your password, it gets captured, and the real damage begins.

Spear phishing is the targeted version. Instead of blasting thousands of people with generic "verify your account" emails, spear phishing focuses on a specific person using details from LinkedIn, company websites, or previous data leaks. "Hi Sarah, the Q4 budget deck you requested is attached" sounds way more believable than "Dear valued customer."

And if you're a legitimate email sender, phishing matters to you for two reasons. First, attackers constantly spoof trusted domains (yours included) to make their phishing emails look real. When someone reports a phishing email that appears to come from your domain, it damages your sender reputation even though you didn't send it. Second, mailbox providers like Google Workspace and Microsoft 365 tighten spam filters whenever phishing campaigns spike, which means your legitimate emails get caught in the crossfire.

So protecting your domain from phishing abuse requires SPF, DKIM, and DMARC. SPF lists which mail servers are allowed to send from your domain. DKIM adds a cryptographic signature that proves the email actually came from you. DMARC tells mailbox providers what to do when an email fails SPF or DKIM (quarantine it, reject it, or let it through with a warning). Without these, anyone can forge an email from your domain and you have no way to stop it.

Want to check if your domain is protected? Our free SPF checker will tell you if your SPF record is set up correctly, and our DMARC generator walks you through creating your first DMARC policy. If you're seeing phishing emails spoofing your domain and you're not sure how to lock it down, our SOS hotline is free (and we actually pick up).

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check My Domain's Phishing Protection

I read this on the Email Almanac about phishing email and how it affects legitimate senders. Help me understand how phishing impacts MY domain and sending reputation: 1. Check if my domain can be spoofed in phishing attacks (do I have SPF, DKIM, DMARC set up correctly?) 2. What happens to my sender reputation if phishing emails spoof my domain? 3. How do I monitor for phishing abuse of my domain? 4. What DMARC policy should I use (none, quarantine, or reject)? --- My details: - Domain(s): your sending domain - Current ESP: e.g. Mailchimp, SendGrid, Postmark - Have you set up SPF? yes/no/not sure - Have you set up DKIM? yes/no/not sure - Have you set up DMARC? yes/no/not sure - Are you seeing phishing emails spoofing your domain? yes/no - Current challenge: describe what prompted this question

Edit the yellow boxes, then send to the AI of your choice.