How can attackers misuse my brand in email?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine a customer gets an email that looks exactly like it's from you. Same logo, same colors, same tone. They click a link, enter their password, and hand their credentials straight to an attacker. That email never touched your servers. You had no idea it was sent.
This is brand misuse in email, and it happens in three distinct ways. Each one works differently, and each requires a different response.
Domain spoofing
This is where an attacker sends email that appears to come from your exact domain. Think captain@deepcurrent.io in both the display name and the actual sending address. If you haven't locked down DMARC with a p=reject or p=quarantine policy, mailboxes have no instruction to block those messages. They arrive looking completely legitimate.
This is the most dangerous attack vector because your real domain's reputation is what makes the email trusted. The good news is that it's also the most preventable. SPF, DKIM, and DMARC together give mailbox providers a way to verify that mail from your domain actually came from you. Without all three in place, you're leaving the door wide open.
Lookalike domains
Here, the attacker doesn't touch your domain at all. They register something close: deepcur1ent.io, deepcurrrent.io, or even a homoglyph swap where a character looks identical but isn't. They set up their own authentication (passing SPF and DKIM perfectly) and send email that looks like it's from your brand.
DMARC can't help you here, because these are legitimately registered domains sending authenticated mail. The attacker owns them. Your only real defenses are monitoring for typosquatting registrations so you catch them early, and training your audience to check sender domains carefully.
Visual impersonation
Still this one doesn't even need a lookalike domain. An attacker copies your logo, your color palette, your email template, and sends from a completely unrelated domain. Recipients recognize your branding and don't think to check where the email actually came from. (Most people don't, honestly.)
This is the hardest to stop technically. Your authentication records do nothing here because the attacker isn't claiming to be your domain. Defenses include watermarking assets, BIMI adoption to reinforce your verified sender identity, and reporting phishing emails that misuse your brand.
Which threat should you focus on first?
Start with domain spoofing. It's the most immediate risk and the most fixable. Getting your DMARC policy to enforcement stops spoofing of your exact domain cold. After that, set up BIMI to make your verified sender identity visible in supported inboxes. Then layer in domain monitoring to catch lookalikes before they do damage.
Not sure where your authentication currently stands? You can check your DMARC record right now with our free DMARC parser. Or if things feel urgent, the SOS hotline is free.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.