How do ESPs detect spoofed senders?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine someone sends thousands of emails claiming to be from captain@deepcurrent.io, but they've never set foot in your ESP account. How does your ESP even know something's wrong? It turns out, there are several layers of detection working together before a single spoofed message makes it through.

The first layer is authentication. When you add a domain to an ESP, they ask you to publish specific DNS records that prove you control that domain. SPF tells receiving servers which IP addresses are allowed to send on your behalf. DKIM adds a cryptographic signature to every outgoing message. DMARC tells receiving servers what to do when either of those checks fails. If someone tries to send from your domain without those records in place, or if the records don't match the sending source, the message fails authentication immediately.

But authentication alone doesn't catch everything. ESPs also watch behavioral signals in real time. A brand-new account suddenly sending 50,000 emails in an hour raises a flag. So does a domain that's never sent before suddenly blasting high-volume campaigns. ESPs build a baseline for each account over time, and anything that deviates sharply from that baseline gets flagged for review or held for manual approval.

Then there's content analysis. Spoofed campaigns often borrow subject lines, logos, and copy from real brands. ESPs compare message content against known phishing templates and spam patterns. If your email looks suspiciously similar to a well-known brand you're not affiliated with, that's another red flag.

Abuse detection pulls it all together. ESPs track things like complaint rates, the age of the sending domain, the ratio of new subscribers to previous engagement history, and whether the IP address used has appeared on known blocklists like Spamhaus. A genuinely spoofed sender will usually fail several of these checks at once, which is what triggers account suspension or message blocking.

Worth noting: these systems aren't perfect. Weak authentication setups can let some spoofed messages slip through, especially display-name spoofing, where the From name looks legitimate but the actual sending address is completely different. That's why a full SPF, DKIM, and DMARC setup on your own domain matters so much.

If you want to check whether your domain's authentication is set up in a way that would actually hold up against these detection layers, our free SPF checker is a good starting point. Or if something feels off right now, the SOS hotline is free and we actually pick up.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my spoofing vulnerabilities

Based on how ESPs detect spoofed senders, review my current sending setup and tell me which detection layers I might be vulnerable to. My domain is domain, my ESP is ESP name, and I have/haven't set up SPF, DKIM, and DMARC. Give me a ranked list of the biggest risks and what I should fix first.

Edit the yellow boxes, then send to the AI of your choice.