How do spammers fake sender identities?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You get an email from "Amazon Support" saying your account is locked. The sender name looks right. The logo looks right. You click before you think. That's exactly what spammers design for, and the tricks they use are surprisingly simple once you see them.
There are three main ways spammers fake who an email appears to be from. They often combine more than one at the same time.
1. Exploiting domains with no DMARC enforcement
When a domain hasn't set up email authentication properly, anyone can claim it. A spammer configures their own mail server to put your domain in the From header. The email goes out saying it's from support@yourbank.com even though it came from a completely different server in a completely different country.
DMARC is supposed to stop this. When a domain has a DMARC policy set to "reject" or "quarantine", mailbox providers check whether the email actually came from an authorized server. If it didn't, the message gets blocked or sent to spam. But plenty of domains still run no DMARC policy at all, and spammers know exactly which ones those are.
2. Display name manipulation
This one works even against domains with decent authentication, which makes it especially sneaky. Every email has two "from" fields: the display name (what you see) and the actual email address (what your mail client usually hides). A spammer can set the display name to anything they want, say "PayPal Security Team", while the real sending address is something like noreply@totally-random-domain.net.
Most people read the display name and never look further. Mobile email clients make this worse because they often show only the name, not the address. You'd have to tap through to a second screen to see where the email actually came from (and most people don't bother).
3. Lookalike domains
And this approach sidesteps authentication entirely. Instead of faking amazon.com, the spammer registers amaz0n.com or amazon-support.net and sets up legitimate SPF, DKIM, and even DMARC records for that domain. The email passes every technical authentication check because it genuinely is sent from the domain it claims. It's just not the real Amazon.
The visual deception is the whole game here. At a glance, amaz0n.com and amazon.com look identical. The zero and the letter O are hard to tell apart in most fonts. Spammers are patient about this. They'll register dozens of variations and test which ones get the most clicks before scaling up.
Why it matters for you as a sender
If you're a legitimate sender, spammers faking your domain hurts you too. Your recipients get phishing emails pretending to be from you, your domain reputation takes a hit, and your real emails start getting treated with more suspicion. That's why locking down your own authentication isn't just about protecting your outbox. It's also about defending your identity.
Not sure if your domain is properly protected? You can check your DMARC setup with our free DMARC Generator, or run your domain through the DMARC Parser to see what your current policy actually says. If something looks off, our SOS hotline is free and we actually pick up.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.