What’s the difference between spoofing and impersonation?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Both spoofing and impersonation are about tricking someone into thinking an email came from a trusted source. But they work differently, and defending against one doesn't automatically protect you from the other.

Spoofing is a technical forgery. The attacker manipulates email headers so the message literally claims to be from your domain. If someone sends an email that says it's from captain@harborpost.net but it was sent from a completely different server with no authorization, that's spoofing. The good news is that email authentication (SPF, DKIM, and DMARC) is specifically designed to catch this. With a strict DMARC policy in place, that forged message gets rejected before it ever reaches the inbox.

Impersonation is social engineering. The attacker doesn't forge your domain at all. Instead, they use tricks like display name fraud (showing "Harbor Port CEO" with a random Gmail address behind it), lookalike domains (harb0rpost.net or harbor-post.net), or cousin domains registered specifically for the attack. Authentication passes just fine because technically the email is coming from exactly who it says it is. The deception lives in how it looks to a human, not in the headers.

Here's a quick way to see the difference in practice.

  • Spoofing: an email arrives claiming to be from ceo@yourcompany.com, sent by an attacker's server with no SPF or DKIM. DMARC rejects it.
  • Impersonation: an email arrives from ceo.yourcompany@gmail.com with the display name "CEO, Your Company." DMARC passes. Your inbox accepts it.

Both are dangerous. Spoofing tends to be the attack vector for phishing at scale, while impersonation (especially lookalike domains) is common in targeted business email compromise attacks where someone is trying to trick a specific person into wiring money or handing over credentials.

The defenses are different too. For spoofing, you want a published and enforced DMARC policy. For impersonation, you need human awareness training, secure internal processes for financial requests, and ideally some inbox-level filtering that flags suspicious lookalike senders. Neither problem has a single fix, but understanding which one you're facing is the first step to choosing the right defense.

Wondering whether your own domain is protected against spoofing right now? You can check and build your DMARC record for free, or if you're mid-incident, the SOS hotline is there (no pitch, just help).

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Assess my spoofing and impersonation risk

Based on what I just read about spoofing versus impersonation, can you help me figure out which type of attack my domain might be vulnerable to right now? Here are some details about my current setup: 1. My domain name and whether I have SPF, DKIM, and DMARC published 2. Whether I've seen suspicious emails claiming to be from my domain 3. My industry and approximate company size 4. Whether I have any lookalike or cousin domains registered defensively Given those details, please rank my risks from highest to lowest and suggest the most important things I should do first.

Edit the yellow boxes, then send to the AI of your choice.