What are the different types of spoofing (header, display name, domain)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You open an email that looks like it's from your CEO. The name checks out, the address looks right, and the message asks you to wire money urgently. But something's off. That's spoofing at work, and it comes in three distinct flavors.
Header spoofing is the most technically direct form. The attacker manipulates the From header so the full email address appears to be something like ceo@yourcompany.com, even though the email was actually sent from attacker@malicious.com. What you see in your inbox is a lie baked into the message headers themselves. This is what DMARC enforcement is designed to stop. When your domain has a DMARC policy set to reject or quarantine, mailbox providers check that the From header domain aligns with a domain that passed SPF or DKIM. If it doesn't align, the email gets blocked or sent to spam.
Display name spoofing (also called friendly name spoofing) is sneakier because the actual sending domain is authenticated. The attacker sends from a real address like ceo-notifications@gmail.com, but sets the visible display name to "CEO John Smith". On mobile especially, most email clients only show the display name, not the address underneath. So recipients see a trusted name and assume the email is legitimate.
Here's the painful part: SPF, DKIM, and DMARC don't stop display name spoofing. The sending domain passes authentication because gmail.com is a real, authenticated domain. The deception is purely visual. The best defenses are user awareness and email security gateways that flag when a display name matches an internal executive but the sending domain is external.
Domain spoofing uses your actual domain in the From address. An attacker sends as finance@yourcompany.com from their own mail servers, with no relationship to your infrastructure at all. Without DMARC enforcement on your domain, this works depressingly well. SPF alone isn't enough here (it checks the envelope sender, not the visible From header). DKIM alone isn't enough either (it signs headers, but an attacker can simply not include a DKIM signature). DMARC is the one that ties it together, requiring that at least one of SPF or DKIM passes and aligns with the From domain.
A quick comparison of what each type looks like in the inbox:
- Header spoofing: You see ceo@yourcompany.com as the sender. The email actually came from attacker@malicious.com.
- Display name spoofing: You see "CEO John Smith" as the name. The actual address is ceo-alert@gmail.com or similar.
- Domain spoofing: You see ceo@yourcompany.com and it really does say yourcompany.com. But your company never sent it.
If you want to know whether your domain is protected against header and domain spoofing, check your DMARC record. You can do that in about 30 seconds with our free DMARC parser. If you don't have one yet, our DMARC generator will build one for you. Display name spoofing is the harder one to stop technically, so if you're worried about that specifically, reach out and we'll talk through your options.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.