What is email spoofing?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You get an email from your CEO asking you to wire $50,000 to a new vendor. The email address looks right. The name looks right. But it wasn't sent by your CEO at all.

That's email spoofing. It's when someone fakes the sender information in an email to make it look like it came from a person or organization it didn't. The attacker manipulates what you see in the From field, the display name, or the underlying envelope address. You see a trusted name. You trust the message. That's the whole trick.

This works because email wasn't designed with identity verification in mind. When the early protocols were built, anyone could put anything in the sender fields, and nothing checked whether that claim was true. That gap still exists unless a sender has authentication records set up correctly.

Spoofing shows up in a few different flavors. Someone might spoof your bank's exact domain (noreply@yourbank.com) to steal your login. They might spoof a colleague's display name while using a completely unrelated address. Or they might register a domain that looks almost right, like yourbank-secure.com, and spoof from that. Each type uses a slightly different technique and requires a slightly different defense.

The good news is that three authentication protocols were built specifically to fight this. SPF, DKIM, and DMARC work together to let receiving mail servers verify that an email actually came from who it claims to be. Without all three in place, your domain can be spoofed by anyone, and your recipients have no technical way to know the difference.

If you're not sure whether your domain is protected, you can check your DMARC record right now with our free DMARC Generator. It takes about 30 seconds and shows you exactly what's missing.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my spoofing exposure

I want to check whether my domain is protected against spoofing. Based on my setup details, tell me: (1) which authentication records I'm missing or misconfigured, (2) which type of spoofing I'm most exposed to right now, and (3) the single most important fix I should make first. My domain is domain, my ESP is ESP name, and my current DMARC policy is none/quarantine/reject or unknown.

Edit the yellow boxes, then send to the AI of your choice.