What Is Email Spoofing and How to Stop It
Email spoofing is the practice of sending email with a forged sender address to make it appear to come from a trusted source. The SMTP protocol was designed without any sender verification mechanism, making spoofing technically straightforward. Attackers use it for phishing, BEC fraud, vendor impersonation, and brand abuse. The FBI IC3 recorded over $2.9 billion in BEC losses from spoofed email attacks in 2023.
If your customers keep receiving phishing emails that appear to come from your company, or a supplier was deceived by a spoofed invoice claiming to be from you, the problem is almost certainly email spoofing. This guide explains how it works, why DMARC alone is not enough to stop it, and what steps close the gaps that technical controls leave open.
What Is Email Spoofing?
Email spoofing is the act of sending email with a forged sender address to make the message appear to originate from a trusted source. The SMTP protocol, designed in 1971, has no built-in mechanism to verify that a sender is who they claim to be. Anyone with access to a mail server can specify any value in the From field without authentication.
Attackers exploit this to send email appearing to come from a colleague, supplier, bank, or major brand. The goal is to deceive the recipient into transferring funds, clicking a malicious link, or disclosing credentials. According to Valimail, approximately 40% of domains globally have DMARC published, leaving the majority fully vulnerable to exact domain spoofing in 2026. For context on how email spoofing fits the full threat picture, see The Complete Guide to Email Security.
How Does Email Spoofing Work Technically?
Email spoofing exploits the gap between two distinct sender fields in every email message.
The envelope sender, also called the Return-Path or MAIL FROM, is the technical delivery address used by mail servers during transmission. It handles bounce notifications and is typically invisible to the end user in their email client.
The header From address is what recipients see when they open an email. This is the display name and email address shown as the sender. Attackers forge this field because it is the only one most users look at.
A practical example: an attacker sets MAIL FROM to an address on a domain they legitimately control but sets the visible From header to display the CEO’s name and company email address. The email arrives looking exactly like an internal message from leadership. Most email clients show only the From header and hide the underlying mismatch entirely.
Display name spoofing takes this further by using a misleading name, such as “John Smith CEO,” while actually sending from a legitimate but completely different email address. No domain is forged. The real sending domain passes all authentication checks because it is genuine.
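The two indicators described above (an envelope sender on a different domain from the visible From header, and an executive's name on a display name attached to an external address) can be checked mechanically. The following is an added example, not code from the original article: it parses two constructed messages with Python's standard email library, compares Return-Path against From, reads the Authentication-Results verdicts, and flags both spoofing patterns. The protected domain list, the executive name list and both sample messages are assumptions made for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): the envelope sender (Return-Path) sits on a
# domain the attacker controls, while the visible From header shows the CEO's address.
SPOOFED_FROM_HEADER = """\
Return-Path: <bounce@attacker-controlled.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=attacker-controlled.example; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe, CEO" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed sample: display name spoofing from a free-mail account. Nothing is forged,
# so SPF, DKIM and DMARC all pass for gmail.com; only the display name is misleading.
SPOOFED_DISPLAY_NAME = """\
Return-Path: <jane.doe.ceo@gmail.com>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com
From: "Jane Doe CEO" <jane.doe.ceo@gmail.com>
To: finance@example.com
Subject: Quick favour

Are you at your desk?
"""

# Assumptions for the demo: the organisation's own domains and the executive names worth protecting.
PROTECTED_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe"}


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def parse_auth_results(header_value):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header_value, re.I)
    return {method.lower(): result.lower() for method, result in pairs}


def analyze_message(raw):
    """Compare envelope sender, header From and authentication results; return the indicators found."""
    msg = message_from_string(raw)
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    display_name, header_from = parseaddr(msg.get("From", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    envelope_domain, from_domain = domain_of(envelope), domain_of(header_from)

    findings = []
    # The gap the article describes: MAIL FROM on one domain, visible From on another.
    if envelope_domain and envelope_domain != from_domain:
        findings.append("envelope/header domain mismatch")
    # Our own domain in the From header but the receiver recorded a DMARC failure.
    if from_domain in PROTECTED_DOMAINS and auth.get("dmarc") == "fail":
        findings.append("dmarc fail on protected domain (exact domain spoofing)")
    # An executive's name on the display name while the address is outside our domains.
    normalized_name = re.sub(r"[^a-z ]", " ", display_name.lower())
    if any(name in normalized_name for name in EXECUTIVE_NAMES) and from_domain not in PROTECTED_DOMAINS:
        findings.append("executive display name on external domain (display name spoofing)")

    return {
        "display_name": display_name,
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "auth": auth,
        "findings": findings,
    }


if __name__ == "__main__":
    for raw in (SPOOFED_FROM_HEADER, SPOOFED_DISPLAY_NAME):
        report = analyze_message(raw)
        print(report["from_domain"], report["auth"], report["findings"])
```

The second message is the case the article stresses: every authentication check passes because gmail.com really did send it, so the only signal left is the display name, which is why a mail gateway needs a name-to-domain check on top of DMARC.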
What Is Domain Spoofing and How Is It Different From Email Spoofing?
Domain spoofing is a specific form of email spoofing where the attacker impersonates an entire domain rather than just an individual sender name.
Exact domain spoofing sends email with the From header showing an address at the target domain directly, for example ceo@example.com. This attack works only when the target domain has no DMARC enforcement. As DMARC adoption grows, exact domain spoofing becomes increasingly difficult to execute against well-configured domains.
Lookalike domain spoofing is the attacker’s response to DMARC adoption. The attacker registers a domain that visually resembles the target, such as target-company.com, targetcompany.co, or a domain using homoglyph characters where a Cyrillic letter substitutes a Latin one. The email passes all technical filters because it originates from a legitimately registered domain that is not the actual target.
DMARC has zero jurisdiction over lookalike domains. For the complete authentication setup, see our guide on SPF, DKIM and DMARC Explained.
What Are the Different Types of Email Spoofing Attacks?
Email spoofing spans six distinct attack types, each requiring different defenses to address.
| Spoofing Type | How It Works | DMARC Coverage | Additional Protection Needed |
| --- | --- | --- | --- |
| Display Name Spoofing | Misleading sender name, real alternative domain | None | Impersonation protection, employee training |
| Exact Domain Spoofing | From header shows actual target domain | Yes, with p=reject | SPF, DKIM, DMARC p=reject |
| Lookalike Domain Spoofing | Registered similar domain used as sender | None | Defensive domain registration, impersonation protection |
| Subdomain Spoofing | Sends from uncovered subdomain of target | Partial (only if sp=reject set) | DMARC sp=reject |
| Cousin/Homoglyph Spoofing | Typos or character substitutions in domain | None | Domain monitoring, impersonation protection |
| Internal Domain Spoofing | Impersonates internal email addresses | Yes, if domain has DMARC | Multi-factor verification procedures |
The table reveals a critical pattern: DMARC only protects against exact domain spoofing where the target domain is used directly. Every other attack type requires additional controls beyond authentication records.
How Do Attackers Use Email Spoofing to Commit Fraud?
Business email compromise is the most financially damaging application of email spoofing. It targets workflows in which an email from an apparent authority triggers a financial action without any independent verification.
CEO fraud uses spoofed executive addresses to instruct finance staff to transfer funds or change payment account details urgently. Vendor impersonation spoofs supplier email addresses to redirect invoice payments to attacker-controlled accounts, typically timed to arrive during a normal billing cycle. IT helpdesk impersonation spoofs internal support addresses to request credentials or remote access.
Brand phishing impersonates major platforms such as Microsoft, HMRC, and PayPal to harvest employee or customer credentials at scale. These messages often carry no malicious attachments, bypassing malware filters entirely.
The Verizon DBIR consistently identifies phishing and BEC through spoofed email as leading attack vectors. For how CEO fraud specifically operates and targets finance teams, see our article on What Is CEO Fraud? How to Detect and Prevent BEC Attacks. For context on broader phishing variations, see Phishing vs Vishing vs Smishing: What Is the Difference?
How Do SPF, DKIM and DMARC Stop Email Spoofing?
SPF checks that the sending IP is authorized for the envelope sender domain. DKIM validates the message signature and confirms the content was not modified in transit. DMARC checks that either SPF or DKIM aligns with the visible From header and applies policy: p=none, p=quarantine, or p=reject.
DMARC p=reject is the strongest technical protection against exact domain spoofing. When enforced, receiving servers block any unauthenticated email claiming to be from that domain.
The critical gap almost no competitor covers is what happens after a domain reaches p=reject. Sophisticated attackers do not abandon the campaign. They pivot immediately to a lookalike domain, registering target-company.com or using homoglyph characters to create a visually identical domain and sending from it. Their email passes all SPF and DKIM checks because it originates from a legitimately registered domain. DMARC has no authority over any domain other than the one it is published for.
Organizations that implement DMARC p=reject and consider the spoofing problem solved remain fully exposed to every lookalike domain attack. According to Valimail, only around 40% of domains globally have DMARC published, and the enforcement rate at p=reject is significantly lower. Even organizations at full enforcement face continued lookalike risk that authentication records cannot address. NIST SP 800-177 and UK NCSC guidance both recommend DMARC enforcement as a baseline while noting that brand impersonation through similar domains requires additional controls.
What Is Email Impersonation Protection and How Does It Work?
Email impersonation protection extends beyond DMARC to catch attacks that authentication records cannot block.
Standard DMARC enforcement has no effect on display name spoofing, where a real sending domain is used with a misleading sender name, or on lookalike domain attacks, where the email originates from a registered alternative domain. Impersonation protection specifically targets these categories.
It works by combining sender display name analysis, lookalike domain comparison against known organizational domains, and machine learning models trained on real communication patterns. When an incoming message displays an executive name but arrives from an unexpected domain, impersonation protection flags it before inbox delivery.
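The lookalike domain comparison described above is the part of impersonation protection that DMARC cannot do. The following is an added example, not code from Microsoft, Proofpoint, Mimecast or the article: it folds a sender domain down to a visual "skeleton" (punycode decoded, accents stripped, a short hand-picked set of Cyrillic and ASCII confusables mapped to the Latin letters they resemble) and then compares it with the organisation's own domains by exact match, prefix and edit distance. The protected domain, the confusable tables and the thresholds are assumptions chosen for the demonstration.

```python
import unicodedata

# Assumption for the demo: the organisation's own domains that senders are compared against.
PROTECTED_DOMAINS = ["targetcompany.com"]

# Non-Latin letters that render like Latin ones (a small hand-picked subset of Unicode confusables).
CONFUSABLE_CHARS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}
# ASCII sequences that read as another letter in many fonts.
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def skeleton(domain):
    """Reduce a domain to its visual skeleton so look-alikes collapse onto the same string."""
    d = domain.strip().rstrip(".")
    if "xn--" in d.lower():
        d = d.encode("ascii").decode("idna")  # punycode back to the Unicode the user actually sees
    d = d.lower()
    d = "".join(c for c in unicodedata.normalize("NFKD", d) if not unicodedata.combining(c))
    d = "".join(CONFUSABLE_CHARS.get(c, c) for c in d)
    for seq, replacement in CONFUSABLE_SEQUENCES:
        d = d.replace(seq, replacement)
    return d


def compact(domain):
    """Drop dots and hyphens so target-company.com and targetcompany.co line up with the target."""
    return domain.replace(".", "").replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def classify_sender_domain(domain, protected=PROTECTED_DOMAINS):
    """Return (verdict, protected_domain) for the domain behind a From header."""
    raw = domain.strip().rstrip(".").lower()
    sk = skeleton(domain)
    for p in protected:
        p = p.lower()
        if raw == p or raw.endswith("." + p):
            return ("protected", p)  # our own domain or a subdomain: DMARC's job, not this check
    for p in protected:
        psk = skeleton(p)
        if sk == psk:
            return ("homoglyph", p)  # identical once confusables are folded away
        if compact(sk).startswith(compact(psk)) or edit_distance(compact(sk), compact(psk)) <= 2:
            return ("lookalike", p)  # typo, hyphen or TLD variation of the target
    return ("unrelated", None)


if __name__ == "__main__":
    for candidate in ("targetcompany.com", "target-company.com", "targetcompany.co",
                      "targetcornpany.com", "t\u0430rgetcompany.com", "gmail.com"):
        print(candidate, classify_sender_domain(candidate))
```

A gateway would run this on the From header domain of every inbound message and route "homoglyph" and "lookalike" verdicts to quarantine or a warning banner; "protected" verdicts are deliberately passed through untouched because DMARC already decides their fate.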
Microsoft Defender for Office 365 includes impersonation protection in its anti-phishing policy configuration. Proofpoint and Mimecast offer equivalent capabilities. For BEC defense specifically, impersonation protection is one of the most critical controls because BEC emails typically carry no malicious links or attachments that other filters detect. For more on BIMI as a trust signal tied to authentication, see What Is BIMI and How It Boosts Email Brand Trust.
What Is ARP Spoofing and Is It Related to Email Spoofing?
ARP spoofing is a network-layer attack with no direct relationship to email authentication, but the shared word “spoofing” causes frequent confusion.
Address Resolution Protocol maps IP addresses to MAC addresses on local networks. In an ARP spoofing attack, an attacker sends falsified ARP messages to associate their MAC address with a legitimate IP address on the same network. This intercepts traffic flowing to that IP and enables a man-in-the-middle position on the local network.
The connection to email is indirect: if email traffic crosses a local network without TLS encryption, ARP spoofing can intercept it. The defense requires dynamic ARP inspection at the network switch level, not email authentication controls.
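Dynamic ARP inspection works by refusing ARP replies that contradict a trusted IP-to-MAC binding table (normally populated by DHCP snooping). The following added example, not part of the article, shows that logic over a constructed list of observed ARP replies: a reply for the gateway IP that carries an unexpected MAC is flagged against the trusted table, and an untrusted IP that suddenly moves to a new MAC is flagged as a change. The reply list, the trusted binding and the MAC addresses (IANA documentation range) are all constructed for the demonstration.

```python
# Constructed ARP reply observations (time, IP, claimed MAC) as a host or switch might log them.
OBSERVED_REPLIES = [
    ("10:00:01", "192.0.2.1", "00:00:5e:00:53:01"),   # gateway answering normally
    ("10:00:02", "192.0.2.10", "00:00:5e:00:53:0a"),  # a workstation
    ("10:00:05", "192.0.2.1", "00:00:5e:00:53:01"),
    ("10:00:09", "192.0.2.1", "00:00:5e:00:53:ff"),   # gateway IP now claimed by a different MAC
    ("10:00:12", "192.0.2.10", "00:00:5e:00:53:0b"),  # workstation IP moves to a new MAC
]

# Assumed trusted IP-to-MAC bindings: the role DHCP snooping entries play for dynamic ARP inspection.
TRUSTED_BINDINGS = {"192.0.2.1": "00:00:5e:00:53:01"}


def detect_arp_conflicts(replies, trusted=TRUSTED_BINDINGS):
    """Return one alert per ARP reply that contradicts a trusted binding or re-maps a known IP."""
    first_seen = {}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted:
            # Trusted entries are authoritative: any other MAC for this IP is a poisoning attempt.
            if trusted[ip] != mac:
                alerts.append({"time": ts, "ip": ip, "mac": mac, "reason": "contradicts trusted binding"})
            continue
        # For untrusted IPs, fall back to "first MAC seen wins" and alert on any later change.
        if ip in first_seen and first_seen[ip] != mac:
            alerts.append({"time": ts, "ip": ip, "mac": mac, "reason": "ip moved to a new mac"})
        first_seen.setdefault(ip, mac)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_conflicts(OBSERVED_REPLIES):
        print(alert)
```

On a real switch the trusted table is built automatically and the offending frame is dropped at the port; the point of the example is that the defence lives at Layer 2 and has nothing to check against SPF, DKIM or DMARC.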
| Feature | Email Spoofing | Domain Spoofing | ARP Spoofing |
| --- | --- | --- | --- |
| Definition | Forged email sender address | Impersonation of an entire domain | Poisoned ARP tables on local network |
| Network Layer | Application layer (email) | Application layer (email) | Network layer (Layer 2) |
| Attack Target | Individual email recipients | Organizations and their customers | Local network devices |
| What It Enables | Phishing, BEC, fraud | Brand abuse, phishing campaigns | Traffic interception, MitM |
| Primary Defense | SPF, DKIM, DMARC | DMARC, domain monitoring, impersonation protection | Dynamic ARP inspection |
How Do You Detect and Report Email Spoofing?
Detecting email spoofing starts with the email headers most users never examine.
Every email contains a full set of headers recording the delivery path and authentication results. The Authentication-Results header shows SPF, DKIM, and DMARC pass or fail status in a single readable field. A message showing SPF: fail or DMARC: fail has not passed sender verification.
In your email client, hover over the sender display name to reveal the actual sending address behind it. A message showing “John Smith CEO” as the display name but sending from john.smith@gmail.com is a clear display name spoofing indicator. Most users never hover and never see the mismatch.
Use MXToolbox Email Header Analyzer or Google Admin Toolbox to parse full email headers for detailed delivery path and authentication analysis. Both tools present the technical data in a readable format without requiring command-line expertise.
Review DMARC aggregate reports regularly. Reports reveal every IP sending email claiming to be your domain, including active spoofing campaigns you would not otherwise know about.
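Aggregate (RUA) reports arrive as XML in the layout given in RFC 7489 Appendix C. The following added example, not code from the article, parses a constructed report with the standard library and summarises which sending IPs failed both aligned SPF and aligned DKIM, which is exactly the list of sources claiming to be your domain without authorisation. The report contents, IP addresses (documentation ranges) and counts are constructed for the demonstration; a production parser should read reports from the internet with defusedxml rather than xml.etree.

```python
import xml.etree.ElementTree as ET  # for reports received from outside, use defusedxml.ElementTree instead

# Constructed aggregate report: one legitimate sender, one forwarder (SPF breaks, DKIM survives),
# and one source that fails everything while claiming to be example.com.
SAMPLE_RUA_REPORT = """<feedback>
  <report_metadata>
    <org_name>mx.recipient.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>1000</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.40</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>attacker-controlled.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return (policy_published dict, list of per-source records) from a RUA report."""
    root = ET.fromstring(xml_text)
    published = {child.tag: child.text for child in root.find("policy_published")}
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")  # aligned results as the receiver judged them
        spf_domain = rec.find("auth_results/spf/domain")
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "disposition": evaluated.findtext("disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": spf_domain.text if spf_domain is not None else None,
        })
    return published, records


def summarize(records):
    """Total volume, how much failed DMARC (neither aligned SPF nor aligned DKIM), and from where."""
    total = sum(r["count"] for r in records)
    failing = [r for r in records if r["dkim"] != "pass" and r["spf"] != "pass"]
    by_source = {}
    for r in failing:
        by_source[r["source_ip"]] = by_source.get(r["source_ip"], 0) + r["count"]
    return {
        "total": total,
        "failing": sum(r["count"] for r in failing),
        "failing_sources": sorted(by_source.items(), key=lambda kv: kv[1], reverse=True),
    }


if __name__ == "__main__":
    published, records = parse_report(SAMPLE_RUA_REPORT)
    print("policy:", published["p"], "summary:", summarize(records))
```

Note that the forwarder record (SPF fail, DKIM pass) still counts as a DMARC pass: one aligned mechanism is enough, which is why DKIM signing all outbound mail matters before moving to p=reject. With the published policy still at p=none, the 42 failing messages were delivered; the same report at p=reject would show their disposition as reject.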
How Do You Stop Email Spoofing for Your Domain?
Stopping email spoofing requires a layered approach that goes beyond implementing SPF, DKIM, and DMARC.
Start with full authentication: SPF covering all legitimate sending services, DKIM signing on all outgoing email, and DMARC progressed to p=reject. Add sp=reject to your DMARC record to cover subdomains. Most DMARC configurations omit the sp tag entirely, leaving all subdomains of the root domain vulnerable to spoofing even when the root domain enforces p=reject.
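The alignment and policy logic described in the SPF, DKIM and DMARC section earlier, together with the sp tag discussed here, can be modelled in a few lines. The following is an added example, not code from the article or from any mail receiver: it parses a DMARC TXT record, checks whether the SPF or DKIM authenticated domain aligns with the visible From domain (relaxed or strict per aspf/adkim), and picks p or sp depending on whether the From domain is a subdomain. It assumes the record was found at the organizational domain and treats the last two labels as that domain; a real receiver consults the Public Suffix List and also honours pct. Per RFC 7489 section 6.3 an absent sp tag inherits the value of p, and the evaluator follows that rule.

```python
def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; sp=none' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Assumption for the demo: organizational domain = last two labels (real receivers use the PSL)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(header_from, record_txt, spf_domain=None, spf_result="none",
             dkim_domain=None, dkim_result="none"):
    """Return the DMARC result and the disposition a receiver would apply."""
    tags = parse_dmarc(record_txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"dmarc": "none", "disposition": "none", "reason": "no valid DMARC record"}

    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none", "reason": "aligned spf" if spf_ok else "aligned dkim"}

    # Subdomain From headers use sp when present; otherwise p applies to them too.
    is_subdomain = header_from.lower() != org_domain(header_from)
    applied = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {"dmarc": "fail", "disposition": applied.lower(), "reason": "no aligned identifier"}


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; sp=reject; aspf=r; adkim=r; rua=mailto:dmarc-reports@example.com"
    # Exact domain spoof: SPF passes for the attacker's own envelope domain but does not align.
    print(evaluate("example.com", record, spf_domain="attacker-controlled.example", spf_result="pass"))
    # Legitimate mail: bounce.example.com aligns with example.com under relaxed mode.
    print(evaluate("example.com", record, spf_domain="bounce.example.com", spf_result="pass"))
    # Subdomain spoof against a root record that set sp=none.
    print(evaluate("news.example.com", "v=DMARC1; p=reject; sp=none"))
```

The third call is the case the sp tag is for: a root domain can be at p=reject while an explicit sp=none leaves every subdomain at monitoring only, so the tag deserves a deliberate value rather than whatever a generator left in the record.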
Add email impersonation protection through Microsoft Defender, Proofpoint, or Mimecast to catch the lookalike domain and display name attacks that authentication records cannot stop.
The step almost no competitor guide includes is defensive domain registration. Once a domain reaches DMARC p=reject, the attacker’s most effective response is registering a lookalike domain. Proactively registering common misspellings, typosquatting variations, and homoglyph versions of your domain removes this attack surface before attackers can use it.
For organizations processing significant payments by email, registering twenty or thirty lookalike domain variations costs a fraction of a single successful BEC payment. Search for existing registrations of your domain with common character substitutions, doubled letters, added hyphens, and country code TLD variations. Register the highest-risk variants and redirect them to your main site, preventing any phishing infrastructure from launching on those domains.
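The search for registrable variants described above is easier to do exhaustively than by hand. The following added example, not code from the article or from Cyber Security Solutions Ltd, enumerates the variation classes the paragraph lists for a domain you own: doubled and dropped letters, adjacent transpositions, inserted hyphens, ASCII homoglyph substitutions, and alternative TLDs. The domain, the TLD list and the homoglyph map are assumptions for the demonstration; the output is the candidate list you would then check against DNS and WHOIS and register or monitor.

```python
# Assumption: TLD variations worth checking for this organisation.
CCTLD_VARIANTS = ["co", "co.uk", "com.au", "net", "org"]

# ASCII substitutions that look alike in common fonts (a hand-picked subset).
ASCII_HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "m": "rn", "e": "3"}


def lookalike_variants(domain):
    """Return a sorted list of registrable look-alikes of a domain you own."""
    name, tld = domain.lower().split(".", 1)
    names = set()
    for i, c in enumerate(name):                      # doubled letters: targetcoompany
        names.add(name[:i] + c + name[i:])
    for i in range(len(name)):                        # dropped letters: targetcompny
        names.add(name[:i] + name[i + 1:])
    for i in range(len(name) - 1):                    # adjacent transpositions: targetcompnay
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(1, len(name)):                     # inserted hyphen: target-company
        names.add(name[:i] + "-" + name[i:])
    for i, c in enumerate(name):                      # homoglyphs, one substitution at a time
        if c in ASCII_HOMOGLYPHS:
            names.add(name[:i] + ASCII_HOMOGLYPHS[c] + name[i + 1:])
    names.discard(name)

    variants = {f"{n}.{tld}" for n in names}
    variants |= {f"{name}.{t}" for t in CCTLD_VARIANTS if t != tld}  # same name, other TLDs
    return sorted(variants)


if __name__ == "__main__":
    candidates = lookalike_variants("targetcompany.com")
    print(len(candidates), "candidates, e.g.", candidates[:5])
```

The list grows quickly with name length, which is why the article suggests registering only the highest-risk variants: the hyphen, homoglyph and ccTLD entries are usually the ones that pass a casual glance, while the rest belong on a monitoring list rather than a registration budget.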
Cyber Security Solutions Ltd recommends combining DMARC enforcement, impersonation protection, and proactive domain registration as the three-layer approach that authentication alone cannot provide. Train employees to verify sender addresses before acting on financial requests. For the complete framework, see Email Security Best Practices: The Definitive 2026 Checklist.
Conclusion
Email spoofing is technically preventable but never stopped by any single control. DMARC p=reject closes the exact domain gap. Impersonation protection addresses lookalike and display name attacks. Defensive domain registration removes the attack surface that authentication cannot reach. To find out whether your domain is protected against all three spoofing vectors, visit cybersecuritysolutionsltd.com for a free email authentication and spoofing assessment.