
Email Spoofing Risk

Email spoofing is when an attacker sends emails that appear to come from your domain. It is the core technique behind phishing, business email compromise (BEC), and brand impersonation attacks. Your domain's spoofing risk depends on the combination of SPF, DKIM, and DMARC records.

What SecurityStatus Checks

  • Whether SPF, DKIM, and DMARC records are all present and syntactically valid
  • DMARC policy level: p=none only reports failures, p=quarantine sends them to spam, and p=reject refuses them outright; p=reject is the target setting
  • Whether SPF and DKIM align with the visible From header (DMARC alignment), under the strict or relaxed mode the record specifies
  • Any gaps that allow bypass: for example, SPF without DMARC still permits header spoofing, an SPF record ending in ~all or +all instead of -all, or a pct= or sp= tag that weakens the policy

Why This Matters

Business email compromise attacks cost organisations billions of dollars annually. Attackers impersonate executives, finance teams, and vendors using your exact domain. Customers who receive phishing emails that appear to come from your domain lose trust in your brand. Fully deployed email authentication (SPF, DKIM, and DMARC at p=reject) is the primary technical defence against exact-domain spoofing; lookalike domains need separate monitoring (see the FAQ below).

How to Fix It

  1. Deploy SPF

    Add an SPF TXT record at your domain listing every authorised sending server, using include: for third-party senders. End with -all so that unknown senders hard-fail; ~all only soft-fails and on its own does not stop spoofing. Keep the record within SPF's limit of 10 DNS-lookup mechanisms, or receivers evaluate it as a permanent error. See the SPF guide for full instructions.

  2. Deploy DKIM

    Enable DKIM signing in your email provider and publish the public key as a TXT record at selector._domainkey.yourdomain. Make sure the signing domain (the d= tag in the signature) is your own domain rather than the provider's, otherwise DKIM will not align for DMARC. DKIM provides the cryptographic proof that the message body and key headers were not altered in transit.

  3. Deploy DMARC at p=reject

    Publish a TXT record at _dmarc.yourdomain with a rua= address so you receive aggregate reports. Start with p=none to monitor, move to p=quarantine, then p=reject. p=quarantine only routes failing mail to spam; p=reject is the setting that refuses spoofed mail outright. See the DMARC guide for the full migration process.

  4. Check subdomain spoofing

    A subdomain without its own DMARC record inherits your organisational domain's p= policy unless your record sets sp= to something weaker, and a subdomain with its own record uses that record instead. Set `sp=reject` explicitly so a later change to p= or a stray sp=none left over from rollout cannot leave subdomains open, and review any subdomain that publishes its own DMARC record.

  5. Monitor continuously

    Review DMARC aggregate reports weekly. New third-party senders added without updating SPF/DKIM will start failing and may indicate an attack or an untracked service.

Frequently Asked Questions

Can attackers still spoof my domain if I have SPF?
Yes. SPF only checks the envelope sender domain (the RFC5321.MailFrom, seen as Return-Path), not the From header that users see. An attacker can pass SPF for a domain they control while putting your domain in the From header. DMARC fixes this by requiring that the domain which passed SPF (or signed with DKIM) aligns with the From header domain.
What is business email compromise (BEC)?
BEC is a type of attack where criminals send emails impersonating executives or finance teams to trick employees into transferring money or sharing sensitive data. BEC uses domain spoofing or lookalike domains.
I have DMARC p=none — am I protected?
No. p=none is monitoring mode only: it reports failures but does not block anything, and spoofed emails are still delivered. p=quarantine sends failing mail to spam; you must reach p=reject to have it refused outright.
Should I also register lookalike domains?
Yes. Even with perfect email authentication on your main domain, attackers can register similar domains (securitystatus.io vs security-status.io) and send from those. Monitor for lookalike registrations with SecurityStatus typosquatting detection.
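The checks in "How to Fix It" and the SPF question above come down to a small amount of logic: parse the DMARC tags, work out which policy applies (sp= inherits from p= when absent), inspect the SPF all qualifier, and decide whether the identifier that passed SPF or DKIM aligns with the From header. The following is an added example, not SecurityStatus code; the records, domains and messages are constructed for illustration, and the organisational-domain helper is a last-two-labels approximation rather than the Public Suffix List lookup a real implementation uses.

```python
"""Rate a domain's spoofing exposure from SPF/DMARC records and work through
DMARC alignment for sample messages. Added example, not vendor code; records
and domains below are constructed (a real checker fetches TXT records over DNS).
"""
import re

# Constructed records for the hypothetical domain example.com.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
DMARC_RECORD = "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def effective_policy(tags, subdomain=False):
    """Policy applied to a message: sp= governs subdomains and defaults to p=
    when absent (RFC 7489 section 6.3); p= itself defaults to none."""
    if subdomain and "sp" in tags:
        return tags["sp"].lower()
    return tags.get("p", "none").lower()


def spf_all_qualifier(record):
    """Qualifier on the final 'all' mechanism: '-' hard fail, '~' soft fail,
    '?' neutral, '+' pass-everything. None when there is no 'all' mechanism."""
    match = re.search(r"(?:^|\s)([-~?+]?)all\s*$", record)
    if not match:
        return None
    return match.group(1) or "+"


def org_domain(fqdn):
    """Organisational domain approximated as the last two labels (assumption
    for this example; DMARC implementations use the Public Suffix List)."""
    return ".".join(fqdn.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(tags, from_domain, spf_result, mailfrom_domain,
                 dkim_result=None, dkim_d=None):
    """Return (result, action). A message passes DMARC when SPF passed *and*
    the MailFrom domain aligns with From, or DKIM passed *and* its d= aligns
    with From. Anything else fails and the effective policy is applied."""
    spf_ok = spf_result == "pass" and aligned(
        mailfrom_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_d is not None
               and aligned(dkim_d, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = org_domain(from_domain) != from_domain.lower()
    return "fail", effective_policy(tags, subdomain=is_subdomain)


def spoofing_risk(spf_record, dmarc_record):
    """Return ('low'|'high', findings). Rating labels are this example's own."""
    findings = []
    qualifier = spf_all_qualifier(spf_record) if spf_record else None
    if not spf_record:
        findings.append("no SPF record")
    elif qualifier in (None, "+", "?"):
        findings.append("SPF does not fail unknown senders (all qualifier %r)" % qualifier)
    elif qualifier == "~":
        findings.append("SPF ~all is a soft fail only")

    tags = parse_dmarc(dmarc_record) if dmarc_record else {}
    if not tags:
        findings.append("no DMARC record: header From can be spoofed")
    else:
        policy = effective_policy(tags)
        sub_policy = effective_policy(tags, subdomain=True)
        if policy != "reject":
            findings.append("DMARC p=%s does not reject spoofed mail" % policy)
        if sub_policy != "reject":
            findings.append("subdomain policy sp=%s is weaker than reject" % sub_policy)
        pct = int(tags.get("pct", "100"))
        if pct < 100:
            findings.append("pct=%d applies the policy to only part of the mail" % pct)
    return ("low" if not findings else "high"), findings


if __name__ == "__main__":
    tags = parse_dmarc(DMARC_RECORD)
    # Attacker passes SPF for an envelope domain they control but forges From.
    print(dmarc_result(tags, "example.com", "pass", "phish.example.org"))
    print(spoofing_risk(SPF_RECORD, DMARC_RECORD))
```

Running the script shows the FAQ case directly: the forged message passes SPF for phish.example.org, but that domain does not align with the From header, so DMARC fails and the reject policy applies. Swapping the DMARC record for one with `sp=none` and a From header on a subdomain returns `("fail", "none")`, which is the subdomain gap step 4 warns about.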
