Can Someone Send Email Pretending to Be Your Business? Yes, Probably | DomainScores

89% of domains have no enforcement stopping criminals from sending email as them. Invoice fraud, CEO impersonation, and supplier scams all start here.

89.41% of domains — including most Irish business domains — have no DMARC policy that blocks spoofed email. That means a criminal can send email from your exact domain address right now, and it will land in the recipient's inbox appearing to come from you.

How email spoofing works

Email was designed without authentication. The "From:" address you see in an email is just a text field — any mail server can put any address there. For decades, there was no technical mechanism to verify it.

SPF, DKIM, and DMARC were built to close that gap. Together, they allow receiving mail servers to verify that an email claiming to be from your domain actually came from your authorised sending infrastructure. But only 3.87% of domains have all three configured to enforcement level.

What criminals do with your domain

Invoice fraud. A criminal sends an invoice email from your finance team's address to a supplier or customer, with updated bank details. The recipient sees your domain, your name, your branding. The money moves before anyone realises.

CEO fraud. An email from "you" to your finance team requesting an urgent wire transfer. The sender address is your domain. The request looks real.

Customer phishing. Emails to your customers claiming to be from your support team, asking for credentials, payment details, or personal information.

Supplier impersonation. Emails pretending to be from your suppliers — sent to your own team — requesting payment to a new account.

How to check your domain

Run the free DomainScores check to see your current DMARC, SPF, and DKIM grades — and whether your domain can currently be spoofed.


Want this fixed? Domain Fix from €1,197 — we configure DMARC enforcement, SPF, and DKIM for your domain. Grade B+ guaranteed, or your money back.