Email Spoofing Explained: How Attackers Fake Your Domain

Email spoofing lets attackers fake your domain in the From address to send phishing in your name. Learn how it works and how SPF, DKIM and DMARC block it.

Email spoofing is when someone sends a message that appears to come from your domain when it did not. The recipient sees an address at your own domain in the From line, trusts it, and acts on it — pays an invoice, hands over a password, clicks a malicious link. The unsettling part is that the attacker never needs to break into your mailbox or your server. They simply lie about who sent the message, and by default the email system believes them.

For a small business this is not an abstract risk. Your domain is your reputation in someone else's inbox. If criminals can put your name on a phishing message, the damage lands on you — even though nothing on your systems was ever "hacked". This guide explains exactly how the forgery works, why it is so easy, and the three DNS records that stop it.

Why email spoofing is so easy: SMTP was built on trust

Email runs on a protocol called SMTP (Simple Mail Transfer Protocol), designed in the early 1980s for a small, trusting network of universities. SMTP has no built-in way to check that a sender is who they claim to be. The From address you see in your email app is just a piece of text the sending server fills in — like writing a return address on an envelope. Nothing stops you writing someone else's address there.

In fact, every email carries two separate "from" values: the envelope sender (the MAIL FROM address used behind the scenes for delivery and bounce messages) and the header From (the friendly address your email app actually shows you). Attackers usually forge the header From, because that is the one humans read. An attacker with a basic mail server, or one of the many "send anonymous email" tools online, can set the header From to any address at your domain and dispatch the message in seconds. No password. No access to your network. Just a forged label on the envelope.

This is why "we have strong passwords" or "we use two-factor authentication" does not protect you from spoofing. Those controls protect your accounts. Spoofing does not touch your accounts at all — it forges your name from the outside.

Exact-domain spoofing versus lookalike domains

It helps to separate two different attacks, because they need different defences.

Exact-domain spoofing forges your real domain — the message genuinely claims to be from @yourcompany.ie. This is the most convincing version, because even a careful recipient who checks the address sees the real thing. The good news: this is the attack you can shut down with the email authentication records below. They let receiving servers verify that mail claiming to be from your domain actually came from a server you authorised, and reject it when it did not.

Lookalike (cousin) domains register a similar address — yourcompany-ie.com, your-company.ie, or yourcornpany.ie (an "rn" standing in for "m") — and send from that. Technically this is not spoofing your domain at all; it is a different domain that resembles yours. Authentication records on your own domain cannot stop someone using a domain you do not own. The defences here are different: register the obvious variations yourself, watch for newly registered lookalikes, and train staff to read addresses carefully. Anyone telling you that DMARC stops lookalike domains is mistaken — it only governs your exact domain.

This guide focuses on exact-domain spoofing, because it is the one you can definitively close — and the one most attackers reach for first.

The damage: phishing and fraud sent in your name

When your domain is spoofable, attackers can run convincing scams that wear your identity:

  • Business email compromise (BEC) and invoice fraud. A forged email from your finance address tells a customer "our bank details have changed — please pay to this new account". Because it appears to come from you, it gets paid. The customer loses money and blames your business.
  • Phishing your own staff. A message that looks like it is from your managing director asks an employee to buy gift cards, approve a transfer, or "confirm your login". Internal-looking mail clears the natural suspicion staff would apply to an outside sender.
  • Phishing your customers and partners. Criminals harvest credentials or push malware using your brand as cover. Even when the victim is not your customer, the abuse is attached to your domain.
  • Lasting brand and deliverability harm. Spoofed campaigns get reported as spam and abuse. That damages your domain's sending reputation, which can push your own legitimate mail into junk folders.

None of this requires a breach of your systems. That is the point — and the reason a non-technical owner needs to care.

The fix: SPF, DKIM and DMARC

Three DNS records, working together, let any receiving mail server verify that a message really came from you and decide what to do if it did not. You add them as records on your domain; you do not need to change your mail provider.

SPF (Sender Policy Framework) is a published list of the servers allowed to send email for your domain. You add a TXT record naming your provider — for Google Workspace, for example, the record is v=spf1 include:_spf.google.com ~all (Microsoft 365 has its own equivalent). The ~all at the end is the qualifier that tells receivers how to treat mail from any server not on the list; Google recommends the tilde (softfail) rather than -all (hardfail) while you are getting set up. A receiving server then checks whether the message arrived from a listed source. SPF answers one question: "is this server allowed to send for this domain?"
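As an added illustration (not code from the original article or from any mail provider), here is a simplified SPF evaluator in Python that reads a constructed, offline zone table instead of doing live DNS lookups; the IP ranges in it are documentation prefixes, not Google's real ones, and only the ip4, ip6, include and all mechanisms are handled. It shows what a receiver concludes for a listed server versus an unlisted one, and the difference ~all and -all make to that second case.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: an offline table
# instead of live queries). The address ranges are documentation prefixes,
# not Google's real ones.
ZONE = {
    "yourcompany.ie": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, zone=ZONE, depth=0):
    """Evaluate SPF for a message sent as `domain` from `sender_ip`.

    Simplified: handles the ip4, ip6, include and all mechanisms only
    (no a, mx, ptr, exists or redirect).
    """
    if depth > 10:            # RFC 7208 caps DNS-lookup mechanisms at 10
        return "permerror"
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"         # no SPF published: receivers cannot check
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"       # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":     # catch-all: ~all softfails, -all hardfails
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # Mixed IP versions never match, so a v6 sender skips ip4 terms.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only when the referenced record passes.
            if check_spf(value, sender_ip, zone, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"          # record exhausted without an "all" term
```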

DKIM (DomainKeys Identified Mail) adds a tamper-proof digital signature to every message you send, using a private key held by your mail provider. The matching public key lives in your DNS. The receiver verifies the signature, confirming the message was signed by your domain and was not altered in transit. DKIM answers: "was this message genuinely signed on behalf of this domain, and is it intact?"

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties the two together and, crucially, tells receivers what to do when a message fails. Its key job is alignment: the visible From domain must match the domain that passed SPF or DKIM. This is the part that actually defeats the forged header From — without it, an attacker can pass SPF or DKIM using their own domain while still displaying yours in the From line. DMARC closes that gap and answers: "this message claims to be from us but failed our checks — reject it, quarantine it, or let it through?"

You must reach p=reject — anything less still lets spoofing through

DMARC has three enforcement levels, set in the p= part of the record, and this is where most businesses stop too early.

  • p=none — monitor only. Receivers report failures to you but still deliver the spoofed mail. This is the right starting point so you can see who sends on your behalf and fix any gaps, but on its own it blocks nothing.
  • p=quarantine — failing mail is delivered to spam/junk. Better, but a forged message in the junk folder can still be found and trusted by the recipient.
  • p=reject — failing mail is refused outright and never reaches the inbox. This is the only setting that actually stops exact-domain spoofing.

The common, dangerous mistake is publishing p=none, seeing reports arrive, and assuming you are protected. You are not. A DMARC record stuck at p=none is a smoke alarm with the siren disconnected. The path is: publish at p=none, watch the reports for a few weeks, confirm all your legitimate senders (your mail provider, your invoicing tool, your newsletter platform) pass SPF and DKIM, then move to p=quarantine and finally p=reject. Until you reach p=reject, attackers can still forge your exact domain.
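The alignment rule from the DMARC section and the p= levels above, as an added Python example that is not from the original article or any receiver's real code. The function names and the two-label organizational-domain shortcut are assumptions, and the SPF and DKIM results are taken as inputs rather than computed. It shows why a message that passes SPF on the attacker's own envelope domain still fails DMARC for your domain, and why that message is delivered anyway when the record sits at p=none.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'
    into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.

    Assumption: a real receiver consults the Public Suffix List, so this
    shortcut is wrong for suffixes such as .co.uk.
    """
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_domain=None, spf_result="none",
                      dkim_domain=None, dkim_result="none"):
    """Return 'pass' if either authenticated identifier aligns with the
    header From domain, otherwise the p= action the domain owner published.

    spf_domain is the envelope sender (MAIL FROM) domain that SPF checked;
    dkim_domain is the d= tag of a signature that verified.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(
        from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # Failing mail gets the published policy: none, quarantine or reject.
    return tags.get("p", "none")
```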

For a step-by-step walkthrough aimed at Irish small businesses — including the exact records and how to roll DMARC out safely — see our guide on how to add DMARC to your Irish business email.

Check whether your domain is spoofable today

You can find out in under a minute whether your domain is currently protected or wide open to forgery. Run your domain through the free Digital Trust Checker. It inspects your SPF, DKIM and DMARC setup, tells you in plain English whether spoofing is blocked, and flags the most common gap of all — a DMARC record sitting at p=none that gives a false sense of safety.

If the check shows you are exposed, you do not need to panic or call in a consultant. Start with SPF and DKIM, publish DMARC at p=none to watch the traffic, and work your way to p=reject. Each step makes it harder for anyone to send fraud in your name — and reaching enforcement takes your domain off the table as an easy target for good.