How it works
Plain SMTP lets a sender set any "From" address. Spoofing is blocked when receiving servers can check SPF (which senders are allowed), DKIM (a cryptographic signature), and DMARC (what to do on failure), but only if your domain publishes and enforces these records.
How it relates to brand impersonation
Email spoofing is brand impersonation in the inbox. Even with strong DMARC on your primary domain, attackers fall back to lookalike domains, which is where monitoring and takedowns come in.
How nebty helps
Our email spoofing guide explains the controls to deploy, and nebty monitors for the lookalike domains attackers use when your real domain is protected, ready for an on-demand takedown.
How the three records fit together
The three email-authentication records each cover a different gap, and they only work together. SPF lists the servers allowed to send mail for your domain, so a receiver can reject a message from anywhere else. DKIM adds a cryptographic signature, so a receiver can confirm the message was not altered and really came from your domain. DMARC ties the two together: it tells receivers what to do when a message fails both checks and reports who is sending as you. The common mistake is publishing DMARC in monitor mode and never moving to reject, which logs the abuse without stopping it. Even at full enforcement you have only protected your exact domain; attackers respond by registering lookalike domains, and removing those is where monitoring and takedowns come in. Our email spoofing guide walks through the setup.
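One way to check for the enforcement gap described above (DMARC left in monitor mode, or an SPF record that authorises everyone), as an added example that is not nebty's code. The function names and record strings are constructed for illustration, and records are passed in as text rather than fetched from DNS.

```python
# Added example: constructed records only; example.com is a placeholder domain.
def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record):
    """Findings for one DMARC TXT record; None means nothing is published."""
    if record is None:
        return ["no DMARC record: receivers have no policy to apply"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: v=DMARC1 tag missing"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitor mode, failing mail is reported but not stopped")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is treated as suspicious, not rejected")
    elif policy != "reject":
        findings.append("p= tag missing or unrecognised")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append("pct=%s: policy applies to only part of failing mail" % pct)
    if "rua" not in tags:
        findings.append("no rua= tag: aggregate reports are not being collected")
    return findings

def audit_spf(record):
    """Findings for one SPF TXT record, judged by its 'all' mechanism."""
    if record is None or not record.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which servers may send"]
    terms = record.lower().split()[1:]
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy is delegated to another record, not judged here
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted servers get a neutral result"]
    if all_terms[0] in ("all", "+all"):
        return ["+all: every server on the internet is authorised"]
    if all_terms[0] == "?all":
        return ["?all: unlisted servers get a neutral result"]
    return []

if __name__ == "__main__":
    print(audit_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```

An empty list from both functions means the exact domain is enforced; it says nothing about lookalike domains, which these records cannot cover.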