Attackers use your domain to send phishing emails to your customers and partners — often before you notice. Here's how to find out if it's already happening.
Your domain is being spoofed right now. Maybe not — but if you run email for any business, it's worth assuming someone has tried. Domain spoofing is how attackers burn your reputation, get your emails flagged as spam, and trick people into trusting messages that appear to come from you.
The worst part? You often find out when a customer forwards you a phishing email that looks like it came from you — or when your email deliverability drops for no apparent reason. This guide covers the practical steps to check, detect, and stop domain spoofing before it causes real damage.
Spoofing means an attacker sends email that claims to come from your domain — yourdomain.com — without having the proper authentication to do so. They use the From header to make it look like you. The receiving mail server has no automatic way to know it's a forgery unless you've configured the right DNS records.
There are two main flavors:
yourdomain-corp.com or yrdomain.com — and sends from there. This is harder to automatically block but easier for users to spot.
Both are dangerous. Direct spoofing is the one most businesses don't realize they have no defense against.
Before looking for evidence of spoofing, check whether your domain is actually protected. Open a terminal and run:
dig TXT yourdomain.com +short
dig TXT _dmarc.yourdomain.com +short
If the SPF record returns nothing, your domain is effectively open to spoofing. If DMARC returns nothing, there's no mechanism to tell receiving servers what to do with unauthenticated mail purporting to be from your domain.
Use MXToolbox's free DMARC lookup at mxtoolbox.com to get a plain-language assessment of your current email authentication posture.
DMARC has a reporting mechanism that tells you what's being sent using your domain — authenticated or not. When you set p=quarantine or p=reject in your DMARC record, receiving mail servers send XML aggregate reports back to the rua address you've specified.
These reports show:
If you see sources sending mail that failed authentication, that's either a misconfiguration on your end — a marketing tool or subsidiary not yet authorized — or spoofing from outside.
VirusTotal has a free domain lookup that aggregates reputation data from dozens of security vendors. Search for your domain at virustotal.com and look at the email section. You can also search for your domain in Subject: and From: headers in public threat feeds.
If an IP in a DMARC aggregate report belongs to a company you've never used, that's a spoofing attempt — and you should check whether the emails reached their destination.
Set up a dedicated monitoring inbox — something like [email protected] — and subscribe to security feeds and known phishing reporting lists. When someone forwards you a spoofed email that appears to come from your domain, you catch it in the wild.
Some organizations use custom SPF records that include a non-routable "dark IP" — one that never sends legitimate mail. Any message that passes SPF from that IP is definitively spoofed. You can set up a catch-all rule to flag these.
Return-Path, Received-SPF, and Authentication-Results — these tell you whether the message passed authentication checks
Once you've confirmed whether spoofing is happening, here's the action sequence:
SPF lets you specify which mail servers are authorized to send email on behalf of your domain. A minimal strict record looks like: v=spf1 include:_spf.yourmailprovider.com -all. The trailing -all tells receiving servers to reject mail from any server the record does not authorize.
DKIM adds a cryptographic signature to your emails that receiving servers can verify. Most major email providers (Google Workspace, Microsoft 365, Mailchimp Transactional) handle this automatically once you publish the DKIM record they give you.
Start with p=quarantine (sends suspicious mail to spam) while you tune your SPF/DKIM alignment. Once you've verified everything legitimate is passing, move to p=reject — this tells receiving servers to block anything that doesn't authenticate.
Set an rua destination in your DMARC record and review reports weekly. New unauthorized sources appearing suddenly is a signal of active spoofing campaigns.