May 17, 2026 · 7 min read · email securityDMARCspoofing

Your Business Email Domain Can Be Spoofed Right Now — The 2026 DMARC Gap

Attackers can send emails that appear to come from your domain — your brand, your email address, your name — without ever accessing your account. For most small businesses, nothing is stopping them. Here's how to find out if your domain is exposed and close the gap in five steps.

Business Email Compromise (BEC) is the highest-dollar cybercrime category in the world, surpassing ransomware for the fourth consecutive year. The FBI's 2025 IC3 report puts reported losses at $2.9 billion — and that figure represents only the attacks that get reported. The majority don't.

What most business owners don't realize is that a large portion of these attacks don't require the attacker to compromise any account at all. They simply send an email that appears to come from your domain. No hacking required. Just a misconfigured DNS record — or more commonly, no record at all.

⚠ You can check right now: go to mxtoolbox.com/dmarc and enter your domain. If the result is "No DMARC Record Found" or shows p=none, your domain can be spoofed today.

How Email Spoofing Actually Works

Email was designed in the 1970s without authentication. The "From" field in an email is like the return address on an envelope — anyone can write anything there. For decades, there was no technical mechanism to verify that the sender address matched the server that sent the email.

Three standards were developed to fix this, and all three need to be correctly configured for protection to work:

SPF — Sender Policy Framework

A DNS TXT record that lists the IP addresses and servers authorized to send email for your domain. When a receiving mail server gets an email claiming to be from yourdomain.com, it checks whether the sending server is on your SPF list. If not, it can flag or reject the email. Problem: SPF alone doesn't prevent spoofing of the visible "From" address — it only checks the technical envelope sender, which most users never see.

DKIM — DomainKeys Identified Mail

A cryptographic signature added to outgoing emails, verified using a public key published in DNS. If the email is tampered with in transit, the signature breaks. DKIM proves the email came from a server holding your private key and wasn't modified. Problem: DKIM alone also doesn't stop a spoofed "From" address — an attacker can sign emails with their own key from their own domain while showing yours in the From field.

DMARC — Domain-based Message Authentication, Reporting & Conformance

DMARC is the policy layer that ties SPF and DKIM together. It tells receiving mail servers what to do when an email fails authentication — and crucially, it checks that the authenticated domain aligns with the visible "From" address. DMARC has three policy levels: p=none (monitor only — take no action), p=quarantine (send to spam), and p=reject (block completely). Without DMARC at quarantine or reject, spoofed emails land in inboxes.

The Real-World State of SMB Email Security in 2026

Despite SPF and DMARC being available for over a decade, adoption among small businesses remains dangerously low. A 2025 analysis of domains registered to businesses with under 100 employees found:

71% had SPF configured — but 38% of those used ~all (softfail) rather than -all (hard reject)
29% had DMARC records — but 68% of those were set to p=none, meaning monitoring only with no enforcement
Less than 10% had DMARC set to p=reject — the only setting that actually blocks spoofed emails

📊 The math: roughly 90% of small business domains can be spoofed today. An attacker can send an email appearing to come from your CEO to your finance team — with nothing stopping it from landing in their inbox.

What a Spoofing Attack Looks Like in Practice

Here's a real attack pattern that plays out thousands of times per week across small businesses:

Attacker identifies your domain, your CEO's name (from LinkedIn), and your finance contact (from the company website)
They register a spoofed sending infrastructure and craft an email: From: James Mitchell <[email protected]>
The email asks the finance contact to process an urgent wire transfer before end of day — "I'm in meetings, can't take calls, handle this please"
Because your domain has no DMARC enforcement, the email passes straight through to the inbox with no warnings
The finance contact, seeing their CEO's name and correct email address, complies

The FBI calls this pattern "CEO Fraud" or "BEC." The average loss per incident is $137,000. Many small businesses don't recover.

Your 5-Step Fix

Close the email spoofing gap

✅ Step 1 — Check your current state: Scan your domain at EdgeIQ Inbox Shield to get an instant A–F grade across SPF, DKIM, DMARC, MX, and BIMI. Free, no account needed.
✅ Step 2 — Fix or add SPF: Ensure your SPF record lists all legitimate sending sources (your email provider, CRM, marketing tools) and ends with -all not ~all. Use a SPF flattening tool if you have many includes.
✅ Step 3 — Enable DKIM: Your email provider (Google Workspace, Microsoft 365, etc.) will have a DKIM setup page. Generate a key pair and publish the public key as a DNS TXT record. Most providers automate this.
✅ Step 4 — Add DMARC at p=none first: Start with v=DMARC1; p=none; rua=mailto:[email protected] to begin receiving reports about who is sending email using your domain.
✅ Step 5 — Tighten to p=reject: After 2–4 weeks of reviewing DMARC reports to confirm all legitimate senders are covered, change to p=reject. Now spoofed emails are blocked at the receiving server before they ever reach an inbox.

Understanding Your DMARC Grade

p=reject + SPF -all + DKIM active
Your domain is fully protected. Spoofed emails are blocked before they reach any inbox.

p=quarantine + SPF configured
Good protection. Spoofed emails go to spam rather than inbox. Upgrade to p=reject to fully close the gap.

p=none (monitoring only)
DMARC exists but provides no protection. You're collecting data but not blocking anything. Tighten to quarantine or reject.

No DMARC record
Your domain can be spoofed freely. Any attacker can send email appearing to come from you with no technical barriers.

Ongoing Monitoring Matters

Fixing your DMARC configuration is not a one-time task. DNS records get changed. New email tools get added without SPF updates. DKIM keys expire. A configuration that was correct in January can be broken by March after a new CRM or marketing automation tool is connected.

Weekly automated monitoring of your email authentication configuration catches drift before it creates a window for attackers. DMARC report analysis tells you when new, unauthorized senders start using your domain — sometimes the first sign of a phishing campaign targeting your customers or partners using your brand.

📬

Get the EdgeIQ weekly security digest

Practical tips, new threat intel, and product updates. No spam — unsubscribe anytime.

✉️ Grade your email security in 10 seconds

EdgeIQ Inbox Shield scans your domain's SPF, DMARC, DKIM, MX, and BIMI configuration and gives you an instant A–F grade with a prioritized fix list. Subscribe for weekly monitoring alerts — get notified the moment anything changes. Free scan, no account needed.

Scan Your Domain Now →

Quick Reference

Email spoofing requires no account compromise — just a misconfigured or missing DMARC record
BEC attacks cost businesses $2.9 billion in 2025 — the top cybercrime category by dollar value
SPF and DKIM alone are not sufficient — DMARC at p=reject is required to block spoofing
~90% of SMB domains currently lack DMARC enforcement
Start with p=none to collect data, then move to p=reject after confirming all legitimate senders pass
Monitor weekly — email auth configurations drift as new tools are added