What is Email Spoofing and how to protect your domain?

A couple of months ago an account in a company I was working with, got an email from an email marketing provider they were using with the subject line: "Your Invoice". The accountant opened the message and followed the link to download the invoice. The browser opened and a login box was displayed. She entered the login credentials and nothing more happened.

Two days later, the attacker used the login data, to send spam emails to over 1 million contacts. 💣 Booom!

Check out our free Email tester to validate your email setup.

What is email spoofing?

Email spoofing describes emails, that look like they were sent by a known or trusted sender. Usually, it’s a tool of a phishing attack, designed to take over your online accounts, send malware, or steal funds.

Each email comes with an envelope (the message header), that contains information about the sender and recipient. Attackers modify the message header and fake the sender's address.

The email looks like it was sent from a trusted source.

How to protect your domain?

The good news is, that you can protect your business domain from email spoofing. The foundation is the Simple Mail Transfer Protocol (SMTP). This is the protocol every email server speaks. The problem with SMTP: It doesn't require any authentication and there is no mechanism to detect a fake identity.

Therefore a couple of additional standards got established to protect email domains:

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication (DMARC)

Those additions are effective ways to protect your domain when set up correctly. With SPF you can list email servers that you allow to send emails for your domain and how to handle emails from unknown servers.

Learn more insights about how the Sender Policy Framework (SPF) in this article.

DKIM is a digital signature for your emails to prove their sender's authenticity. The sender system adds a digital signature to the message header. The recipient system looks up the public key published on the domain's nameserver to verify the correctness.

DMARC is supported by all major email providers. You publish instructions on your domain's nameserver on how to handle SPF and DKIM failures. You can also specify email addresses to get regular reports and feedback about unauthenticated messages.

Read more about DMARC and how to use it in this article.

The thing with the Return-Path

A Return-Path is the designated email address where bounced messages and other email feedback are sent. So, if an outbound email can’t be delivered, it’ll end up at the Return-Path, which is specified by the Return-Path header in an email and invisible to other parties.

Here’s the thing, though: SPF does not validate against the From domain. Instead, it looks at the Return-Path value and uses it to validate the originating server. This means an email can pass SPF regardless of whether the From address is fake.

Here is an example:

Imagine you are sending an email from your company domain company.com. You are using an ESP which is sending emails via esp.com. To get notified of bounces the Return-Path of the emails are using something like bounces@esp.com. Since SPF uses the Return-Path your messages are still valid, regardless of your own SPF record. If you use DMARC, those messages would be seen as invalid, because it fails the SPF alignment check.


Email spoofing describes emails, that look like they were sent by a known or trusted sender. It's a dangerous threat to your business. With the right email configuration, you can lower the risk significantly and make sure, that no unauthenticated emails are sent in your name.

Use our free Email tester to validate your email setup.

Ready to dive in?Start your free trial today.