Email spoofing is trivially easy — SMTP allows anyone to put any address in the From field. Without authentication records, your domain can be used to send phishing email without your knowledge.
How Spoofing Works
SMTP's MAIL FROM and the email's From header are separate fields. An attacker can set From: ceo@yourcompany.com while routing through their own server. Without DMARC, the receiving server has no way to verify the From address is legitimate.
Real-World Damage
- Phishing attacks targeting your customers, partners, or employees
- Brand reputation damage when recipients see emails "from you" that are clearly fraudulent
- Legitimate emails from your domain being blocked because spoofed messages from your domain damaged your reputation
The Complete Fix
- SPF — defines authorized sending servers. Blocks server-level spoofing.
- DKIM — cryptographic signature over the message headers and body that proves the message wasn't tampered with in transit. Because the signature travels inside the message, it normally survives forwarding.
- DMARC with p=reject — the final layer. Instructs receivers to reject messages that claim your domain in the From header unless SPF or DKIM passes AND the domain that passed aligns with that From domain.
Verify Your Protection
Send a test email to check.spamhaus.org or use mail-tester.com to verify that all three records pass. In the received message's Authentication-Results header, check that DMARC shows "dmarc=pass".
BIMI: Bonus Benefit of DMARC Enforcement
Once you have p=quarantine or p=reject DMARC, you can add BIMI to display your brand logo in Gmail and Yahoo Mail — making legitimate emails instantly recognizable and harder to spoof visually.