How Attackers Spoof Your Domain for Phishing

Updated by SurfaceLoop Team | DNS & Email Spoofing

Why does email have no built-in authentication?

SMTP (Simple Mail Transfer Protocol) was designed in 1982 for a small, trusted network of academics. Authentication was not a concern - there was no reason to lie about who sent a message.

The protocol carries two sender addresses:

  • Envelope sender (Return-Path) - the technical address used for delivery and bounces
  • Header From - the address displayed to the recipient in their email client

Neither address is verified by the protocol. A mail server can set both to anything. This design flaw is the foundation of all email spoofing.

What are the main email spoofing techniques?

Direct domain spoofing

The simplest form. The attacker sends email with your domain in both the envelope sender and the From header. Without SPF and DMARC, nothing stops this.

An attacker with access to any mail server - or using a scripting library like Python’s smtplib - can send email as [email protected] in minutes. No access to your email infrastructure is required.

This is the attack that DMARC with enforcement (p=reject) prevents. When a receiving server checks the email against your DMARC policy and finds that the sending server is not authorised (fails SPF) and the message is not signed (fails DKIM), the email is rejected before it reaches the inbox.

Display name spoofing

Instead of forging the technical sender address, the attacker uses their own domain but sets the display name to match your organisation:

From: "Your Company CEO" <[email protected]>

Many email clients show only the display name, not the email address, especially on mobile. Recipients see “Your Company CEO” and trust the message.

SPF, DKIM, and DMARC cannot prevent this because the actual sending domain (malicious-domain.com) may have its own valid authentication. This attack requires user awareness training and email filtering rules.

Lookalike domain spoofing

The attacker registers a domain visually similar to yours:

  • yourcompany.co instead of yourcompany.com
  • yourcornpany.com (replacing ‘m’ with ‘rn’)
  • your-company.com (adding a hyphen)

Email from these domains passes all authentication checks because the attacker controls the DNS. Detection requires monitoring for lookalike domain registrations - not email authentication.

Subdomain spoofing

If your DMARC record only covers the root domain and does not specify a subdomain policy (sp=), attackers may spoof subdomains like support.yourdomain.com or billing.yourdomain.com.

Subdomains without their own SPF and DKIM records are particularly vulnerable. The fix is adding sp=reject to your root DMARC record to enforce policy on all subdomains.

Reply-to manipulation

The attacker sends email from a domain they control but sets the Reply-To header to your domain:

From: [email protected]
Reply-To: [email protected]

If the recipient replies, the response goes to the attacker. This bypasses authentication because the From domain is the attacker’s own domain. Detection requires analysing Reply-To mismatches.

What is spoofed email used for?

Business email compromise (BEC)

Attackers impersonate executives, finance staff, or vendors to request wire transfers, payment redirections, or sensitive data. BEC caused over $2.7 billion in reported losses in 2023 according to the FBI’s Internet Crime Complaint Center.

A typical BEC attack: an email appearing to come from the CFO to an accounts payable team member, requesting an urgent wire transfer to a “new vendor account.” The spoofed From address and urgent tone create enough trust to bypass normal approval processes.

Phishing campaigns

Mass phishing emails spoofing trusted brands. An email from [email protected] directing customers to a credential-harvesting page is far more convincing than one from a random domain.

Vendor impersonation

Attackers spoof vendor domains to send fraudulent invoices with altered payment details. The recipient believes the invoice is from a known supplier because the email address matches.

Reputation damage

Spam and malware campaigns sent from your domain damage your email reputation, potentially causing your legitimate email to be filtered or rejected. Your domain may end up on email blacklists.

How SurfaceLoop handles this

SurfaceLoop validates SPF, DKIM, and DMARC configuration across all your domains and subdomains. It identifies domains without authentication, detects common misconfigurations, and tracks your DMARC enforcement status - so you know exactly which domains are protected and which remain spoofable.


How does each protocol stop spoofing?

Attack type              | SPF alone               | DKIM alone               | DMARC (SPF + DKIM)
-------------------------|-------------------------|--------------------------|------------------------
Direct domain spoofing   | Partial (envelope only) | Partial (signature only) | Full prevention
Display name spoofing    | No prevention           | No prevention            | No prevention
Lookalike domain         | No prevention           | No prevention            | No prevention
Subdomain spoofing       | Partial                 | Partial                  | Full (with sp=reject)
Reply-to manipulation    | No prevention           | No prevention            | No prevention

DMARC with enforcement stops direct domain spoofing - the most impactful attack type. Display name spoofing, lookalike domains, and reply-to manipulation require additional defences (user training, domain monitoring, email filtering rules).
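The rows for direct domain spoofing and display name spoofing, and the SPF question in the FAQ below, all follow from DMARC's alignment rule: SPF or DKIM must pass for a domain that aligns with the visible From domain, otherwise the From domain's policy applies. This added example is not code from the article or from SurfaceLoop; it evaluates that rule over constructed scenarios, and its organisational-domain helper is a two-label simplification rather than a Public Suffix List lookup.

```python
def org_domain(domain):
    """Approximate organisational domain: the last two labels (simplification;
    real evaluators consult the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(from_domain, spf_result, envelope_domain, dkim_result, dkim_domain,
                  policy="reject", aspf="r", adkim="r"):
    """Return 'pass', or the action the From domain's policy requests
    ('none', 'quarantine' or 'reject') when neither mechanism passes aligned."""
    spf_ok = spf_result == "pass" and aligned(envelope_domain, from_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else policy


# Constructed scenarios mirroring the table rows; domains are the article's placeholders.
SCENARIOS = {
    # Attacker's own envelope domain passes SPF, but it does not align with the From domain.
    "direct spoof, attacker envelope": dict(
        from_domain="yourcompany.com", spf_result="pass",
        envelope_domain="malicious-domain.com", dkim_result="none", dkim_domain=""),
    # Legitimate mail via a provider: SPF fails on the provider bounce domain, DKIM aligns relaxed.
    "legitimate, relaxed DKIM": dict(
        from_domain="yourcompany.com", spf_result="fail",
        envelope_domain="bounce.mail-provider.com", dkim_result="pass",
        dkim_domain="mail.yourcompany.com"),
    # Display name spoof: the From domain is the attacker's, and it authenticates fine.
    "display-name spoof, attacker's own domain": dict(
        from_domain="malicious-domain.com", spf_result="pass",
        envelope_domain="malicious-domain.com", dkim_result="none", dkim_domain=""),
}


def evaluate_all():
    """Verdict per scenario under a p=reject policy."""
    return {name: dmarc_verdict(**kw) for name, kw in SCENARIOS.items()}
```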

What should you do right now to prevent domain spoofing?

  1. Check if your domain has DMARC. Query _dmarc.yourdomain.com for a TXT record. If there is no record, your domain can be spoofed by anyone.

  2. If you have DMARC, check the policy. If p=none, you are monitoring but not preventing spoofing. Our DMARC enforcement guide covers the path to enforcement.

  3. If you don’t have DMARC, deploy it today. Start with p=none and reporting enabled. Our SPF/DKIM/DMARC setup guide walks through the process step by step.

  4. Check all your domains. Not just your primary domain - every domain you own. Attackers target secondary domains, parked domains, and acquired domains that organisations forget to protect.
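Steps 1 to 4 amount to fetching the _dmarc.<domain> TXT record for every domain you own and reading its p=, sp= and rua= tags. This added example is not code from the article or from SurfaceLoop's tooling; it runs that assessment over constructed TXT records, and the domain names and records are placeholders.

```python
# Constructed _dmarc TXT records covering the situations in the steps above.
# A live lookup for one domain is:  dig +short TXT _dmarc.yourdomain.com
SAMPLE_RECORDS = {
    "yourcompany.com": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourcompany.com; adkim=s; aspf=s",
    "parked-domain.com": "v=DMARC1; p=none; rua=mailto:dmarc@parked-domain.com",
    "acquired-domain.com": None,  # no TXT record at all
    "secondary-domain.com": "v=DMARC1; p=quarantine; sp=none; pct=50",
}


def parse_dmarc(txt):
    """Split 'tag=value; ...' into a dict; None if this is not a valid DMARC record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must come first and p is mandatory (RFC 7489).
    if not txt.strip().upper().startswith("V=DMARC1") or "p" not in tags:
        return None
    return tags


def assess_dmarc(txt):
    """Classify a record as unprotected / monitoring / enforced and list the gaps."""
    tags = parse_dmarc(txt)
    if tags is None:
        return {"status": "unprotected", "issues": ["no valid DMARC record: anyone can spoof this domain"]}
    issues = []
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()  # RFC 7489: sp defaults to p when absent
    if p == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    if sp == "none":
        issues.append("sp=none: subdomains can be spoofed; set sp=reject")
    if "rua" not in tags:
        issues.append("no rua=: no aggregate reports, no visibility into abuse")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    status = "enforced" if p in ("quarantine", "reject") else "monitoring"
    return {"status": status, "issues": issues}


def audit(records):
    """Step 4: run the check across every domain you own, not just the primary one."""
    return {domain: assess_dmarc(txt) for domain, txt in records.items()}
```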

Frequently asked questions

How easy is it to spoof an email address?

Trivially easy. The SMTP protocol does not verify sender addresses. Any mail server can send email claiming any From address. Without SPF, DKIM, and DMARC, there is no mechanism to detect or prevent this forgery.

Can attackers spoof my domain even if I have SPF?

Yes, if you don't have DMARC enforcement. SPF alone only checks the envelope sender (Return-Path), not the visible From address. Attackers can bypass SPF by using their own domain in the envelope while spoofing yours in the From header. DMARC alignment closes this gap.

How do I know if my domain is being spoofed?

Deploy a DMARC record with reporting enabled (rua= tag). Receiving servers will send you aggregate reports showing all email sent using your domain - including spoofed messages. Without DMARC reporting, you have no visibility into domain abuse.

What is display name spoofing?

Display name spoofing uses a legitimate-looking display name (such as 'Your Company CEO') with the attacker's own email address. Many email clients show only the display name, especially on mobile devices, making it convincing. SPF, DKIM, and DMARC cannot prevent this because the sending domain is the attacker's own valid domain.

What is the difference between direct domain spoofing and lookalike domain spoofing?

Direct domain spoofing forges the actual domain in the email From header and is preventable with DMARC enforcement. Lookalike domain spoofing registers a visually similar domain (like yourcornpany.com instead of yourcompany.com) that the attacker fully controls, so it passes all authentication checks and requires separate detection methods.

Can DMARC prevent all types of email spoofing?

No. DMARC with enforcement prevents direct domain spoofing and subdomain spoofing, which are the most impactful attack types. However, display name spoofing, lookalike domain attacks, and reply-to manipulation require additional defences such as user awareness training, domain monitoring services, and email filtering rules.
