Short answer. Email spoofing is sending mail as your domain without your knowledge — the foundation of phishing and BEC attacks. You can stop it only with all three mechanisms together: SPF (who is allowed to send), DKIM (a cryptographic signature) and DMARC (what to do with failures, plus alignment with the visible From domain). The goal is a p=reject DMARC policy.
How spoofing works
The SMTP protocol historically does not verify who is in the sender field. An attacker simply puts your domain in From and the message looks genuine. The victim sees a familiar name, trusts it, and clicks a link or pays a fake invoice. Without authentication there is no defense.
Three layers of protection
- SPF — a list of authorized sending servers.
- DKIM — a digital signature proving integrity and origin.
- DMARC — a policy on top of SPF and DKIM plus alignment with the visible From domain.
SPF and DKIM alone do not block spoofing: SPF checks the envelope sender (MAIL FROM), not the visible From header; DKIM proves that a signature is valid but does not require the signing domain to match the From domain. Only DMARC ties both checks to what the user actually sees.
Real records for the stack
```
# 1. SPF — who is allowed to send:
example.com. IN TXT "v=spf1 include:_spf.google.com ~all"
# 2. DKIM — public signing key:
selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."
# 3. DMARC — reject forgeries:
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
# Verify all three:
dig +short txt example.com
dig +short txt selector._domainkey.example.com
dig +short txt _dmarc.example.com
```
The path to p=reject
| Stage | Policy | What happens |
|---|---|---|
| 1. Observe | p=none | Collect reports, nothing is blocked |
| 2. Quarantine | p=quarantine | Forgeries go to spam |
| 3. Protect | p=reject | Forgeries rejected at receipt |
Move to p=reject gradually: start at p=none and analyze DMARC reports so you do not block your own legitimate sending services.
Additional measures
- Strict alignment — adkim=s and aspf=s for tight domain matching.
- BIMI — your brand logo in mailboxes once you reach p=reject (extra trust signal).
- Train staff to recognize phishing and verify the sender address.
- Monitor DMARC reports for unknown sources appearing.
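To make the alignment rule concrete (why SPF or DKIM passing is not enough, and what adkim=s / aspf=s change), here is a small Python model of a receiver's DMARC decision. It is an added example, not code from enterno or any mail server: inputs are constructed, no DNS is queried, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
# Added example: model of the DMARC verdict described above (no DNS, no network).
# Assumption: organizational domain = last two labels (real receivers use the PSL).

def org_domain(domain: str) -> str:
    """Approximate organizational domain, e.g. mail.example.com -> example.com."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags; alignment defaults to relaxed."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def dmarc_evaluate(from_domain: str, spf_result: str, mail_from_domain: str,
                   dkim_result: str, dkim_d: str, record: str):
    """Return (dmarc_pass, disposition).

    from_domain      visible RFC5322.From domain (what the user sees)
    spf_result       SPF verdict for the envelope MAIL FROM domain
    dkim_result      DKIM verdict for the signature with d=dkim_d
    DMARC passes if at least one mechanism passes AND is aligned with From.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    # Policy applies only to failures; a pass is delivered normally.
    return passed, ("none" if passed else tags["p"])

if __name__ == "__main__":
    REC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
    # Constructed forgery: From says example.com, SPF passes for the attacker's
    # own envelope domain, no DKIM. SPF "pass" is not aligned -> reject.
    print(dmarc_evaluate("example.com", "pass", "attacker.example", "none", "", REC))
    # Legitimate mail signed by a subdomain: strict alignment rejects it,
    # relaxed alignment accepts it.
    print(dmarc_evaluate("example.com", "fail", "example.com", "pass", "mail.example.com", REC))
    print(dmarc_evaluate("example.com", "fail", "example.com", "pass", "mail.example.com",
                         "v=DMARC1; p=reject"))
```

The second pair of calls is the practical reason to check DMARC reports before switching to adkim=s / aspf=s: a subdomain used by a legitimate sending service fails strict alignment.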
How enterno.io helps
The /email-check tool checks the whole SPF + DKIM + DMARC stack at once and shows whether the domain is protected against forgery or the policy is still p=none. On Pro+ you can upload DMARC aggregate (RUA) reports to see who is sending as you. enterno diagnoses and monitors the setup — DNS records are edited by the owner, and enterno does not send email. Free: 10 monitors, 48+ tools and a DNS check.
FAQ
Will DMARC alone protect me without SPF and DKIM?
No. DMARC relies on SPF and DKIM results. Without at least one of them passing with alignment, DMARC cannot authorize your mail and legitimate email suffers too.
How is spoofing different from phishing?
Spoofing is the technique of forging the sender address. Phishing is the goal: to steal data or money. Spoofing is often used as a tool for phishing.
Can a domain with p=reject still be spoofed?
Forging the From field with an aligned domain — no, such mail is rejected. Attackers switch to look-alike domains (typosquatting), so also watch for similar names.
Check your protection: run /email-check and take DMARC to p=reject. See also reading DMARC reports and SPF explained.