
How to Stop Email Spoofing: A Guide for Australian Businesses

Gary Hanley
April 1, 2026
9 min read
Someone sending emails that look like they're from your domain? Here's how Australian businesses can stop email spoofing with DMARC, SPF, and DKIM.

Email Spoofing: Why Anyone Can Send Email "From" Your Domain

If you've ever received an email that appeared to come from a trusted company but turned out to be a scam, you've seen email spoofing in action. And if someone is sending fake emails using your business domain, the damage to your reputation can be severe.

Email spoofing is alarmingly easy. The email protocol (SMTP), designed in the 1980s, has no built-in way to verify that the sender is who they claim to be. Anyone with basic technical knowledge can send an email with any "From" address they choose — including yours.

The good news: three protocols — SPF, DKIM, and DMARC — were created to solve this problem. Together, they can stop email spoofing of your domain entirely. This guide explains how they work and how Australian businesses can implement them.


The Real-World Impact of Email Spoofing

Email spoofing isn't just a theoretical risk. Australian businesses face it regularly:

  • Phishing attacks — criminals send emails from "your" domain to your clients, asking them to pay fake invoices or share login credentials
  • Business Email Compromise (BEC) — attackers impersonate your CEO or finance team to trick staff into transferring funds
  • Reputational damage — when recipients receive spam or malware "from" your domain, they lose trust in your business
  • Deliverability problems — if your domain gets a bad reputation from spoofed emails, your legitimate emails start landing in spam

The ACSC (Australian Cyber Security Centre) regularly warns about spoofing campaigns targeting Australian organisations. High-profile examples include fake emails impersonating the ATO, myGov, and major Australian banks — all made possible by domains without proper email authentication.

The Three Protocols That Stop Email Spoofing

Stopping email spoofing requires three complementary protocols. Each addresses a different aspect of the problem, and you need all three for complete protection.

SPF — Who Is Allowed to Send?

Sender Policy Framework (SPF) is a DNS TXT record that lists which mail servers are authorised to send email on behalf of your domain. When a receiving server gets an email from your domain, it checks your SPF record to see if the sending server is on the approved list.

Think of SPF as a guest list for your domain's email. If the sender isn't on the list, the receiving server knows something is wrong.

However, SPF alone has limitations. It only checks the "envelope sender" (the technical return address), not the "From" header that users see. An attacker can use their own domain as the envelope sender while spoofing yours in the visible "From" address — and SPF won't catch it.

DKIM — Has the Message Been Tampered With?

DomainKeys Identified Mail (DKIM) adds a cryptographic signature to outgoing emails. The receiving server verifies this signature against a public key published in your DNS. If the signature matches, the email hasn't been altered in transit.

DKIM proves that the message was signed by whoever holds the private key for the domain named in the signature (its d= tag) and that the signed parts were not altered in transit. Like SPF, it does not on its own prevent spoofing of the visible "From" header: a message can carry a perfectly valid DKIM signature for a domain the sender controls while showing your domain in the "From" address, and the signature will still verify.

DMARC — What to Do When Checks Fail

Domain-based Message Authentication, Reporting, and Conformance (DMARC) ties SPF and DKIM together and adds the critical missing piece: alignment. DMARC checks that the domain in the visible "From" header matches the domain verified by SPF or DKIM.

DMARC also tells receiving servers what to do when authentication fails:

  • p=none — deliver the email anyway (monitoring only)
  • p=quarantine — send it to spam
  • p=reject — block it entirely

And importantly, DMARC provides reporting. You receive daily reports showing who is sending email using your domain — both legitimate services and spoofing attempts.

Why You Need All Three

SPF without DMARC can be bypassed. DKIM without DMARC only proves integrity, not sender identity. DMARC without SPF and DKIM has nothing to align against.

The three protocols are designed to work together:

  1. SPF verifies the sending server is authorised
  2. DKIM verifies the message hasn't been tampered with
  3. DMARC verifies alignment between the visible sender and the authenticated sender, then enforces your policy

With all three properly configured and DMARC set to p=reject, spoofed emails using your domain will be blocked before they reach the recipient's inbox.
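To make the alignment rule concrete, here is a small model of the decision a receiving server makes once SPF and DKIM have each reported a result. It is an added illustration for this article, not DMARC Busta code and not a full RFC 7489 implementation; the domains, policy records and messages are constructed, and the organisational-domain reduction uses a tiny hard-coded suffix set as a stand-in for the Public Suffix List. The three scenarios cover the SPF bypass described above (attacker's envelope domain passes SPF, your domain in "From"), a legitimate message, and the forwarded-mail case from the FAQ below where SPF fails but DKIM still aligns.

```python
"""
Minimal model of the DMARC alignment check a receiving server performs.
Added illustration for this article; not DMARC Busta code and not a complete
RFC 7489 implementation. All domains, policies and messages are constructed.
"""
from dataclasses import dataclass

# Stand-in for the Public Suffix List: under these suffixes the organisational
# domain is the third label from the right. Assumption for this example only.
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "edu.au", "gov.au", "co.uk"}


def org_domain(domain: str) -> str:
    """Reduce a name to its organisational domain (mail.example.com.au -> example.com.au)."""
    labels = domain.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    needs the same organisational domain. An empty auth domain never aligns."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResult:
    """What SPF and DKIM reported for one message, plus the visible From: domain."""
    from_domain: str   # domain in the From: header the user sees
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # envelope sender (MAIL FROM) domain SPF was evaluated for
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the DKIM signature, "" when unsigned


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def evaluate_dmarc(msg: AuthResult, policy: dict) -> dict:
    """DMARC passes if SPF passed AND its domain aligns with From:, or DKIM
    passed AND its d= domain aligns with From:. Otherwise p= decides."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.from_domain, policy.get("aspf", "r"))
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.from_domain, policy.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    if passed:
        disposition = "deliver"
    else:
        disposition = {"none": "deliver", "quarantine": "spam", "reject": "reject"}[policy.get("p", "none")]
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail", "disposition": disposition}


# Constructed policies and scenarios for the placeholder domain example.com.au
REJECT_POLICY = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au")
MONITOR_POLICY = parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc@example.com.au")

# 1. Spoof: envelope sender is a domain the attacker controls, so SPF passes
#    for THAT domain, but the visible From: is yours. Nothing aligns.
SPOOFED = AuthResult("example.com.au", "pass", "attacker-owned.example", "none", "")
# 2. Legitimate mail from your own platform: SPF and DKIM both aligned.
LEGIT = AuthResult("example.com.au", "pass", "example.com.au", "pass", "example.com.au")
# 3. Forwarded mail: SPF fails (forwarder's IP is not in your record) but the
#    DKIM signature travelled with the message and still aligns.
FORWARDED = AuthResult("example.com.au", "fail", "example.com.au", "pass", "example.com.au")

if __name__ == "__main__":
    for name, msg in [("spoofed", SPOOFED), ("legit", LEGIT), ("forwarded", FORWARDED)]:
        print(name, evaluate_dmarc(msg, REJECT_POLICY))
```

Run with the reject policy, the spoofed message is rejected, the legitimate one delivered, and the forwarded one delivered on the strength of DKIM alone. Swap in `MONITOR_POLICY` and the spoofed message is still delivered, which is exactly the gap a domain stuck at p=none leaves open.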


Why Jumping Straight to p=reject Is Dangerous

If your domain currently has no DMARC record, you might think the fastest fix is to publish v=DMARC1; p=reject and be done with it. Don't do this.

Most businesses use multiple services that send email on their behalf — your email platform (Microsoft 365, Google Workspace), CRM (HubSpot, Salesforce), marketing tools (Mailchimp, SendGrid), accounting software (Xero), helpdesk (Zendesk), and more. Each of these services needs to be properly authenticated with SPF and DKIM.

If you enforce a reject policy before all your legitimate sending services are authenticated, their emails will be blocked. Your invoices won't arrive, your marketing campaigns will bounce, and your support replies will vanish.

The safe progression is:

  1. p=none — monitor for 2–4 weeks. Review DMARC reports to identify all services sending as your domain.
  2. Authenticate everything — ensure every legitimate service has correct SPF and DKIM configuration.
  3. p=quarantine — failing emails go to spam. Monitor for 2–4 weeks to catch any missed services.
  4. p=reject — full protection. Spoofed emails are blocked entirely.

How DMARC Busta Automates the Journey

Manually managing DMARC progression across even a handful of domains is tedious and error-prone. You need to read XML reports, identify sending services, configure SPF and DKIM for each one, and carefully progress your policy — all without breaking legitimate email.

DMARC Busta's Autopilot does this automatically:

  • Connects to your DNS provider (Cloudflare, cPanel, AWS Route53) and makes changes directly — no manual DNS editing
  • AI-powered source identification — automatically recognises and authenticates legitimate sending services
  • Safe, gradual progression — moves from p=none through p=quarantine to p=reject, only advancing when it's safe
  • Automatic rollback — if issues are detected after a policy change, Autopilot reverts to the previous policy automatically
  • Continuous monitoring — watches for new sending services, anomalies, and configuration drift

For businesses managing multiple domains — such as MSPs or organisations with multiple brands — Autopilot manages every domain independently, each progressing at its own safe pace.

What Does Full Protection Look Like?

When your domain is fully protected against email spoofing, you have:

  • SPF record listing every authorised sending service, staying under the 10 DNS lookup limit
  • DKIM signing configured for all outbound email services, with valid public keys published in DNS
  • DMARC policy at p=reject — any email that fails both SPF and DKIM alignment is blocked before reaching the recipient
  • DMARC reporting enabled — you receive daily aggregate reports showing authentication results for all email sent using your domain
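The "10 DNS lookup limit" in the SPF bullet is the RFC 7208 cap on DNS-querying terms: include, a, mx, ptr, exists and redirect= each count, terms inside an included record count too, and ip4, ip6 and all do not. The counter below is an added illustration for this article, not DMARC Busta's scanner; the DNS is a constructed in-memory dictionary of placeholder records under .example standing in for real TXT lookups, and it shows a domain with five sending services blowing through the limit and the same domain brought back under it.

```python
"""
SPF DNS-lookup counter. Added illustration for this article; not DMARC Busta's
scanner. Counts the terms RFC 7208 treats as DNS lookups, recursing into
include: and redirect= targets, and flags include loops and void lookups.
All records below are constructed placeholders, not real vendor SPF records.
"""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed DNS for one domain with several sending services.
CONSTRUCTED_DNS = {
    "example.com.au": ("v=spf1 include:_spf.mailplatform.example include:_spf.crm.example "
                       "include:_spf.marketing.example include:_spf.accounting.example a mx ~all"),
    "_spf.mailplatform.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailplatform-backup.example -all",
    "_spf.mailplatform-backup.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.crm.example": "v=spf1 include:_spf.crm-pool1.example include:_spf.crm-pool2.example -all",
    "_spf.crm-pool1.example": "v=spf1 ip4:192.0.2.0/25 -all",
    "_spf.crm-pool2.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "_spf.marketing.example": "v=spf1 a mx include:_spf.marketing-shared.example -all",
    "_spf.marketing-shared.example": "v=spf1 ip4:203.0.113.128/25 -all",
    "_spf.accounting.example": "v=spf1 ip4:198.51.100.200 -all",
}


def count_lookups(domain, dns, seen=frozenset(), problems=None):
    """Number of DNS-querying terms reachable from the SPF record at `domain`.
    `problems` collects include loops and void lookups (an include: of a name
    with no SPF record), both of which receivers treat as errors."""
    if problems is None:
        problems = []
    if domain in seen:
        problems.append(f"include loop at {domain}")
        return 0
    record = dns.get(domain)
    if record is None:
        problems.append(f"no SPF record at {domain} (void lookup)")
        return 0
    total = 0
    for term in record.split()[1:]:              # skip the v=spf1 version tag
        term = term.lstrip("+-~?")               # qualifiers do not change counting
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, dns, seen | {domain}, problems)
            continue
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0].lower()        # strip CIDR suffix on a/24, mx/24
        if mech in LOOKUP_MECHANISMS:
            total += 1
            if mech == "include":
                total += count_lookups(arg, dns, seen | {domain}, problems)
    return total


def check_spf(domain, dns):
    """Summarise the record against the RFC 7208 limit of 10 lookups."""
    problems = []
    lookups = count_lookups(domain, dns, problems=problems)
    return {"lookups": lookups, "within_limit": lookups <= 10 and not problems, "problems": problems}


# The same domain after dropping the unused top-level `a mx` terms and replacing
# the accounting include with the single address it resolves to (constructed).
FIXED_DNS = dict(CONSTRUCTED_DNS)
FIXED_DNS["example.com.au"] = ("v=spf1 include:_spf.mailplatform.example include:_spf.crm.example "
                               "include:_spf.marketing.example ip4:198.51.100.200 ~all")

if __name__ == "__main__":
    print("before:", check_spf("example.com.au", CONSTRUCTED_DNS))
    print("after: ", check_spf("example.com.au", FIXED_DNS))
```

The original record costs 12 lookups (six at the top level plus six inside the includes), so receivers return permerror and SPF silently stops protecting the domain; the trimmed record costs 9. Nested includes are where the count usually hides, which is why a record that looks short can still be over the limit.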

At this point, an attacker who tries to send a phishing email pretending to be from your domain will have that email rejected by the recipient's mail server. Your clients, suppliers, and staff are protected from impersonation attacks using your domain.

How Long Does It Take?

The timeline depends on your starting point and complexity:

  • Simple setup (one email service, e.g., Microsoft 365 only): 4–6 weeks from p=none to p=reject
  • Moderate setup (3–5 email services — email platform, CRM, marketing tool): 6–8 weeks
  • Complex setup (10+ services, multiple brands, legacy systems): 8–12 weeks

DMARC Busta's Autopilot handles the progression automatically. The monitoring periods between policy changes are designed to catch any missed sending sources before they become a problem.

Australian Context

Email spoofing is a particularly acute problem in Australia. The ACSC recommends DMARC implementation as a key email security control. The SMB1001:2026 framework now requires DMARC at Level 2 and above. And multiple compliance frameworks are converging on DMARC as a baseline requirement.

Despite this, our research into Australian DMARC adoption found that the majority of businesses either have no DMARC record or are stuck at p=none — monitoring spoofing without actually preventing it.

Frequently Asked Questions

Can someone spoof my domain even if I have SPF?

Yes. SPF only checks the envelope sender (the technical return path), not the visible "From" address that users see. An attacker can use their own domain as the envelope sender while spoofing yours in the "From" header. Only DMARC with alignment checking prevents this, because DMARC verifies that the visible "From" domain matches the domain authenticated by SPF or DKIM.

Will DMARC break my legitimate email?

Not if you implement it correctly. Starting with p=none has zero impact on email delivery — it only enables reporting. The risk comes when progressing to p=quarantine or p=reject before all legitimate sending sources are authenticated. This is why gradual progression with monitoring is essential.

How do I know if my domain is being spoofed?

DMARC reports tell you. Once you publish a DMARC record with reporting enabled (the rua= tag), you'll receive daily aggregate reports from receiving servers like Google and Microsoft. These reports show every IP address that sent email using your domain, along with whether the emails passed or failed SPF and DKIM. Illegitimate sources — spoofers — show up as failures from IP addresses you don't recognise.
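The report-reading work described in the DMARC Busta section above (turning XML aggregate reports into a list of sending services and deciding when the policy can safely advance) and the spoof detection described in this answer are the same task. The script below is an added illustration for this article, not DMARC Busta's parser: it reads the RFC 7489 aggregate XML format, separates sources you recognise from ones you do not, and answers the question the p=none stage exists to answer. The report, the reporting organisation and the IP addresses are all constructed, as is the list of known sources.

```python
"""
DMARC aggregate (rua) report triage. Added illustration for this article, not
DMARC Busta's parser. The report below is constructed: documentation-range IPs,
a placeholder reporting organisation, and a made-up report id.
"""
import xml.etree.ElementTree as ET

CONSTRUCTED_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>constructed-0001</report_id>
    <date_range><begin>1775000000</begin><end>1775086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com.au</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com.au</header_from></identifiers>
    <auth_results><dkim><domain>example.com.au</domain><result>pass</result></dkim>
      <spf><domain>example.com.au</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.200</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com.au</header_from></identifiers>
    <auth_results><spf><domain>bounce.marketing.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>130</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com.au</header_from></identifiers>
    <auth_results><spf><domain>attacker-owned.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""

# Constructed inventory of services you know send as your domain.
KNOWN_SOURCES = {"203.0.113.10": "Mail platform", "192.0.2.200": "Marketing tool"}


def parse_aggregate(xml_text):
    """Flatten each <record> into a dict. policy_evaluated carries the ALIGNED
    SPF/DKIM verdicts DMARC acts on; auth_results carries the raw results and
    shows which domain actually authenticated (e.g. a marketing tool's bounce
    domain, or an attacker's own domain)."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_aligned": rec.findtext("row/policy_evaluated/dkim") == "pass",
            "spf_aligned": rec.findtext("row/policy_evaluated/spf") == "pass",
            "spf_auth_domain": rec.findtext("auth_results/spf/domain"),
        })
    return rows


def triage(rows, known_sources):
    """Split sources into passing, known-but-failing (a legitimate service not
    yet authenticated) and unknown-failing (what spoofing looks like)."""
    out = {"passing": [], "known_failing": [], "unknown_failing": []}
    for r in rows:
        if r["dkim_aligned"] or r["spf_aligned"]:
            out["passing"].append(r["source_ip"])
        elif r["source_ip"] in known_sources:
            out["known_failing"].append(r["source_ip"])
        else:
            out["unknown_failing"].append(r["source_ip"])
    return out


def safe_to_advance(rows, known_sources):
    """Move p=none -> quarantine -> reject only once no known service fails."""
    return not triage(rows, known_sources)["known_failing"]


if __name__ == "__main__":
    rows = parse_aggregate(CONSTRUCTED_REPORT)
    print(triage(rows, KNOWN_SOURCES))
    print("safe to advance:", safe_to_advance(rows, KNOWN_SOURCES))
```

In this constructed report the mail platform passes, the marketing tool fails both checks (its SPF passed for its own bounce domain, which does not align with yours), and an unrecognised address sent 130 messages that failed everything. The marketing tool is the reason not to advance yet; the unknown source is what the eventual p=reject policy will block.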

What about forwarded email?

Email forwarding often breaks SPF because the forwarding server's IP address isn't in your SPF record. This is why DKIM is important: the signature travels with the message itself rather than depending on which server delivered it, so it normally survives forwarding. With both SPF and DKIM configured, forwarded emails can still pass DMARC via DKIM alignment even when SPF fails. The exception is a forwarder that modifies the signed content, such as a mailing list that adds a footer or tags the subject line; that breaks the DKIM signature as well, and such messages will fail DMARC under p=reject.


Next Steps

  1. Scan your domain to see your current protection level
  2. Review the report — it shows exactly what's configured and what's missing
  3. Get started with DMARC Busta — free plan for monitoring, paid plans from $19/month for full Autopilot automation

If you're also dealing with email deliverability issues, read our guide on why emails go to spam and how to fix it. For technical details on SPF configuration, see our article on fixing SPF DNS lookup limits.

#email-spoofing #dmarc #security #australia #phishing
