Domain Spoofing

Someone Is Using Your Domain to Send Emails. Here's How to Stop It.

Without DMARC, anyone on the internet can send email pretending to be your business. Your customers receive it. You get the blame.

Free · No account needed · Results in seconds

The moment you found out

How Did You Find Out?

Most people arrive here because something already went wrong. One of these will be familiar.

01. A customer reported it

A customer contacted you about a suspicious email they received from your address. You didn't send it. They want to know why it came from you.

02. You're getting bounce-backs

You're receiving undeliverable notices — replies and failed delivery messages for emails you never wrote. Your domain is being used as a return address.

03. A scan flagged it

A security scan, IT provider, or cyber insurance questionnaire told you your domain has no DMARC record — and you realised you didn't know what that meant.

Whichever one brought you here — the problem is the same. Your domain has no protection, and anyone can use it to send email. The good news is that it's fixable today.

Root cause

Email Was Built With No Identity Check

When email was designed in the 1970s, the people who built it assumed everyone using it was doing so legitimately. So they didn't build any verification into the protocol.

What that means today: any mail server, anywhere in the world, can put your domain name in the From field and send. Gmail receives it. Outlook receives it. Your customer receives it.

The only thing that changes this is a set of DNS records you control — SPF, DKIM and DMARC. Without them, the instruction to reject never comes, and the spoofed email delivers.

It's like the postal system letting anyone write your return address on an envelope. Without DMARC, there's nothing stopping them.

[Diagram: Attacker's mail server (anywhere in the world) sends FROM: billing@yourco.com → Gmail / Outlook receiving mail server, no policy to enforce → delivered to the inbox of john@yourclient.com, who sees your domain in the From field.]

Without DMARC — the spoofed email delivers as if it were real

The attack sequence

What Actually Happens When Your Domain Is Unprotected

This sequence takes under a minute from the attacker's side. The damage lasts far longer.

01. Attacker copies your domain

Your domain name is public — it's on your website, your email signature, your Google listing. Anyone can paste it into any mail server in seconds.

02. The email sends and delivers

No DMARC record means no instruction to block it. Gmail, Outlook and Yahoo deliver the email without question. The attack costs the attacker nothing.

03. Your customer sees your name

The From field shows your exact domain. There's no visual indicator that it didn't come from you. It looks exactly like your business sent it.

04. The damage starts accumulating

Your customer follows the fraudulent instructions — or reports it as spam. Spam reports accumulate on your domain. Your real emails begin going to junk.

The longer this continues, the harder it is to recover. Spam reports accumulate and your genuine emails — invoices, quotes, follow-ups — start landing in junk folders.

The solution

Three DNS Records. That's All It Takes.

SPF, DKIM and DMARC work as a set — you need all three configured correctly for full protection.

SPF
Sender Policy Framework

SPF tells every mail server on the internet which servers are authorised to send from your domain. If the sender isn't on your list, the check fails.

Example record

v=spf1 include:_spf.google.com ~all

DKIM
DomainKeys Identified Mail

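DKIM puts a cryptographic signature on every email you send, made with a private key only your mail system holds. The matching public key is published in your DNS. If someone sends email pretending to be from your domain, they can't produce a signature that verifies against that key, and receiving servers can tell immediately.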

Example record

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B…

DMARC
Domain-based Message Authentication

DMARC ties SPF and DKIM together. It tells Gmail and Outlook what to do when an email fails authentication — quarantine it or reject it outright. It also sends you daily reports.

Example record

v=DMARC1; p=reject; rua=mailto:r@yourdomain.com


Risk escalation

The Longer You Wait, The Worse It Gets

Domain spoofing isn't a one-off event. Once attackers find an unprotected domain, they use it repeatedly.

94%
of cyberattacks start with email

Your customers stop trusting you

Once someone receives a convincing fake email from your domain, they question every future email you send. That uncertainty is almost impossible to undo.

35%
average drop in deliverability after prolonged spoofing

Your real emails go to spam

Every spoofed email reported as spam adds a mark against your domain's reputation. Gmail and Outlook eventually start filtering your legitimate emails into junk.

£4.2M
average cost of a phishing breach

Insurance claims can be denied

Insurers increasingly treat SPF, DKIM and DMARC as a baseline requirement. No protection when a breach occurs? The claim can be rejected. It's in more policies every year.

Free domain check

Find Out If Your Domain Is Protected

Enter your domain. DMARClytics checks SPF, DKIM and DMARC and returns a plain-English result — not a wall of DNS output you'd need an IT background to read.

Is SPF correctly configured?
Is DKIM signing your emails?
Is DMARC set up and enforcing?
Plain-English result. No jargon.


Questions & answers

Common Questions

Can I actually stop someone from sending emails from my domain?

You can't stop them attempting it — the email protocol doesn't allow for that. But with DMARC set to p=reject, Gmail, Outlook, Yahoo and most other providers will automatically reject any email from your domain that hasn't been authenticated by your SPF and DKIM records. The fake emails never reach anyone. The attempt becomes pointless, and attackers move on.

Will fixing this break the emails I'm already sending?

Only if you skip the monitoring phase. DMARClytics starts you on a p=none policy, which means you get the reports and visibility without enforcing anything yet. You can see every source sending email from your domain — including your CRM, your marketing tool, your invoicing platform — before you lock anything down. Once you know everything legitimate is covered, you move to enforcement. No surprises.

Do I need an IT person to set this up?

No. DMARClytics is built for business owners and operations teams, not IT departments. It tells you what records are missing, gives you the exact values to add to your DNS, and walks you through where to add them in GoDaddy, Cloudflare, Namecheap or wherever your domain is managed. Most businesses have basic protection in place within a day.

How do I know if someone is already doing this to my domain right now?

Run the free check below. If your DMARC record is missing or set to p=none without any reporting set up, you have no visibility into what's being sent from your domain — legitimate or otherwise. Statistically, most domains without DMARC are being spoofed within months of registration. If you haven't looked, assume there's already a problem.
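The rollout described in the answers above (start at p=none with reports, then move to enforcement), as an added example that is not DMARClytics code: it parses a domain's TXT records, reports the DMARC posture, and shows what the policy asks a receiver to do with a message that fails authentication. The labels `unprotected`, `blind`, `monitoring` and `enforcing` are names chosen for this example; SPF and DKIM results are passed in as already-evaluated booleans, and the `pct` and `sp` tags are ignored.

```python
# Added example. All records below are constructed samples; no DNS is queried.
SAMPLES = {
    "no record":   ["v=spf1 include:_spf.google.com ~all"],  # SPF only
    "p=none only": ["v=DMARC1; p=none"],
    "monitoring":  ["v=DMARC1; p=none; rua=mailto:r@yourdomain.com"],
    "enforcing":   ["v=DMARC1; p=reject; rua=mailto:r@yourdomain.com"],
    "duplicate":   ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

def _tags(record):
    """Split 'k=v; k=v' into (key, value) pairs, keys lower-cased."""
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    return [(k.strip().lower(), v.strip()) for k, v in pairs]

def parse_dmarc(txt_records):
    """Return the tags of the TXT record at _dmarc.<domain>, or None.

    Zero records, or more than one, means no DMARC policy is applied.
    """
    found = [t for t in map(_tags, txt_records) if t and t[0] == ("v", "DMARC1")]
    return dict(found[0]) if len(found) == 1 else None

def posture(txt_records):
    """Classify the domain: unprotected, blind, monitoring or enforcing."""
    tags = parse_dmarc(txt_records)
    if tags is None:
        return "unprotected"
    policy = tags.get("p", "none").lower()
    if policy in ("quarantine", "reject"):
        return "enforcing:" + policy
    return "monitoring" if tags.get("rua") else "blind"

def requested_disposition(txt_records, spf_aligned_pass, dkim_aligned_pass):
    """What the domain owner's policy asks a receiver to do with one message."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver"  # a single aligned pass satisfies DMARC
    policy = (parse_dmarc(txt_records) or {}).get("p", "none").lower()
    return {"quarantine": "junk", "reject": "reject"}.get(policy, "deliver")

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        spoofed = requested_disposition(records, False, False)
        print(f"{name:12} posture={posture(records):17} spoofed mail -> {spoofed}")
```

The "duplicate" sample is the failure mode worth checking for after a DNS change: two DMARC records at the same name leave the domain with no policy at all, even though one of them says p=reject.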

Stop the Spoofing. Protect Your Domain Today.

DMARClytics sets up DMARC monitoring in minutes, shows you every sender using your domain, and guides you to full enforcement — step by step.

No credit card required · Free plan available · Setup in under 5 minutes