
What Is Email Spoofing and How to Protect Your Domain from Being Impersonated

by dotCanada Team

Email spoofing is exactly what it sounds like: someone sends an email that appears to come from your domain - your company name, your From address - without your knowledge or consent. The recipient sees your brand. The email is not from you. The damage can be severe.

How Email Spoofing Works

The Simple Mail Transfer Protocol (SMTP) - the technical foundation of email - was designed in an era when the internet was a small, trusted network. It has no built-in verification that the sender is who they claim to be. The "From" field in an email is just a header, and anyone with access to an SMTP server can write whatever they want in that field.

This means that right now, without any action on your part, a scammer could send thousands of phishing emails that appear to come from billing@yourcompany.ca. Victims click a fake invoice link, enter their credit card details, and never suspect the email was fraudulent - it had your domain on it.

Why It Matters for Your Business

The consequences of email spoofing extend well beyond the immediate victims:

Reputation damage - If emails pretending to be from your domain are flagged as spam or reported as phishing, major email providers start treating legitimate mail from your domain with suspicion.

Blacklisting - Mail servers that receive enough complaints about a domain can add it to real-time blacklists (RBLs). Once blacklisted, even your authentic emails may not reach customers' inboxes.

Customer trust - If clients receive a fraudulent invoice "from you" and pay it, the financial and relationship damage can take months to repair.

The Three Technical Defenses

Three DNS-based authentication standards work together to defeat spoofing. Each plays a different role.

SPF (Sender Policy Framework) is a DNS record that lists the mail servers authorized to send email on behalf of your domain. When a receiving server gets a message whose envelope sender (the SMTP MAIL FROM address) is in your domain, it checks your SPF record. If the sending server is not on the list, the message can be flagged or rejected. SPF alone does not check the visible "From" header, which is why DMARC's alignment rule below matters.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The receiving server verifies the signature against a public key published in your DNS. This confirms that the signed parts of the email have not been altered in transit and that it was signed by a server holding your domain's private signing key.

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving servers what to do when a message fails authentication - deliver it, quarantine it, or reject it. It also enables reporting, so you receive data about who is sending email using your domain.

Starting with DMARC in Reporting Mode

The safest way to implement DMARC is to start with a policy of p=none. This means DMARC is active and generating reports, but failing messages are still delivered. You can see what is going on before you enforce anything.

A minimal reporting-mode DMARC record looks like this:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.ca

Add this as a TXT record at _dmarc.yourcompany.ca. Within a few days, you will start receiving aggregate reports from major mail providers showing which sources are sending email using your domain and whether those messages are passing or failing authentication.

Once you have reviewed the reports and confirmed that all your legitimate sending sources (your email host, your newsletter tool, your CRM) are passing authentication, you can tighten the policy. Move to p=quarantine (failing messages go to spam) and eventually p=reject (failing messages are blocked entirely).
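How the three records fit together, as an added example that is not dotCanada's code: a simplified SPF check and a DMARC evaluation that applies the alignment rule and the published policy. It runs offline, so only the ip4, ip6 and all SPF mechanisms are handled (include, a and mx need DNS lookups and are reported as unsupported), the organizational domain is approximated as the last two labels rather than the Public Suffix List, and the pct tag is ignored. The SPF record, IP addresses and the bounce domain in the demo are constructed values; the DMARC record is the one from the article.

```python
"""Simplified SPF and DMARC evaluation (added example, not dotCanada's code).

Handles only ip4/ip6/all SPF terms so it runs offline; include, a and mx
need DNS and are reported as unsupported. Organizational domain is
approximated as the last two labels (wrong for e.g. .co.uk). pct= ignored."""
import ipaddress

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                          # default qualifier is "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")     # e.g. "ip4:203.0.113.0/24"
        parsed.append((qualifier, mech.lower(), value))
    return parsed


def check_spf(record, sending_ip):
    """Return the SPF result for sending_ip; the first matching term wins."""
    ip = ipaddress.ip_address(sending_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech in ("ip4", "ip6"):
            # "in" is False when the IP version differs, so ip6 terms skip v4 IPs
            if ip in ipaddress.ip_network(value, strict=False):
                return SPF_RESULT[qualifier]
        elif mech == "all":
            return SPF_RESULT[qualifier]
        else:
            # include/a/mx/exists/redirect need DNS; a real evaluator resolves them
            return "unsupported:" + mech
    return "neutral"                             # no "all" term: RFC 7208 default


def parse_dmarc(record):
    """Parse "v=DMARC1; p=none; ..." into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")                # relaxed alignment by default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Naive organizational domain: last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict ("s") needs an exact match; relaxed ("r") only the org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_evaluate(record, header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain
    is the d= of a verified signature. DMARC passes if either mechanism
    passes AND its domain aligns with the visible From header."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]   # p=none delivers, quarantine -> spam, reject -> blocked


if __name__ == "__main__":
    spf = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"    # constructed record
    dmarc = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.ca"
    print("authorized host:", check_spf(spf, "203.0.113.10"))
    print("unknown host:   ", check_spf(spf, "198.51.100.5"))
    # A message from an unauthorized host with no DKIM signature fails DMARC,
    # but under p=none it is still delivered (and reported).
    print(dmarc_evaluate(dmarc, "yourcompany.ca", "fail", "yourcompany.ca", "none", ""))
    print(dmarc_evaluate(dmarc.replace("p=none", "p=reject"),
                         "yourcompany.ca", "fail", "yourcompany.ca", "none", ""))
```

The newsletter-tool case in the test below is the one that most often surprises people during the ramp-up: SPF passes for the tool's own bounce domain, which is not aligned with your From header, so the message only passes DMARC because the tool also signs with a DKIM key published under your domain.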

Monitoring DMARC Reports

DMARC aggregate reports arrive as XML files, which are not human-readable on their own. Several free and paid tools parse them into dashboards:

  • MXToolbox DMARC Analyzer - free tier available, clear interface
  • DMARC Digests - simple weekly email summaries, good for smaller domains
  • Postmark's DMARC Tool - straightforward free option for basic monitoring

Check your reports at least monthly during the enforcement ramp-up period. Look for unknown sources sending under your domain: these are either misconfigured internal tools that you need to add to your SPF record (or set up DKIM signing for), or active spoofing attempts that you want to block.
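What a parsing tool does with an aggregate report, as an added example that is not dotCanada's code and not one of the tools listed above: it reads the RFC 7489 aggregate XML, classifies each sending source as authenticated, a known source that is failing (fix its SPF/DKIM), or an unknown source that is failing (possible spoofing), and totals the failing volume. The XML report, the IP addresses, the counts and the KNOWN_SENDERS table are all constructed sample values.

```python
"""Parse a DMARC aggregate (RUA) report and triage its sending sources.

Added example, not dotCanada's code. SAMPLE_REPORT is a constructed report
in the RFC 7489 aggregate layout; addresses and counts are made up."""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>constructed-sample-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published><domain>yourcompany.ca</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>412</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.ca</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.200</source_ip><count>58</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.ca</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>37</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.ca</header_from></identifiers>
  </record>
</feedback>
"""

# Sending sources you already know about (constructed): network -> label.
KNOWN_SENDERS = {
    "203.0.113.0/24": "primary mail host",
    "192.0.2.200/32": "newsletter tool",
}


def parse_aggregate_report(xml_text):
    """Flatten the report into metadata plus one dict per <record>."""
    root = ET.fromstring(xml_text)
    report = {
        "org": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        report["rows"].append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),     # aligned DKIM result
            "spf": evaluated.findtext("spf"),       # aligned SPF result
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return report


def label_source(ip, known=KNOWN_SENDERS):
    """Return the label of the known network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, label in known.items():
        if addr in ipaddress.ip_network(net):
            return label
    return None


def triage(report, known=KNOWN_SENDERS):
    """Classify each row; DMARC passes when either aligned result is pass."""
    findings = []
    for row in report["rows"]:
        passed = "pass" in (row["dkim"], row["spf"])
        label = label_source(row["source_ip"], known)
        if passed:
            status = "authenticated"
        elif label:
            status = "known-source-failing"      # add it to SPF or enable DKIM
        else:
            status = "unknown-source-failing"    # possible spoofing: review
        findings.append({**row, "label": label, "status": status})
    return findings


def failing_volume(findings):
    """Messages that would be affected once the policy moves past p=none."""
    return sum(f["count"] for f in findings if f["status"] != "authenticated")


if __name__ == "__main__":
    rep = parse_aggregate_report(SAMPLE_REPORT)
    print(f"Report from {rep['org']} for {rep['domain']} (p={rep['policy']})")
    for f in triage(rep):
        print(f"{f['source_ip']:>15} {f['count']:>5}  dkim={f['dkim']:<4} spf={f['spf']:<4}"
              f"  {f['status']} ({f['label'] or 'unknown'})")
    print("would fail under enforcement:", failing_volume(triage(rep)))
```

The second row is the case worth noticing: the newsletter tool fails SPF (it sends from its own servers) but passes DKIM, so it is fine to enforce against; the third row is unknown traffic that would be dropped under p=reject, which is exactly what you want to confirm before tightening the policy.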

The Risk of Doing Nothing

A domain with no SPF, DKIM, or DMARC records is a domain that attackers can impersonate freely. Major email providers - Gmail, Microsoft 365, Apple Mail - increasingly treat unauthenticated mail with suspicion even when it is legitimate. Setting up these records is no longer optional for any domain used to send business email. It takes less than an hour and the protection is permanent.
