Email spoofing
Also known as: email impersonation, sender forgery, fake from address
Email spoofing is when someone sends email that looks like it came from your business — the same name, the same domain — to trick your customers or staff, and it's stopped by locking down your domain's email settings.
What it is
Email spoofing is faking the “from” address on an email. The way email was originally built, anyone can type any sender address they like — there’s nothing forcing the “from” line to be true. So a scammer can send a message that appears, to the recipient, to come straight from your business.
It’s not hacking your account or breaking into anything. They don’t need your password. They simply forge the label on the envelope.
Why it matters to your business
Spoofing is the engine behind most email scams aimed at — or using — your business. A spoofed email from “you” can send a customer a fake invoice with the criminal’s bank details, or ask your bookkeeper for an urgent payment “from the owner.” Because the message genuinely looks like it came from your domain, it slips past people’s instincts.
The damage lands on you: lost money, an angry customer, and a reputation hit when people realise your name was used. The good news is that spoofing of your exact domain is preventable — it’s a settings problem, not a mystery.
How to tell / what to do
The defence is the trio of email settings — SPF, DKIM, and especially DMARC set to reject. Together they tell the world’s mail providers to throw away email that fakes your domain. Our free checker shows whether yours are in place and enforcing. The fixes are free. Start with the DMARC fix guide.
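What "in place and enforcing" means in the records themselves, as an added example (not this site's checker or its code). The function names and grade labels are made up for illustration, the records are constructed samples for example.com, and DKIM is left out because its record sits under a selector name that cannot be derived from the domain alone.

```python
# Added example: grade SPF and DMARC TXT values that were already looked up.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the first tag must be exactly v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_dmarc(txt_records):
    """Return 'missing', 'invalid', 'monitor-only', 'partial' or 'enforcing'."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "missing"
    if len(records) > 1 or "p" not in records[0]:
        return "invalid"  # duplicates or a missing p tag: no enforcement
    policy = records[0]["p"].lower()
    if policy == "none":
        return "monitor-only"  # reports only; forged mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "invalid"
    full = records[0].get("pct", "100") == "100"
    return "enforcing" if policy == "reject" and full else "partial"

def grade_spf(txt_records):
    """Return 'missing', 'invalid', 'delegated', 'open' or 'restrictive'."""
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"  # RFC 7208: more than one SPF record is a permerror
    terms = spf[0].lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        # redirect= hands the decision to another domain's record
        return "delegated" if any(t.startswith("redirect=") for t in terms) else "open"
    # a bare "all" means "+all"; only -all (fail) and ~all (softfail) flag unlisted senders
    return "restrictive" if alls[0][0] in "-~" else "open"

if __name__ == "__main__":
    # Constructed sample records for example.com
    print(grade_spf(["v=spf1 include:_spf.example.net ~all"]))
    print(grade_dmarc(["v=DMARC1; p=none; rua=mailto:reports@example.com"]))
```

Pass grade_spf the TXT values found at the domain itself and grade_dmarc the ones found at _dmarc.<domain>; anything short of "enforcing" from grade_dmarc means forged mail can still be delivered.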