Defaults.Exposed

Defaults.ExposedRešenjaGuides

Someone Is Sending Emails From Your Domain: The Emergency Response Guide (2026)

Objavljeno 2026-07-08

Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. See how we grade.

First check whether the fake emails use your exact domain or a lookalike, because the fixes are completely different. Exact-domain spoofing can be shut off in DNS — and most domains haven’t done it: 89.41% have no enforced DMARC policy, and 46.4% publish no SPF at all, according to the Defaults.Exposed census of 261,086,232 graded domains.

This is an incident checklist: first hour — confirm what’s happening without making it worse; first day — close the open door, or start the takedown if the door isn’t yours; first week — monitor, warn the people who might get burned, enforce. Just wondering whether this could happen? Start with can someone spoof my domain? — this page is for when it already is.

First: is it really your domain, or a copycat?

Get one of the fake emails and read the sender address character by character. Everything that follows depends on this:

What the From address showsWhat’s happeningYour path
[email protected] — your domain, spelled exactly rightSpoofing: a stranger’s server is forging your domain in the From line. Your systems are NOT hacked.DNS fix — SPF, DKIM, enforced DMARC. Path 1.
[email protected], yourcompany-billing.com, yourcompany.co — close, but not yoursA lookalike domain someone else registered. Your DNS is never consulted.Takedown + warnings. Path 2.
Your exact address, and the messages sit in your own Sent folder or reply to real threadsAccount compromise — someone is inside a real mailbox. A different incident.Change the password, revoke sessions, enable 2FA, check forwarding rules — before anything else.

Data as of 2026-06-29.

The bolded row is the most common and the most fixable. Email’s core protocol never verified the From line — anyone can type your domain into it — so the fix is publishing DNS records that let receivers check for themselves. The uncomfortable census numbers: 121,145,609 of 261,086,232 graded domains (46.4%) publish no SPF record at all, and 36,014 of the 138,927,207 domains that do publish SPF end it in +all — literally authorising the entire internet to send as them (data as of 2026-06-29).

The first hour: confirm, don’t react

  1. Run the free scan at defaults.exposed. Thirty seconds, no signup. It tells you whether your domain is currently spoofable — SPF present and strict or not, DMARC enforced or not — before you touch DNS.
  2. Don’t reply to the fake, don’t click anything in it, and don’t mass-email your contacts yet. A panicked “ignore emails from us!” blast from the same domain reads exactly like the scam. Warnings come later, targeted and out-of-band.
  3. Collect one full sample with complete headers. Ask a recipient to forward the fake as an attachment (Gmail: “Show original” → download; Outlook: “View message source”). A screenshot of the From line is not enough — the headers are the evidence for everything that follows.
  4. Read the verdict the receiving server already reached. In the headers, find Authentication-Results:dmarc=fail against your exact domain confirms spoofing of your domain; a lookalike in header.from= confirms path 2. One subtlety: receivers evaluate SPF against the Return-Path domain (the RFC5321.MailFrom, the bounce address), not the From header your recipient sees — a spoofed mail can even show spf=pass for the spammer’s domain while forging yours in From. DMARC’s alignment check closes exactly that gap.

Path 1 — it’s your exact domain: the first day

Spoofing your exact domain works only while your DNS says nothing that lets receivers reject it. Today you publish (or tighten) the three records; enforcement follows over the week.

  1. SPF: publish one record listing your real senders, ending in -all (“everyone else: fail”). If yours ends +all or ?all, fix that first — it’s an open door you published yourself. Walk-through: how to fix SPF, provider clicks at SPF on GoDaddy.
  2. DKIM: switch on domain signing in your email provider and any newsletter/invoicing tools (usually a couple of CNAME records each).
  3. DMARC: publish v=DMARC1; p=none; rua=mailto:... today so reports start flowing; p=reject is this week’s project, not this hour’s — full reference at how to fix DMARC. If the domain sends no legitimate email at all — an old brand, a parked domain — skip the caution and lock it down today: that old domain from your rebrand is a door you left open.

The honest caveat, before you relax: an enforced DMARC policy tells receiving servers to junk or reject exact-domain forgeries — and the big providers honor it. But it only binds receivers that check it, and it does nothing whatsoever about lookalike domains: once the crooks can’t send as yourcompany.com, registering yourcompany-billing.com costs a few euro. DMARC shrinks the attack; it doesn’t end the story — the first-week steps matter for you too.

Path 2 — it’s a lookalike: this is not a DNS fix

No record you publish on your domain affects mail from a domain you don’t own — nothing in your DNS is even looked at. The playbook is takedown plus warnings:

  1. Find who’s behind the lookalike. Look it up in RDAP/WHOIS (e.g. lookup.icann.org) to get its registrar, and check whether it hosts a website.
  2. Report it to the registrar’s abuse contact with your full-header sample attached — registrars suspend phishing domains every day; clear evidence makes it fast. A phishing site? Report it to the host, Google Safe Browsing and Microsoft SmartScreen too.
  3. Report the emails as phishing in the receiving mailboxes (Gmail/Outlook “Report phishing”) — this trains the big filters against the lookalike faster than any letter.
  4. Warn the likely targets out-of-band — the step that actually stops money leaving. Call or message (don’t just email) customers, suppliers and your bookkeeper: name the fake domain, and make any change of bank details “from you” verifiable by phone. That habit is the best defence against the invoice-fraud story you’ve heard.
  5. If the lookalike abuses your trademark, a UDRP complaint can transfer the domain — slower than a takedown, but permanent.

And run path 1 anyway: attackers rarely bother with a lookalike while the real domain is still open, and 89.41% of domains have no enforced DMARC (only 27,640,987 of 261,086,232 — 10.59% — do, as of 2026-06-29). Close your own door regardless.

The first week: monitor, warn, enforce

  1. Read your DMARC reports. Within a day or two of the rua= tag going live, aggregate reports show every server sending as your domain — your real ones and the spoofer, with volumes and verdicts. This is how you watch the attack die.
  2. Confirm your legitimate senders pass. Every real source (mail provider, newsletter tool, invoicing app, website contact form) must pass SPF or DKIM aligned to your domain before you enforce — otherwise reject blocks your own mail too.
  3. Ratchet DMARC to p=quarantine, then p=reject. Under active spoofing you compress the usual months into a week or two — but you compress the stages, you don’t skip them. The staged rollout, pct ramp and subdomain policy: from p=none to p=reject without losing legitimate email.
  4. Send one calm, targeted notice to counterparties who may have received fakes: what happened, what the fake asked for, the verify-by-phone rule for payment changes, and (path 2) the exact lookalike domain to block.
  5. Re-scan and keep the report. Insurers and customers increasingly ask what you did about email security; a dated, graded report answers in writing.

Frequently asked questions

I got a scam email from my own address. Have I been hacked? Almost always no — “from you, to you” extortion mail is the same forgery trick, exploiting the fact that your domain doesn’t reject fakes. Check your Sent folder and recent logins; if clean, it’s spoofing, and an enforced DMARC policy stops that variant at receivers that honor it. As of 2026-06-29, 89.41% of 261,086,232 graded domains haven’t done this.

Will DMARC stop the lookalike-domain emails? No. Your DMARC policy governs your exact domain (and its subdomains) only — a lookalike is somebody else’s domain with its own DNS, never checked against your records. Lookalikes are fought with registrar abuse reports, phishing reports and counterparty warnings, not DNS.

How fast will p=reject actually stop the spoofing? DNS changes reach receivers within hours, and Gmail, Outlook and most major providers enforce DMARC verdicts — exact-domain forgeries start dying the day the policy lands. Two honest limits: smaller receivers that never check DMARC may still deliver fakes, and enforcing before your own senders align blocks your legitimate mail — accelerate the stages, don’t skip them.

Send the owner the report

If you’re the IT contractor handling this: once the records are live, re-run the scan and forward the graded report to the business owner. It shows, in plain language, what let the spoofing happen, what you changed and where the domain stands now — the written answer to “are we safe now?”, and the evidence for the insurance renewal or customer questionnaire. If you’re the owner: ask for exactly that report, and keep the before and after.

Check whether your domain is spoofable free

See whether a stranger’s server can currently pass as you — and exactly what to fix — privately and owner-only.

Check your domain → · From p=none to p=reject → · Fix DMARC → · Can someone spoof my domain? → · Aggregate data only. Data stored and processed in the EU.