
What is email spoofing and how to prevent it

Tags: security, spoofing, authentication

Summary

Email spoofing is when someone sends email pretending to be from your domain. It's trivially easy without proper authentication, devastatingly effective for phishing, and preventable with SPF, DKIM, and DMARC.

In 2020, a finance employee at a mid-sized company received an email from their CEO asking for an urgent wire transfer. The email came from the CEO's exact email address. The writing style matched. The request, while unusual, wasn't implausible—they'd done emergency transfers before. The employee sent $200,000 to an account that turned out to belong to criminals in Eastern Europe.

The CEO had never sent that email. Someone had spoofed it.

Email spoofing is one of those attacks that seems like it shouldn't work in 2024. Surely we've figured out how to verify who sent an email? But the uncomfortable reality is that email was designed in an era of implicit trust, and that design still haunts us. Without explicit countermeasures, anyone can send an email claiming to be from anyone else.

Why spoofing is so easy

To understand why spoofing works, you need to understand how email actually works—and how different it is from what most people assume.

When you send a physical letter, the return address is just something you write on the envelope. The postal service doesn't verify it. You could write the White House as your return address, and the letter would be delivered without question. Email works the same way.

The 'From' address you see in your inbox is just a header in the email message. The sending server sets it to whatever it wants. There's no built-in verification that the server is authorized to send for that domain, or that the person sending actually controls that address.

This wasn't an oversight—it was a design choice. Early email networks were small, trusted communities. Everyone knew everyone. The idea that someone would lie about their identity wasn't a major concern. By the time the internet grew large enough for this to be a problem, the protocol was too entrenched to change.

The result is that spoofing an email requires no special tools or skills. You can do it with a few lines of code, or with freely available software, or even with some email clients' advanced settings. The barrier to entry is essentially zero.

The anatomy of a spoofed email

A spoofed email looks exactly like a legitimate email because, structurally, it is a legitimate email—just with false information in the headers.

The attacker sets the 'From' header to the address they want to impersonate. They might also set the 'Reply-To' header to their own address, so responses come to them instead of the impersonated sender. The 'envelope from' (used for bounce messages) might be different again.

Sophisticated attackers go further. They study the target's writing style and mimic it. They research the organization to make requests plausible. They time their attacks for when the impersonated person is traveling or otherwise unavailable to quickly deny sending the email.

The email travels through the attacker's mail server to the recipient's mail server. Without authentication checks, the recipient's server has no way to know the email is fraudulent. It delivers it to the inbox like any other email.

From the recipient's perspective, the email appears completely legitimate. The 'From' address is correct. There's no obvious sign of forgery. The only clues might be subtle—a slightly different tone, an unusual request, a reply-to address that doesn't match the from address. These are easy to miss, especially when you're busy.
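To make the header relationships above concrete, here is an added example (not code from the original article) that pulls the From, Reply-To and Return-Path domains out of a message and reports where they disagree. The sample message and every address in it are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From is the impersonated domain, while the
# Reply-To and the envelope sender (Return-Path) point somewhere else.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer-example.net>
From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: <jane.doe@example-mail.net>
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached wire today.
"""

def _domain(header_value):
    """Return the lowercase domain of an address header, or None if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def header_mismatches(raw_message):
    """Return findings where the visible From domain disagrees with the
    Reply-To domain or the envelope sender (Return-Path) domain.

    A Return-Path on another domain is common for legitimate mail sent
    through a bulk provider, so treat these as triage signals, not verdicts;
    DMARC alignment (below) is the authoritative check."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    if from_domain is None:
        return ["missing or unparseable From header"]
    findings = []
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} != From domain {from_domain}")
    return_domain = _domain(msg.get("Return-Path"))
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain} != From domain {from_domain}")
    return findings
```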

The business impact

Spoofing enables several categories of attack, each with different targets and impacts.

Business Email Compromise (BEC) targets employees with access to money or sensitive data. The attacker impersonates an executive or trusted partner and requests wire transfers, W-2 forms, or confidential information. The FBI estimates BEC caused $2.7 billion in losses in 2022 alone—more than any other type of cybercrime.

Phishing campaigns use spoofed emails to steal credentials at scale. An email appearing to come from IT asks employees to 'verify' their passwords. An email from 'HR' links to a fake benefits portal. The spoofed sender domain makes these attacks far more convincing than obvious spam.

Reputation attacks use your domain to send spam or malware. Even if recipients don't fall for the attack, they associate the malicious email with your brand. Your domain ends up on blacklists. Your legitimate email deliverability suffers. Cleaning up the mess takes months.

Supply chain attacks target your customers or partners. Attackers send invoices from your spoofed domain with modified payment details. Or they send malware disguised as documents your company would plausibly share. Your relationships suffer even though you did nothing wrong.

Stopping spoofing with authentication

The good news is that email spoofing is a solved problem—technically. The solution is the authentication trifecta: SPF, DKIM, and DMARC.

SPF lets you publish a list of servers authorized to send email for your domain. When an email arrives claiming to be from your domain, the receiving server can check whether the sending server is on your list. If not, the email is suspicious.

DKIM adds a cryptographic signature to your emails. The signature proves the email came from someone with your private key and hasn't been modified in transit. Attackers can't forge this signature without access to your key.

DMARC ties it together. It requires that the domain authenticated by SPF or DKIM aligns with the visible 'From' address, and it tells receiving servers what to do when neither SPF nor DKIM passes with an aligned domain. With DMARC at 'reject' policy, spoofed emails are blocked before reaching the inbox.

The catch is that all three need to be properly configured, and DMARC needs to be at enforcement level (quarantine or reject). Many organizations have SPF and DKIM but leave DMARC at 'none'—which provides monitoring but no protection. It's like having a security camera but no locks.
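An added example, not the article's own code, showing the DMARC decision described above: it parses a DMARC TXT record, applies alignment to the SPF and DKIM results, and returns the disposition, so the difference between 'p=none' and 'p=reject' is visible for the same spoofed message. The records and domains are constructed, and organizational-domain handling is simplified (no Public Suffix List lookup).

```python
# Constructed DMARC TXT records for the two configurations the text contrasts.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCED = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags.
    Defaults follow RFC 7489: relaxed alignment; 'v' and 'p' are required."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def _org_domain(domain):
    # Simplification: treat the last two labels as the organizational domain
    # (real receivers consult the Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts
    any subdomain of the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return _org_domain(auth_domain) == _org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass', or the action the record requests (none/quarantine/reject).

    spf_pass_domain:  envelope-from domain that SPF passed for, or None if SPF failed.
    dkim_pass_domain: d= domain of a DKIM signature that verified, or None.
    DMARC passes if either result is aligned with the visible From domain;
    the sp= and pct= tags are left out of this simplified model."""
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_pass_domain, from_domain, tags["aspf"])
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]
```

A spoofer whose own server has valid SPF for its own domain still fails, because that domain is not aligned with the From domain; under 'p=none' the receiver merely records the failure in reports.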

The other catch is that authentication only protects your domain. It doesn't stop attackers from registering lookalike domains (yourcompany-secure.com) or using display name spoofing ('Your Company CEO <[email protected]>'). Defense in depth requires user education alongside technical controls.

What to do if you're being spoofed

If you discover your domain is being spoofed, the response depends on whether you have authentication in place.

If you have DMARC at enforcement, the spoofed emails are already being blocked by most major email providers. Your DMARC reports will show the attack—you'll see failed authentication from IPs you don't recognize. Monitor the reports, but the immediate threat is contained.

If you don't have DMARC enforcement, you're in damage control mode. Implement authentication as quickly as possible, but recognize that moving to enforcement takes time if you want to avoid blocking legitimate email. In the meantime, communicate with your customers and partners about the attack. Give them specific guidance on how to identify legitimate emails from you.

Either way, report the attack. If it's a BEC attempt, report to the FBI's IC3. If it's a phishing campaign, report to the Anti-Phishing Working Group. If the spoofed emails are being sent through a specific provider, report to their abuse team. None of this will stop the immediate attack, but it contributes to broader efforts against these threats.

Finally, use the incident to justify investment in email security. Spoofing attacks are visceral and easy to understand. They make a compelling case for the resources needed to implement proper authentication.

Frequently asked questions

Can spoofing be completely prevented?

Domain spoofing (exact impersonation of your domain) can be prevented with properly configured SPF, DKIM, and DMARC. Lookalike domains and display name spoofing require additional measures like domain monitoring and user training.

Why do some spoofed emails still get through?

Either the target domain doesn't have DMARC enforcement, or the receiving server doesn't check DMARC. Major providers like Gmail and Outlook enforce DMARC, but smaller providers might not.

How do I know if my domain is being spoofed?

DMARC reports show all email claiming to be from your domain, including spoofed messages. Without DMARC, you might only find out when recipients complain or when you end up on blacklists.

Is spoofing illegal?

Spoofing itself exists in a legal gray area, but the attacks it enables—fraud, phishing, impersonation—are illegal in most jurisdictions. Prosecution is difficult when attackers are overseas.


Written by the emailr team
