How to protect your email from spoofing – a quick guide

Email spoofing is a method of impersonating corporate email addresses, used by cybercriminals for fraud and data theft. To effectively protect yourself against it, it is worth configuring the appropriate DNS records. In this article, I briefly explain what to do and how to do it.

What happened? – a real-life story

Recently, one of my long-time clients reached out to me with an unusual problem. They received an email in which someone impersonated their corporate domain and sent a fake invoice. The issue was that the sender’s address looked strikingly similar to their real business email—differing by just a few letters.

The client received a message stating: “Attached is an urgent invoice for payment, please process it first thing in the morning with an express transfer.” The email was sent from john.doe@abc.com, while the client’s actual email address was j.doe@abc.com. The recipient could easily overlook the subtle difference in the address, making this type of attack particularly dangerous. I received the question “How is it possible that someone sent an email from our domain if we never even created that address? And what can we do to protect ourselves from this?”

This is a classic example of an attack known as spoofing, which is becoming an increasingly common threat in business email communication.

What is spoofing?

Spoofing is a technique used by cybercriminals to impersonate another sender. In the case of emails, this means that an attacker can send a message that appears to come from your domain—even though they actually have no access to your email inbox.

It’s a bit like a fake delivery—someone sends a package and signs it with your name. The recipient sees familiar sender details, but in reality, you have nothing to do with that message. This technique is used for purposes such as:

  • sending fake invoices to steal money,
  • phishing, or attempts to steal login credentials,
  • spreading malware through email attachments,
  • damaging trust in your brand and company.

The good news is that you can effectively protect your domain against spoofing.

How to protect yourself from spoofing?

The most important step is to properly configure your domain’s DNS settings. To do this, it is advisable to contact your IT administrator or email provider and ensure that three key security mechanisms are correctly set up for your domain:

  1. SPF (Sender Policy Framework) – defines which servers are allowed to send emails on behalf of your domain.
  2. DKIM (DomainKeys Identified Mail) – adds a digital signature to outgoing emails so that the recipient can verify whether the message has been altered in transit.
  3. DMARC (Domain-based Message Authentication, Reporting & Conformance) – integrates SPF and DKIM while allowing you to define what should happen to messages that fail authentication (e.g., they can be rejected or marked as spam).

SPF, DKIM, and DMARC from a technical perspective

If you have access to your domain’s DNS management panel, you can manually add the appropriate records. Here is a detailed guide for each of them:

SPF – Defining Authorized Mail Servers

SPF is a mechanism that specifies which mail servers are allowed to send messages on behalf of your domain. To check if your domain already has an SPF record configured, you can use a tool like MXToolbox and enter your domain in the SPF Record Lookup category.

An example SPF record for a domain managed by Google Workspace looks as follows:

v=spf1 include:_spf.google.com ~all

  • include:_spf.google.com – means that Google servers are authorized to send emails.
  • ~all – indicates that all other servers are considered suspicious (you can use -all to completely block them).

DKIM – Signing Emails with a Digital Key

DKIM (DomainKeys Identified Mail) adds a unique signature to each email message, allowing the recipient to verify whether the email comes from an authorized source. For Google Workspace, you can generate a DKIM key in the Google Admin Console: go to Admin Console > Apps > Google Workspace > Gmail > Email Authentication. Then click Set up DKIM to generate a key, and finally, add the generated DKIM record to your domain’s DNS settings.

Below is an example DKIM record:

domainkey._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSI..."

DMARC – Policy for Protection Against Spoofing

DMARC allows you to define what should happen to emails that fail SPF and DKIM authentication on the recipient’s side. Below is an example DMARC record:

_dmarc.example.com IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

The p parameter sets the policy and takes one of the following values:

  • p=none – enables monitoring but does not block suspicious emails,
  • p=quarantine – sends suspicious emails to the spam folder,
  • p=reject – completely rejects unauthorized emails.

It is recommended to start the DMARC configuration with p=none to monitor messages before implementing stricter blocking policies.
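As an added example that is not part of the original article, here is a small Python check that parses SPF records like the one in the SPF section and DMARC records like the one above, and reports the weak settings discussed (a missing or permissive all term, p=none, no reporting address); the sample records at the bottom are constructed for the example.

```python
SPF_ALL = {"-": "hard fail", "~": "soft fail", "?": "neutral", "+": "pass"}

def parse_spf(record):
    """Split a 'v=spf1 ...' record into (mechanisms, qualifier of the 'all' term)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # an unqualified term means '+'
        body = term.lstrip("+-~?")
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(body)
    return mechanisms, all_qualifier

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=...; rua=...' into a tag dictionary, or None if not DMARC."""
    tags = {}
    for key, _, value in (part.partition("=") for part in record.split(";")):
        if value:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def findings(spf_record, dmarc_record):
    """Return a list of weaknesses; an empty list means both records are strict."""
    issues = []
    spf = parse_spf(spf_record or "")
    if spf is None:
        issues.append("SPF: no record, any server may claim to send for the domain")
    elif spf[1] in (None, "?", "+"):  # no 'all' term behaves like neutral
        issues.append("SPF: 'all' term is %s, unlisted servers are not rejected" % SPF_ALL.get(spf[1], "missing"))
    elif spf[1] == "~":
        issues.append("SPF: '~all' only soft-fails unlisted servers; use '-all' once DMARC reports look clean")
    dmarc = parse_dmarc(dmarc_record or "")
    if dmarc is None or "p" not in dmarc:
        issues.append("DMARC: no policy, receivers will not act on SPF/DKIM failures")
    else:
        if dmarc["p"].lower() == "none":
            issues.append("DMARC: p=none only monitors; move to quarantine or reject after reviewing reports")
        if "rua" not in dmarc:
            issues.append("DMARC: no rua= address, aggregate reports will not arrive")
    return issues

# Constructed sample records: a monitoring-only setup next to a hardened one.
WEAK_SPF, WEAK_DMARC = "v=spf1 include:_spf.google.com ~all", "v=DMARC1; p=none"
STRICT_SPF = "v=spf1 include:_spf.google.com -all"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
```

Run findings() against the TXT values you pull from DNS for your own domain; an empty list means nothing in the records themselves is left open.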