
Email Spoofing Protection

How to prevent anyone from sending email that appears to come from your domain.

critical severity

Email spoofing is when someone sends an email that looks like it's from your domain - but isn't. It's trivially easy to do: email's core protocol (SMTP) doesn't verify the sender by default. Without additional protections, anyone can claim to be sending from an address at your domain.

The three defenses work together:

  • SPF - lists which servers are allowed to send as you
  • DKIM - adds a cryptographic signature to emails from your authorized servers
  • DMARC - tells receivers what to do when email fails SPF or DKIM, and sends you reports

Spoofed email from your domain can:

  • Phish your customers, tricking them into giving up passwords or payment details
  • Damage your brand reputation - users get suspicious emails "from you" and lose trust
  • Get your domain blacklisted, affecting your own email deliverability
  • Be used in business email compromise (BEC) attacks, one of the most costly types of cybercrime

To fix it, set up all three defenses:

  1. Add an SPF record - TXT record at your root domain listing your sending services
  2. Enable DKIM - in your email provider dashboard; they'll give you a TXT record to add
  3. Add a DMARC record - TXT record at _dmarc.yourdomain.com with p=quarantine or p=reject

In order of priority: DMARC first (biggest impact), then SPF, then DKIM. All three together give complete protection.
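
The following audit of the SPF and DMARC records from steps 1 and 3 is an added example, not code from this page or its scanner. The function names and every record string are constructed for illustration; DKIM is left out because its TXT record lives under a provider-specific selector name.

```python
# Added example: audit TXT records for the SPF and DMARC settings described above.
# Input is a list of TXT strings as a DNS lookup would return them.

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(root_txt, dmarc_txt):
    """root_txt: TXT records at the root domain; dmarc_txt: TXT records at _dmarc.<domain>."""
    findings = []
    spf = [r for r in root_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("spf: missing")
    elif len(spf) > 1:
        findings.append("spf: multiple records, which receivers treat as an error")
    else:
        terms = spf[0].lower().split()[1:]
        all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
        has_redirect = any(t.startswith("redirect=") for t in terms)
        if not all_terms and not has_redirect:
            findings.append("spf: no 'all' mechanism, unlisted senders are not failed")
        elif all_terms and all_terms[0][0] not in "-~":
            # a bare 'all' defaults to '+', which passes every sender
            findings.append("spf: 'all' does not fail unlisted senders")
    dmarc = [r for r in dmarc_txt if parse_tags(r).get("v") == "DMARC1"]
    if not dmarc:
        findings.append("dmarc: missing")
    elif len(dmarc) > 1:
        findings.append("dmarc: multiple records, so no policy is applied")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"dmarc: p={policy or '(unset)'} does not act on failing mail")
        if "rua" not in tags:
            findings.append("dmarc: no rua address, so no aggregate reports")
    return findings

# Constructed sample records (not real DNS data).
WEAK_ROOT = ["v=spf1 include:_spf.mail.example +all"]
WEAK_DMARC = ["v=DMARC1; p=none"]
GOOD_ROOT = ["site-verification=constructed", "v=spf1 include:_spf.mail.example -all"]
GOOD_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@mail.example"]
```

An empty list from `audit(GOOD_ROOT, GOOD_DMARC)` means both records match the settings in the steps above; each string in the list for the weak samples names the record to fix.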

Check each service's documentation for DKIM/SPF setup:

  • Google Workspace: Admin Console → Apps → Gmail → Authenticate email
  • Resend: resend.com → Domains → your domain → DKIM records
  • Postmark: Account → Sender Signatures → your domain → DKIM
  • Microsoft 365: Defender portal → Email authentication settings
