Blog

A glowing blue digital envelope with a padlock icon, symbolizing secure or encrypted email communication, is displayed on a pixelated screen background.
Managed IT Services Security

How to Stop Someone From Sending Email in Your Company’s Name

Without any special tools or technical skill, a stranger can send an email that appears to come from your company. Your domain in the From line. Your logo in the body. A short, reasonable request: pay this invoice, or update the account we send payments to.

That is email spoofing. It is one of the most common opening moves in fraud aimed at your clients and suppliers, and it works because most people trust the name they see in their inbox.

Three settings on your domain make it much harder to pull off. They are called SPF, DKIM, and DMARC. Most businesses have one or two of them in place and the third either missing or only half configured. That gap is usually all a spoofed message needs to slip through.

Here is what each one does, the setting most businesses get wrong, and how to check your own domain.

Why anyone can send email in your name

Email was designed in a more trusting era. The system that carries mail from one server to the next does not, on its own, confirm that the sender is who they claim to be.

Picture the From address like a return address someone writes on an envelope by hand. You can put any name in the corner, drop the envelope in the mailbox, and it still gets delivered. Nobody at the post office checks whether that name is real.

Spoofing works the same way. Someone puts your domain in the From field, sends the message, and unless your domain is set up to stop it, the receiving mail server has no reason to doubt it. The message lands in your client’s inbox looking like it came from you.

This is not a fringe concern. CISA, the federal agency responsible for U.S. cybersecurity, names domain spoofing as a routine way attackers launch phishing, and points to SPF, DKIM, and DMARC as the defense.

The three records that shut spoofing down

SPF, DKIM, and DMARC are three DNS records that work together to prove a message really came from your domain. You add them once, at your domain registrar or DNS host, and receiving mail servers check them on every message you send.

SPF: the list of who is allowed to send

SPF (Sender Policy Framework) is a published list of the mail servers allowed to send email for your domain. When a receiving server gets a message claiming to be from you, it checks whether the sending server is on that list. A server that is not on the list gets flagged.

DKIM: the tamper-proof signature

DKIM (DomainKeys Identified Mail) adds a signature to every message you send. Your mail server signs outgoing email with a private key, and the matching public key lives in your DNS. The receiving server checks the signature to confirm two things: the message really came from your domain, and nobody altered it in transit.

DMARC: the rule that ties it together

DMARC (Domain-based Message Authentication, Reporting and Conformance) does two jobs. First, it tells receiving servers what to do when a message fails the SPF and DKIM checks. Second, it confirms that the domain in the visible From address matches the domain that SPF and DKIM verified, which is the part that stops someone forging your exact address.

It also sends you reports showing every source using your domain to send mail, including the ones that should not be.

The DMARC setting most businesses get wrong

DMARC has three policy settings, and picking the wrong one is the single most common mistake we see.

  • p=none tells receiving servers to do nothing when a message fails. It monitors and reports, and that is all. Your domain can still be spoofed.
  • p=quarantine tells them to route failing messages to the junk folder.
  • p=reject tells them to block failing messages before they ever reach the inbox.

Here is the trap. A business sets DMARC to p=none, watches the reports roll in, and never moves past it. At p=none you get visibility, but your domain still is not protected. Real protection starts at quarantine or reject.

CISA’s own guidance treats p=none as a temporary step on the way to reject, not a finish line. Its directive for federal agencies calls a reject policy the strongest protection against spoofed mail, because unauthenticated messages get stopped at the mail server before delivery.

For medical and dental practices, this one is worth a second look. CISA’s guidance for the healthcare sector specifically recommends moving DMARC from p=none toward reject to keep spoofed mail away from patients and staff. If your practice handles PHI, a domain sitting at p=none is a gap worth closing.

What these records do not stop

SPF, DKIM, and DMARC stop someone from forging your exact domain. There are two things they do not catch, and both are worth knowing.

  • Lookalike domains. Someone can register a domain that resembles yours, such as yourcompany-invoices.com, or yourcompany.co instead of .com, and send from that. Your records protect your real domain, not a different one the attacker owns.
  • Display-name spoofing. The name shown in the From line can read “Your Company Billing” while the actual address behind it is a throwaway Gmail account. DMARC checks the domain, not the display name.

Law firms tend to run into both around wire instructions. A message that looks like it is from a client or a title company, sent from a lookalike domain, asking to redirect closing or settlement funds, is one of the more expensive versions of this scam. The records do not catch it, so the habit has to.

That habit is the same one that catches any phishing attempt: read the full email address instead of the display name, and verify any request to change payment or banking details by calling a number you already have on file, never the number printed in the email.

Why this matters even if you never send bulk email

Two reasons.

The first is protection. These records stop someone from impersonating your domain to your clients, your vendors, and your own staff.

The second is deliverability, and this one now touches everyone. The major mailbox providers have started requiring authentication from anyone sending in volume.

  • Since February 2024, Google and Yahoo have required bulk senders, meaning those sending more than 5,000 messages a day to their users, to have SPF, DKIM, and DMARC in place.
  • In May 2025, Microsoft began enforcing the same requirement for high-volume senders to Outlook.com and Hotmail, and chose to reject non-compliant mail outright rather than quietly drop it in the junk folder.

Even well below those thresholds, a domain with proper authentication is simply more likely to reach the inbox than the spam folder. So this is not only a security setting. It is part of whether your everyday email gets delivered at all.

How to check and fix your domain

You can get a rough read on where you stand without touching anything technical. Several free DMARC and SPF checkers let you type in your domain and see which records exist. That tells you whether the records are present, though not whether they are configured correctly, which is where most of the real problems hide.

Fixing them properly is a job for whoever manages your IT or your domain. The records live in your DNS, and a mistake can send your own legitimate email to spam, so the rollout is done in stages.

  1. Publish SPF and DKIM so every one of your real mail sources is covered.
  2. Add DMARC at p=none and read the reports until you are confident your legitimate mail is passing.
  3. Move DMARC to p=quarantine, then to p=reject, once the reports are clean.

This gradual path is the one CISA recommends: start at none, confirm your good mail passes, then tighten. Done in order, you protect the domain without knocking out your own email on the way.

If you want a hand with it

If you would rather not sort through DMARC reports yourself, or you just want a second set of eyes to confirm your SPF, DKIM, and DMARC are set up the way they should be, that is the kind of thing we handle for the practices and firms we work with. If it would help to talk it through, you can reach us at (407) 720-6540.

Frequently asked questions

What is email spoofing?

Email spoofing is when someone sends a message with your domain in the From address so it looks like it came from your company. It is used to trick your clients, vendors, or staff into paying fake invoices, changing bank details, or handing over information they should not.

What are SPF, DKIM, and DMARC in plain terms?

SPF is a list of the servers allowed to send email for your domain. DKIM is a signature that proves a message came from you and was not altered along the way. DMARC ties the two together, tells receiving servers what to do with mail that fails, and reports who is sending email using your domain.

Does DMARC stop every kind of impersonation?

No. DMARC stops someone forging your exact domain. It does not stop lookalike domains such as yourcompany-invoices.com, and it does not stop display-name spoofing, where the sender’s name reads like your company but the address behind it belongs to someone else. Those still come down to staff awareness and a habit of verifying payment changes by phone.

Will turning on DMARC block my own email?

Not if you roll it out in order. Starting at p=none lets you watch the reports and confirm your legitimate mail is passing before you move to quarantine and then reject. Jumping straight to reject without checking first is what causes trouble.

Do I need these records if I barely send any email?

Yes. They protect your domain from being spoofed no matter how little mail you send, and they help the mail you do send reach the inbox. Google, Yahoo, and Microsoft all expect proper authentication now, and mail without it is more likely to be filtered.