What to do if your company’s emails are being spoofed

Published on: 13 November 2025
11 min read
Email spoofing represents one of the most persistent threats to business security. This guide provides a comprehensive action plan for organizations discovering their emails are being spoofed, from immediate response steps to long-term technical defenses that stop attackers from impersonating your domain.

Key takeaways

  • Email spoofing costs businesses $2.9 billion annually through Business Email Compromise attacks, making rapid response essential
  • SPF, DKIM, and DMARC work together to create a three-layer authentication system that blocks spoofed emails at the server level
  • Organizations can achieve full protection systematically by following a progressive implementation approach from monitoring to enforcement
  • 50.2% of companies have DMARC enforcement, but 75% remain in monitoring mode without active blocking of spoofed emails
  • Proper implementation maintains 95%+ delivery rates for legitimate emails while completely blocking domain impersonation attempts

Table of contents

  1. Understanding email spoofing
  2. Identifying the signs of email spoofing
  3. Immediate actions to take
  4. Implementing technical defenses
  5. Setting up SPF, DKIM, and DMARC
  6. Organizational strategies to combat spoofing
  7. Training and awareness programs
  8. Ensuring robust email protection with Red Sift
  9. Frequently asked questions
  10. References

Understanding email spoofing

Email spoofing involves forging the sender's address on emails to make messages appear as though they originate from a legitimate source within your organization. Attackers exploit weaknesses in email protocols to manipulate the "From" field, creating convincing impersonations that trick recipients into believing fraudulent messages are authentic.

The Simple Mail Transfer Protocol (SMTP), which governs email transmission, lacks built-in sender verification. This architectural limitation allows anyone with basic technical knowledge to send emails that appear to come from your domain. Spoofed emails serve various malicious purposes: phishing credentials, distributing malware, committing financial fraud, or damaging your organization's reputation.

According to the FBI's Internet Crime Complaint Center, Business Email Compromise attacks involving spoofed emails resulted in $2.9 billion in losses in 2023 [1]. These attacks target organizations of all sizes, with attackers impersonating executives, vendors, or trusted partners to manipulate recipients into transferring funds, sharing sensitive information, or compromising systems.

Identifying the signs of email spoofing

Recognizing email spoofing requires vigilance across multiple indicators. Organizations often discover spoofing through customer reports, bounced messages, or unusual email activity that doesn't align with internal sending patterns.

Primary warning signs

Organizations experiencing email spoofing typically observe four critical indicators:

  1. Customer complaints about suspicious emails: Recipients reporting emails they never requested, often containing phishing links or unusual requests supposedly from your organization
  2. Unexpected bounce-back messages: Your team receives non-delivery reports for emails they never sent, indicating someone is using your domain to send messages that subsequently fail delivery
  3. Increased spam reports: A sudden rise in spam complaints or blacklist additions for your domain, even though your internal email practices haven't changed
  4. Unusual authentication failures: DMARC reports (if implemented) showing high volumes of failed authentication attempts from IP addresses your organization doesn't use

Verifying email spoofing

Examine the full email headers to confirm spoofing. Check the Authentication-Results header for failures (spf=fail, dkim=fail, dmarc=fail), a mismatch between the domain in the "From" header and the domain in the "Return-Path" header, and unfamiliar originating IP addresses in the Received headers. Email security platforms provide dashboards that make this verification process accessible.
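The header checks above, as an added example that is not part of the original article or of Red Sift's tooling: it parses two constructed header samples (placeholder domains yourcompany.example and mailer-example.net, documentation IP ranges) and reports the verdicts, the From/Return-Path mismatch and the relaying IP.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers of a message claiming to come from the placeholder
# domain yourcompany.example but relayed by an unrelated server; not a real capture.
RAW_SPOOFED = """\
Return-Path: <bounce@mailer-example.net>
Received: from mailer-example.net (mailer-example.net [203.0.113.45])
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=mailer-example.net;
 dkim=none;
 dmarc=fail header.from=yourcompany.example
From: "CEO" <ceo@yourcompany.example>
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed sample of a legitimate message from the same domain, for contrast.
RAW_LEGIT = """\
Return-Path: <news@yourcompany.example>
Received: from mail.yourcompany.example (mail.yourcompany.example [192.0.2.10])
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=yourcompany.example;
 dkim=pass header.d=yourcompany.example;
 dmarc=pass header.from=yourcompany.example
From: Newsletter <news@yourcompany.example>
Subject: Monthly update

Hello.
"""

def domain_of(header_value):
    """Lower-cased domain of an address header such as 'Name <user@domain>'."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()

def check_message(raw):
    """Apply the guide's three checks: Authentication-Results verdicts, From vs
    Return-Path domain mismatch, and the relaying IP taken from Received."""
    msg = email.message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    from_dom = domain_of(msg["From"])
    return_dom = domain_of(msg["Return-Path"])
    received = " ".join(msg.get_all("Received", []))
    source_ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    findings = [f"{m}={verdicts.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass"]
    if from_dom and return_dom and from_dom != return_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {return_dom}")
    return {"verdicts": verdicts, "from_domain": from_dom, "return_path_domain": return_dom,
            "source_ips": source_ips, "findings": findings, "likely_spoofed": bool(findings)}

if __name__ == "__main__":
    for label, raw in (("spoofed", RAW_SPOOFED), ("legitimate", RAW_LEGIT)):
        print(label, check_message(raw)["findings"])
```

Only the Authentication-Results header added by your own receiving server is trustworthy; a sender can forge that header too, so strip or ignore copies that arrive from outside.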

Immediate actions to take

Discovering that your company's emails are being spoofed demands swift, coordinated response to contain the threat and protect stakeholders. Immediate action matters significantly in minimizing damage and preventing further exploitation.

Immediate response steps

Alert your security and IT teams

Immediately notify your information security team and IT administrators. Email spoofing incidents require technical expertise to investigate scope, implement defenses, and coordinate response activities. Establish incident command with clear roles for investigation, communication, and technical remediation.

Document the spoofing evidence

Collect examples of spoofed emails, including complete headers showing authentication failures and originating IP addresses. Document when spoofing was first detected, the volume of reported incidents, and any patterns in targeting or content. This evidence supports investigation efforts and may be required for law enforcement reporting.

Evidence collection checklist:

  • Full email headers from multiple spoofed messages
  • Screenshots showing sender information and content
  • List of affected recipients with contact details
  • Documentation of when spoofing was first detected
  • IP addresses of originating servers
  • Any financial transactions or data compromised

Notify affected stakeholders

Alert customers, partners, and employees about the spoofing activity. Clear communication prevents victims from falling for subsequent attacks and demonstrates your organization's commitment to security. Provide specific indicators people can use to verify legitimate communications, such as alternative contact methods or verification procedures.

Report to relevant authorities

File reports with law enforcement agencies including the FBI's Internet Crime Complaint Center (IC3) for Business Email Compromise incidents [2]. If spoofing involves financial fraud, coordinate with your bank's fraud department. Regulatory requirements may mandate additional reporting depending on your industry and jurisdiction.

Implement temporary protective measures

While working toward long-term technical solutions, implement immediate safeguards. These might include additional verification requirements for financial transactions, heightened employee awareness about suspicious emails, and enhanced monitoring of email authentication reports.

Communication guidelines

When notifying stakeholders about spoofing incidents, provide actionable guidance rather than creating unnecessary alarm. Effective notifications include:

  • Specific description of what spoofed emails look like
  • Clear instructions for verifying legitimate communications
  • Alternative contact methods for confirming suspicious requests
  • Implementation plan for technical defenses
  • Regular updates as the situation evolves

Organizations should prepare communication templates in advance as part of incident response planning. Having pre-approved messaging enables faster response when incidents occur.

Implementing technical defenses

Technical email authentication protocols represent the most effective defense against email spoofing. These systems verify sender identity and instruct receiving mail servers on how to handle messages that fail authentication checks.

Email authentication foundation: The three-layer defense

Email authentication relies on three complementary protocols working together:

Protocol | Function                               | What It Protects Against                  | Implementation Complexity
---------|----------------------------------------|-------------------------------------------|--------------------------
SPF      | Validates authorized sending servers   | IP-based spoofing                         | Low
DKIM     | Verifies email content integrity       | Message tampering, content modification   | Medium
DMARC    | Enforces policy and provides reporting | Domain impersonation, provides visibility | Medium

SPF (Sender Policy Framework): Defines which mail servers are authorized to send emails on behalf of your domain by publishing authorized IP addresses in DNS records. Learn more in our complete SPF and DKIM setup guide.

DKIM (DomainKeys Identified Mail): Adds cryptographic signatures to outgoing emails, allowing recipients to verify messages haven't been altered and originated from authorized systems.

DMARC (Domain-based Message Authentication, Reporting and Conformance): Builds on SPF and DKIM by specifying how receiving servers should handle messages failing authentication and provides reporting on authentication results.

Why all three protocols matter: SPF prevents IP address spoofing, DKIM ensures message integrity, and DMARC provides enforcement and visibility. Implementing only one or two leaves significant security gaps.

Currently, only 50.2% of public companies have achieved full DMARC enforcement, while the majority remain in monitoring mode without actively blocking spoofed emails. Major email providers including Google and Yahoo now require authentication for bulk senders [3]. Read our guide on mastering Microsoft, Google, and Yahoo's bulk email sender requirements for comprehensive compliance guidance.

Setting up SPF, DKIM, and DMARC

Implementing email authentication requires systematic configuration of DNS records and email systems. While the process involves technical steps, organizations of all sizes can successfully deploy these protocols with proper guidance.

SPF implementation

SPF records specify which mail servers can send emails for your domain. Creating an effective SPF record requires identifying all legitimate email sources:

Inventory email sending sources

Document all systems that send emails using your domain:

  • Internal mail servers
  • Email marketing platforms (Mailchimp, Constant Contact, etc.)
  • CRM systems (Salesforce, HubSpot, etc.)
  • Transactional email services (SendGrid, Mailgun, etc.)
  • Automated notification systems
  • Third-party services sending on your behalf

Create your SPF record

Build an SPF TXT record listing authorized sending sources using IP addresses or include mechanisms for third-party services.

Example: v=spf1 ip4:192.0.2.0/24 include:_spf.google.com include:sendgrid.net -all

This record authorizes your IP range and includes Google Workspace and SendGrid as legitimate senders, with -all indicating that all other sources should fail SPF checks.

Publish to DNS

Add the SPF record as a TXT record at your domain root. SPF records have a 10 DNS lookup limit, requiring careful management when multiple services are involved. Organizations with complex email environments may need to consolidate services or use SPF flattening techniques.
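A checker for the record shape and the 10-lookup limit described above, as an added example that is not part of the original article: it counts the lookup-costing terms (include, a, mx, ptr, exists, redirect) in a record's own text without resolving DNS, so nested includes are a stated assumption the reader must audit separately.

```python
import re

# Mechanisms that each cost one DNS lookup under SPF's limit of 10 (RFC 7208);
# the redirect= modifier costs one as well. ip4, ip6 and all are free.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIERS = "+-~?"

def analyze_spf(record):
    """Check an SPF TXT record's syntax, count the DNS lookups its own terms
    cost, and flag a weak or missing 'all' mechanism. Nothing is resolved:
    records pulled in by include/redirect also count toward the limit, so a
    full audit must fetch each of them and recurse (assumed out of scope)."""
    terms = record.split()
    result = {"lookups": 0, "all": None, "errors": [], "warnings": []}
    if not terms or terms[0].lower() != "v=spf1":
        result["errors"].append("record must start with v=spf1")
        return result
    has_redirect = False
    for term in terms[1:]:
        if "=" in term and term[0] not in QUALIFIERS:
            # Modifier (name=value), e.g. redirect=_spf.example or exp=...
            if term.split("=", 1)[0].lower() == "redirect":
                result["lookups"] += 1
                has_redirect = True
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term.lstrip(QUALIFIERS)
        # The mechanism name precedes any ':domain' or '/prefix-length' argument.
        name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            result["lookups"] += 1
        if name == "ptr":
            result["warnings"].append("ptr is deprecated; replace it with ip4/ip6 or a")
        if name == "all":
            result["all"] = qualifier
    if result["lookups"] > 10:
        result["errors"].append(f"{result['lookups']} DNS lookups exceed the limit of 10; "
                                "consolidate services or flatten includes")
    if result["all"] is None and not has_redirect:
        result["warnings"].append("no 'all' mechanism: unlisted senders get a neutral result")
    elif result["all"] in ("+", "?"):
        result["warnings"].append(f"'{result['all']}all' lets any server pass; use -all")
    return result

if __name__ == "__main__":
    print(analyze_spf("v=spf1 ip4:192.0.2.0/24 include:_spf.google.com include:sendgrid.net -all"))
```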

DKIM configuration

DKIM adds digital signatures to outgoing emails, providing cryptographic verification of message authenticity and integrity.

Generate DKIM keys

Create a public/private key pair through your email server or service provider. Most platforms provide automated DKIM generation tools.

Publish public keys

Add DKIM public keys to DNS as TXT records at designated selectors (e.g., selector1._domainkey.yourdomain.com).

Enable DKIM signing

Configure your email servers or services to sign outgoing messages with the private key. Verify signatures are being applied by sending test messages and examining headers.

DMARC deployment

DMARC ties SPF and DKIM together, defining policies for handling authentication failures and providing visibility into email authentication results.

Start with monitoring mode

Initial DMARC records should use policy p=none to collect data without affecting email delivery:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100

Analyze DMARC reports

Receiving mail servers send daily aggregate reports showing which emails passed or failed authentication. Analyze these reports to identify:

  • Legitimate sources passing authentication
  • Services requiring SPF or DKIM fixes
  • Spoofing attempts from unauthorized sources
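A parser that sorts the sources in an aggregate report into the three buckets listed above, as an added example that is not part of the original article or of Red Sift OnDMARC: it reads a constructed rua XML report for the placeholder domain yourcompany.example (documentation IP ranges, invented vendor names) and uses the aligned verdicts in policy_evaluated against the raw results in auth_results.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate (rua) report for the placeholder domain
# yourcompany.example; the IPs are documentation ranges, not real senders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <policy_published><domain>yourcompany.example</domain><p>none</p><pct>100</pct></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>1200</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourcompany.example</header_from></identifiers>
  <auth_results><dkim><domain>yourcompany.example</domain><result>pass</result></dkim>
   <spf><domain>yourcompany.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>300</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourcompany.example</header_from></identifiers>
  <auth_results><spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.45</source_ip><count>4500</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourcompany.example</header_from></identifiers>
  <auth_results><spf><domain>mailer-example.net</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>
"""

def classify_report(xml_text):
    """Sort each source IP in an aggregate report into the three buckets the
    guide describes. policy_evaluated holds the aligned (DMARC) verdicts;
    auth_results holds the raw SPF/DKIM results, so a source that fails DMARC
    yet has a raw pass is a real service that still needs alignment work."""
    root = ET.fromstring(xml_text)
    buckets = defaultdict(list)
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        aligned = {rec.findtext("row/policy_evaluated/dkim"),
                   rec.findtext("row/policy_evaluated/spf")}
        if "pass" in aligned:
            buckets["legitimate"].append((ip, count))
        elif any(r.findtext("result") == "pass" for r in rec.findall("auth_results/*")):
            buckets["needs_spf_or_dkim_fix"].append((ip, count))
        else:
            buckets["unauthorized"].append((ip, count))
    return dict(buckets)

def message_totals(buckets):
    """Total message volume per bucket, for prioritising what to fix first."""
    return {name: sum(count for _, count in rows) for name, rows in buckets.items()}

if __name__ == "__main__":
    found = classify_report(SAMPLE_REPORT)
    print(found)
    print(message_totals(found))
```

Real reports arrive as gzipped or zipped XML attachments at the rua address, so unpack them before feeding the XML to this function.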

Progressively enforce policies

After confirming legitimate emails authenticate successfully, gradually move to enforcement. Our reaching DMARC enforcement guide provides detailed strategies for this critical transition.

  • Quarantine policy: p=quarantine instructs receivers to treat failing messages as suspicious
  • Reject policy: p=reject blocks failing messages entirely, providing maximum protection

DMARC policy progression approach

Policy Stage          | pct  | Expected Outcome          | Action Required
----------------------|------|---------------------------|----------------------------------
Monitoring            | 100% | Gather baseline data      | Analyze reports, identify sources
Quarantine (Initial)  | 25%  | Test quarantine impact    | Monitor user feedback
Quarantine (Moderate) | 50%  | Increase enforcement      | Fix any legitimate failures
Quarantine (Full)     | 100% | Full quarantine mode      | Verify no legitimate blocking
Reject (Initial)      | 25%  | Begin maximum protection  | Close monitoring
Reject (Moderate)     | 50%  | Increase rejection rate   | Address any issues
Reject (Full)         | 100% | Full enforcement achieved | Maintain ongoing monitoring

Organizations following this progressive approach achieve 95%+ authentication success rates for legitimate emails while gaining complete protection against domain spoofing.

Implementation best practices

  1. Test before enforcement: Always start with p=none and collect sufficient baseline data
  2. Monitor continuously: Set up automated alerts for authentication failure spikes
  3. Document everything: Maintain records of all authorized sending sources and DNS configurations
  4. Plan for growth: Design SPF records with room for additional services


Organizational strategies to combat spoofing

Technical defenses represent only one dimension of comprehensive anti-spoofing strategy. Organizational measures engaging employees and establishing security-minded culture provide essential complementary protection.

Building security awareness

Implement policies requiring confirmation for sensitive requests via alternative channels. Create environments where questioning suspicious emails is expected and encouraged. Leadership should model security-conscious behavior to reinforce the importance of vigilance across the organization.

Cross-team coordination

IT security teams handle technical implementation and monitoring. Marketing ensures email campaigns use authenticated infrastructure. Finance implements dual-approval for payment changes. HR conducts regular security training. Coordinate through regular briefings, incident response drills, and shared documentation.

Training and awareness programs

Regular training equips employees to recognize and respond to email spoofing attempts. Focus on these key behaviors:

  • Verify sensitive requests: Confirm financial transfers or credential changes through known contact methods
  • Examine sender addresses: Check actual email addresses, not just display names
  • Question urgency: Treat immediate action demands with heightened scrutiny
  • Avoid unknown links: Verify legitimacy before clicking links or downloading attachments
  • Report suspicious emails: Enable quick reporting through dedicated channels

Conduct simulated phishing exercises and track metrics like reporting rates and phishing test performance to measure training effectiveness.

Ensuring robust email protection with Red Sift

Implementing comprehensive email authentication and maintaining ongoing protection requires sophisticated tools and expertise. Red Sift OnDMARC simplifies complex authentication protocols while providing enterprise-grade security for organizations of all sizes.

How Red Sift OnDMARC stops email spoofing

Red Sift OnDMARC transforms email authentication from a technical challenge into a guided, manageable process.

Key capabilities:

  • Automated report analysis: Processes complex DMARC reports automatically, presenting clear insights through intuitive dashboards
  • Intelligent source discovery: Identifies all email sources sending from your domain, including shadow IT services
  • Guided policy progression: Provides automated recommendations for when to progress from monitoring to enforcement
  • One-click authentication: Simplifies SPF and DKIM configuration with automatic updates
  • Expert support: Customer Success team provides guidance through complex scenarios

Red Sift Brand Trust: Beyond DMARC

Red Sift Brand Trust extends protection beyond email authentication with domain monitoring for lookalike domains and typosquatting, phishing detection for rapid site takedowns, dark web monitoring for credential threats, and threat intelligence for proactive defense. Combined with OnDMARC, organizations achieve comprehensive protection across all impersonation attack vectors.

Red Sift OnDMARC is ideal for organizations with complex email infrastructures, regulatory compliance requirements, active spoofing incidents, limited IT resources, or comprehensive brand protection needs. Organizations achieve full DMARC enforcement significantly faster than manual implementation, maintaining 99%+ legitimate email delivery throughout the process.

Frequently asked questions about email spoofing

What is the difference between email spoofing and phishing?

Email spoofing is the technical method of forging sender addresses. Phishing is the broader attack strategy that often uses spoofed emails to trick recipients into revealing credentials or transferring money.

Does SPF alone prevent email spoofing?

No. Effective spoofing prevention requires all three protocols: SPF validates sending servers, DKIM verifies message integrity, and DMARC enforces policies and provides visibility.

Can email spoofing happen if I have strong passwords?

Yes. Email spoofing doesn't require access to your accounts. Attackers exploit the lack of authentication protocols to send emails that appear from your domain without compromising your systems.

How do I know if my domain is being spoofed?

Key indicators include customer reports of suspicious emails, unexpected bounce-back messages for emails you didn't send, increased spam complaints, and DMARC reports showing failed authentication attempts from unknown IP addresses.

Will DMARC enforcement block legitimate emails?

When properly implemented, DMARC enforcement maintains 95%+ delivery rates for legitimate emails. The key is spending adequate time in monitoring mode and fixing authentication issues before enforcement.

References

[1] FBI Internet Crime Complaint Center. "2023 Internet Crime Report." https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf

[2] FBI. "Spoofing and Phishing." https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/spoofing-and-phishing

[3] Mailgun. "Email Authentication Requirements in 2025." https://www.mailgun.com/state-of-email-deliverability/chapter/email-authentication-requirements/