How email spoofing works

Why strangers can pretend to be you — and where DNS protections fit in.

Display name vs. real sender

Anyone can type your company name in the display field. What matters for blocking is whether the receiving mail system can verify that the sending server is allowed to use your domain. That verification uses public DNS records anyone can look up.

Three checks mail providers run

Approved senders (SPF) — Is this server on your published list?

Signature (DKIM) — Does the message carry a valid cryptographic signature tied to your domain?

Policy (DMARC) — If checks fail, should the message be rejected, quarantined, or allowed?

When these are missing or weak, impersonation is much easier.

Why this is a DNS problem

Your website host and your email host are separate. Protections live in DNS TXT records at your domain registrar or DNS provider — not inside your inbox settings alone.

Frequently asked questions

Can Gmail or Outlook stop all fakes automatically?

They try, but without your domain's DNS policies, they have less to go on. Strong DMARC gives them a clear instruction.

Check my domain free