Email spoofing

The Spark Team
Created:

Definition

💡  Email spoofing is forging the sender information on an email so it looks like it came from someone other than the actual source. The message might say it's from your bank, your CEO, or a coworker, when it's really coming from someone else entirely. Spoofing is a technique, not a scam by itself. It's the trick that makes a fraudulent email look legitimate. What happens after (a phishing link, a fake wire request) is usually the actual goal.

How spoofing works

Email was never built with sender verification as a default. The core protocol, SMTP, lets a message claim to be "from" almost any address, the same way you could write any return address on a paper envelope. Nothing stops you at the point of sending, which is exactly why spoofing has been possible since email existed. 

This is where it gets expensive. CISA has documented how attackers spoof a CEO or CFO's address, then email someone in finance with urgent wire transfer instructions. The address looks right at a glance. The request feels urgent. By the time anyone double-checks, the money's gone. This exact pattern, known as business email compromise, has cost companies billions in reported losses. 

Spoofing is also the mechanism behind a lot of what ends up in phishing emails. The two get used interchangeably, but they're not quite the same thing. Spoofing is how the sender lies about who they are. Phishing is the broader scam built on top of that lie, usually trying to steal credentials or money.

Spotting a spoofed email

The display name is the easiest thing to fake and the least reliable thing to trust. "CEO Name" can be typed into the From field by literally anyone. What matters more is the actual address underneath it, which you can usually see by hovering over or tapping the sender's name.

Look for domains that are almost right: a zero instead of an "o," an extra letter, a slightly different domain extension. These look convincing at a glance and are designed to.

Unexpected urgency is another tell, especially anything involving money, gift cards, or credential resets. Legitimate requests like that almost never arrive exclusively by email with no other verification path.

Stopping spoofed mail from working

Three technical protections work together to make spoofing harder to pull off, and all three live in your domain's DNS settings rather than your email client.

SPF lists which mail servers are allowed to send on behalf of your domain.

DKIM cryptographically signs outgoing mail so receiving servers can confirm it's genuinely from you.

DMARC tells receiving servers what to do when a message fails those checks, quarantine it, reject it outright, or let it through anyway.

If you control a domain, setting up all three doesn't stop you from receiving spoofed mail, but it does stop scammers from successfully spoofing your domain to attack other people. It's also directly tied to your own email deliverability, since a domain without proper authentication looks exactly as suspicious to spam filters as it does to a scammer trying to impersonate it.

As a recipient, there's no setting that blocks all spoofed mail, since the fake ones are specifically designed to look legitimate. Verifying anything unusual through a second channel, a phone call, a message on a different platform, is still the most reliable check.

What people get wrong about spoofing

Is email spoofing illegal? 

Yes, in most jurisdictions, particularly when used to commit fraud. That doesn't stop it from happening constantly, since enforcement across borders is difficult.

Can spoofing happen even if my account isn't hacked? 

Yes. Spoofing doesn't require access to your actual account. It just fakes the "from" field, which is why your real account can be completely secure while someone still spoofs your address elsewhere. 

Does marking a spoofed email as spam stop future ones? 

Not reliably. Since the spoofed address changes each time, marking one instance as spam does little to prevent the next. Proper DMARC enforcement on the impersonated domain is what actually reduces this over time.

How is spoofing different from a hacked account sending spam? 

A hacked account is genuinely compromised, the messages really do come from that account. A spoofed email never touched the real account at all. The address was faked from somewhere else entirely. Two-factor authentication helps prevent the first scenario, but it does nothing to stop the second, since spoofing never needs your actual credentials in the first place.

Related terms

 

The Spark Team
Spark

Smart. Focused. Email.

Fast, cross-platform email designed to filter out the noise - so you can focus on what's important.