Email Spoofing: How Attackers Send Fake Mail From Your Domain, and How DMARC Closes the Hole

Quick answer: Email spoofing is an attacker putting your domain in the sender address of mail they send from their own server, so the message appears to come from you. It is possible because SMTP itself does not authenticate the sender: the envelope sender and the From header are plain text chosen by whoever sends the message. If your domain is not protected by SPF, DKIM and, above all, DMARC records, anyone can appear to be sending mail from any address at your domain. The effects are severe: phishing of your customers in your name, fake invoice and IBAN change fraud, and loss of trust in your brand. Three DNS records close the hole. SPF lists the servers allowed to send mail with your domain as the envelope sender. DKIM signs outgoing mail cryptographically with a key whose public half is published in your DNS. DMARC ties both checks to the visible From address (alignment), tells receiving servers what to do with mail that fails (monitor, quarantine or reject) and sends you reports about mail that claims to come from your domain. With p=reject, receivers that enforce DMARC drop the forged mail before it reaches the inbox.

In our field experience this is the most commonly overlooked security vulnerability. Companies protect their websites but do not notice that anyone can send fake mail from their domain. We covered the general setup in corporate email security, SPF, DKIM, DMARC. This article looks at the attack side: exactly what is exposed when these records are missing, and how it is exploited.

The problem, email does not verify the sender identity

SMTP, the protocol that carries email, does not verify the sender address. Both the envelope sender (MAIL FROM, shown to the recipient as Return-Path) and the From header are chosen by the sending system and accepted as written. An attacker can therefore send mail from their own server with your domain in the From address, and in the recipient's inbox that mail looks like it comes from your company.

To prevent this, three verification layers were developed: SPF, DKIM and DMARC. None of them is on by default. The domain owner must publish them as DNS records (and, for DKIM, configure the outgoing mail server to sign). If these records are missing, your domain is open to spoofing.

How this vulnerability is exploited and its effects

If your domain is unprotected, the attacker uses it in several scenarios.

  • Customer phishing. They send mail to your customers in your name, directing them to a fake payment page or a malicious file. Because the mail looks like it really comes from you, the victim trusts it.
  • Invoice and IBAN fraud. A mail that looks like it comes from a supplier or from accounting says the IBAN to pay has changed. This is the classic form of a business email compromise (BEC) attack; we explained the detail in email fraud, BEC and CEO fraud.
  • Executive impersonation. They send your employee an urgent money transfer or information request that looks like it comes from the CEO.
  • Brand and delivery reputation. Once receivers see abuse coming from your domain, the chance that your real mail also lands in the spam folder increases.

We covered how to tell these mails apart in how to spot a phishing email, but the real solution is to make sure the fake mail never reaches the recipient at all.

Three records, SPF, DKIM, DMARC

Protecting your domain requires three complementary DNS records.

SPF (Sender Policy Framework) lists, in a TXT record at your domain, which servers are authorized to send mail with your domain as the envelope sender (MAIL FROM). The receiving server checks whether the connecting IP is on that list. Note what SPF does not check: the visible From header. An attacker can put their own domain in MAIL FROM, pass SPF for that domain, and still show your domain in From.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing mail, covering the body and selected headers (including From). The signature names the signing domain (the d= tag) and a selector; the recipient fetches the public key from the DNS name selector._domainkey.yourdomain and verifies the signature, so it knows the mail was not altered in transit and really was signed by your domain's key.

DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on top of these two and does two things. First, it requires that at least one of SPF or DKIM passes and that the domain it authenticated aligns with the domain in the visible From header; mail that fails this is handled according to the policy you publish. Second, it asks receiving servers to send you aggregate reports (the rua= address) about mail sent in your domain's name, so you see who is trying to send mail as you.

Record   What it does                                  Risk if missing
SPF      Defines authorized sending servers            Anyone can send mail in your name
DKIM     Signs mail, verifies integrity                Mail can be altered in transit, impersonation easier
DMARC    Combines SPF/DKIM, applies policy             Fake mail reaches the recipient

The DMARC policy, none, quarantine, reject

The heart of the DMARC record is the policy value, and it has three levels.

  • p=none. Only monitors and collects reports, blocks nothing. At first setup it is the starting point to see the situation without breaking legitimate senders.
  • p=quarantine. Asks receivers to route mail that fails verification to the spam or quarantine folder.
  • p=reject. Asks receivers to reject mail that fails verification, so it never reaches the recipient. This is real protection, at every receiver that enforces DMARC (the large mailbox providers do).

The right approach is to start with p=none and monitor the reports, correctly define all your legitimate senders (your own server, your marketing tool, your billing system) with SPF and DKIM so that they align with your From domain, then move gradually to p=quarantine and finally p=reject (the pct= tag lets you apply the policy to a share of failing mail first). Without p=reject your domain is still not fully protected.
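The evaluation a receiving server performs, as an added example that is not code from the original article or from DSET: it applies the alignment rule (SPF or DKIM must pass and match the From domain) and then the published policy. The domains, the four messages and the three DMARC records are constructed to match the rollout stages above; the spoofed message shows why a passing SPF result for the attacker's own domain does not help them, and the marketing tool shows what p=reject does to a sender you forgot to align.

```python
"""DMARC evaluation as a receiving server performs it (added example).
All domains, messages and DMARC records are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. Real receivers
    consult the Public Suffix List (mail.example.co.uk -> example.co.uk); the
    shortcut is enough for the .com/.net domains used here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """DMARC alignment: the authenticated domain must equal the From: domain in
    strict mode ('s') or share its organizational domain in relaxed mode ('r')."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    from_domain: str            # domain of the visible From: header (what the user sees)
    mail_from_domain: str       # envelope sender (MAIL FROM / Return-Path), what SPF evaluates
    spf_result: str             # SPF result for mail_from_domain and the connecting IP
    dkim_domain: Optional[str]  # d= of a signature that verified; None if unsigned or broken


def dmarc_disposition(record: str, msg: Message) -> str:
    """'pass' if the message is DMARC-authenticated, otherwise the requested action
    ('none', 'quarantine' or 'reject'). A message passes when SPF *or* DKIM passes
    AND the identifier that passed aligns with the From: domain."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none"  # no usable policy: the receiver treats the domain as unprotected
    spf_pass = msg.spf_result == "pass" and aligned(
        msg.mail_from_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_pass = aligned(msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    if spf_pass or dkim_pass:
        return "pass"
    return tags["p"].lower()


# The three rollout stages from the article (constructed records).
POLICY_NONE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
POLICY_QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
POLICY_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

# Constructed messages as seen by the receiving server.
# 1. Attacker's own server: SPF passes for attacker.net, but From: says example.com.
SPOOF = Message("example.com", "attacker.net", "pass", None)
# 2. Your own server: SPF and DKIM both align with example.com.
LEGIT = Message("example.com", "example.com", "pass", "example.com")
# 3. Your mail forwarded by a mailing list: SPF fails (forwarder's IP), DKIM survives.
FORWARDED = Message("example.com", "example.com", "fail", "example.com")
# 4. Marketing tool sending as you with its own bounce domain and no DKIM key for your domain.
UNALIGNED_TOOL = Message("example.com", "bounce.mailtool.net", "pass", "mailtool.net")


def rollout_table() -> Dict[str, Dict[str, str]]:
    """Disposition of each constructed message under each policy stage."""
    msgs = {"spoof": SPOOF, "legit": LEGIT, "forwarded": FORWARDED, "unaligned_tool": UNALIGNED_TOOL}
    stages = (("none", POLICY_NONE), ("quarantine", POLICY_QUARANTINE), ("reject", POLICY_REJECT))
    return {stage: {name: dmarc_disposition(rec, m) for name, m in msgs.items()} for stage, rec in stages}


if __name__ == "__main__":
    for stage, row in rollout_table().items():
        print(f"p={stage:<10}", "  ".join(f"{k}={v}" for k, v in row.items()))
```

Two things the table makes visible: the forwarded message survives because DKIM travels with the message while SPF does not, which is why both records are needed; and the unaligned marketing tool is delivered under p=none but rejected under p=reject, which is the legitimate-mail breakage the gradual rollout exists to catch.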

Is your domain vulnerable, how to test

The state of your domain can be read directly from its DNS records: SPF is a TXT record at the domain itself, DMARC is a TXT record at _dmarc.yourdomain, and each DKIM key is a TXT record at selector._domainkey.yourdomain (the selector is the s= tag in the DKIM-Signature header of a message you sent). An audit checks whether all three exist, at which level the DMARC policy is, whether reports (rua=) are collected, and whether every legitimate sender is covered by SPF or signs with an aligned DKIM key. The picture we find in most Turkish companies is this: SPF exists, but DMARC is either missing entirely or at the p=none level, meaning the domain is still open to spoofing. The first step of an external pentest or an email security audit is precisely to check these records; we also addressed this in Ankara cyber security, pentest and KVKK.
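A record-level check of the kind described above, as an added example that is not DSET's audit tooling: given the TXT records at the domain apex and at _dmarc, it classifies the domain as open, partially protected or enforced and lists the findings. The record sets are constructed; in a real check you would fetch them first (for instance `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`) and pass the strings in. It goes one step beyond the text in treating an SPF record ending in +all as fully open even with p=reject, because +all lets an attacker pass aligned SPF simply by using your domain as MAIL FROM.

```python
"""Classify a domain's spoofing exposure from its SPF and DMARC TXT records (added example).
All record sets below are constructed."""
from typing import Dict, List, Optional, Tuple

# Mechanisms/modifiers that cost a DNS lookup; SPF allows at most 10 in total (RFC 7208 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def find_single(records: List[str], prefix: str) -> Optional[str]:
    """The one record starting with prefix; None if absent or duplicated
    (two SPF or two DMARC records are a permanent error at receivers)."""
    hits = [r for r in records if r.lower().startswith(prefix)]
    return hits[0] if len(hits) == 1 else None


def costs_lookup(term: str) -> bool:
    name = term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()
    return name in LOOKUP_TERMS


def spf_findings(spf: Optional[str]) -> List[str]:
    if spf is None:
        return ["SPF missing or duplicated: receivers get no authorized-server list"]
    findings: List[str] = []
    terms = spf.split()[1:]  # drop the 'v=spf1' version tag
    final = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if final in ("all", "+all"):
        findings.append("SPF ends in +all: any server on the internet passes SPF for your domain")
    elif final == "?all":
        findings.append("SPF ends in ?all: neutral, receivers treat it as no statement")
    elif final is None and not any(t.startswith("redirect=") for t in terms):
        findings.append("SPF has no 'all' term: unlisted servers are neither passed nor failed")
    lookups = sum(1 for t in terms if costs_lookup(t))  # top-level only; includes add their own
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups at top level, over the limit of 10 (permerror)")
    return findings


def dmarc_findings(dmarc: Optional[str]) -> Tuple[List[str], str]:
    """Findings plus the effective policy ('none', 'quarantine' or 'reject')."""
    if dmarc is None:
        return ["DMARC missing or duplicated: failing mail is delivered normally"], "none"
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC record has no valid p= tag: receivers ignore it")
        policy = "none"
    if policy == "none":
        findings.append("p=none only reports: spoofed mail still reaches recipients")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if policy != "none" and tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains of your domain remain spoofable")
    return findings, policy


def assess(apex_txt: List[str], dmarc_txt: List[str]) -> Dict[str, object]:
    spf = find_single(apex_txt, "v=spf1")
    dmarc = find_single(dmarc_txt, "v=dmarc1")
    spf_f = spf_findings(spf)
    dmarc_f, policy = dmarc_findings(dmarc)
    level = {"reject": "enforced", "quarantine": "partial", "none": "open"}[policy]
    if any("+all" in f for f in spf_f):
        level = "open"  # attacker sets MAIL FROM to your domain and passes aligned SPF
    return {"level": level, "spf": spf_f, "dmarc": dmarc_f}


# Constructed record sets for four domains.
TYPICAL = (["v=spf1 include:_spf.google.com ~all", "google-site-verification=abc123"], [])
MONITOR_ONLY = (["v=spf1 include:_spf.google.com ~all"], ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"])
HARDENED = (["v=spf1 include:_spf.google.com include:spf.billing-tool.net -all"],
            ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"])
BROKEN_SPF = (["v=spf1 +all"], ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"])

if __name__ == "__main__":
    for name, (apex, dm) in (("typical", TYPICAL), ("monitor", MONITOR_ONLY),
                             ("hardened", HARDENED), ("broken_spf", BROKEN_SPF)):
        print(name, assess(apex, dm))
```

The "typical" case is the one the article describes for most companies: SPF present, DMARC absent, domain open. The DKIM record is not inspected here because its DNS name depends on the selector, which you read from the DKIM-Signature header of a message the domain actually sent.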

Frequently Asked Questions

I have an SPF record, is it enough? No. SPF checks the envelope sender (MAIL FROM / Return-Path), not the From address the recipient sees, so an attacker can pass SPF for their own domain while showing yours. SPF also breaks on forwarded mail, because the forwarding server is not on your list. Full protection requires DKIM as well and a DMARC policy at p=reject that ties both checks to the From domain.

If I add DMARC, will my own mail be blocked? It can be, if a legitimate sender (a marketing platform, a ticketing system, a billing tool) is not listed in SPF or does not sign with DKIM for your domain. That is why you start with p=none, use the reports to find every sender and align it, and only then move gradually to p=reject.

Someone is sending fake mail from my domain, what should I do? Confirm your legitimate senders pass DMARC, move your policy to p=reject, examine the DMARC reports to see which sources are failing, and inform your customers. If personal data has leaked this is a breach; see KVKK data breach notification.

Is this only a problem for large companies? No. On the contrary, unprotected small and medium businesses are easier targets, because most have not set up DMARC, and attackers find such domains with automated DNS checks.

To test your domain's email spoofing vulnerability and close it with SPF, DKIM and DMARC, contact DSET.