What is Email Spoofing? How to Detect & Stop It
Email spoofing is the technique that makes phishing emails look like they come from your bank, your boss, or even yourself. Understanding how it works is the first step to defending against it.
What is Email Spoofing?
Email spoofing is the act of forging the From field in an email so it appears to come from a trusted source — a bank, a colleague, a tech company — when it actually originates from an attacker's server.
The reason this is possible is a fundamental flaw in the original email protocol (SMTP), which was designed in the 1980s with no authentication built in. Anyone who controls an email server can set the From address to whatever they like.
Real-world example
In a Business Email Compromise (BEC) attack, a criminal spoofs the CEO's email address and sends a wire transfer request to the finance team. The email appears 100% legitimate — same display name, same address. In 2015, this exact technique was used to steal $61 million from aerospace manufacturer FACC.
How Email Spoofing Works (Technical Explanation)
When you send an email, two different "From" addresses are involved:
Envelope From (Return-Path)
This is the technical sender address used by mail servers for delivery and bounce handling. It appears in the email headers but not in your email client's UI.
Header From (Display Address)
This is what you see in your email client as the sender. It can be set to any value, completely independently of the actual sending server. This is what gets spoofed.
An attacker sets the Header From to ceo@yourcompany.com but sends the email from their own server. Without authentication checks, your email client has no way to know the difference.
Types of Email Spoofing Attacks
Direct Domain Spoofing
Severity: Critical. The attacker uses your exact domain in the From field (e.g., ceo@yourcompany.com). This is blocked by DMARC when properly configured.
Lookalike Domain Spoofing
Severity: High. A visually similar domain is registered (e.g., yourcomp4ny.com, yourcompany-support.com). Bypasses DMARC since it's technically a different domain.
Display Name Spoofing
Severity: Medium. The display name says "PayPal Support" but the email address is from a random domain. No technical spoofing — relies on users not checking the actual address.
Compromised Account Abuse
Severity: High. The attacker uses a real, legitimate account they have hijacked to send phishing from a trusted address. Hardest to detect since authentication passes.
How to Detect Email Spoofing
1. Check the Email Headers
The most reliable way to detect spoofing is to inspect the raw email headers. Look for:
- Does the From header match the Return-Path header?
- Does the Received chain show servers you would expect from the claimed sender?
- What do the Authentication-Results headers say?
2. Check SPF, DKIM, and DMARC Results
SPF Pass
The sending server is authorized to send on behalf of the domain.
DKIM Pass
The email has a valid cryptographic signature from the domain owner.
DMARC Pass
Both SPF and DKIM are aligned with the From domain. Strong authenticity signal.
A DMARC fail combined with a suspicious From address is a near-certain sign of spoofing.
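As an added example (not code from the original article or from the Phishing Inspector tool), the following Python script performs the header checks from steps 1 and 2 on a constructed message: it compares the Header From with the Return-Path, reads the receiving server's Authentication-Results header, and works out whether SPF or DKIM passed with alignment. The sample headers, domains and IP address are made up, the regex parsing of Authentication-Results is a simplification, and strict (exact-domain) alignment is assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message; all domains are made up): the Header From
# claims yourcompany.com, but Return-Path and the relay belong to another domain.
SPOOFED = """Return-Path: <bounce@attacker-mail.example>
Received: from mx.attacker-mail.example (mx.attacker-mail.example [203.0.113.7])
 by mail.yourcompany.com with ESMTP; Mon, 3 Jun 2024 09:00:00 +0000
Authentication-Results: mail.yourcompany.com;
 spf=pass smtp.mailfrom=attacker-mail.example;
 dkim=none;
 dmarc=fail header.from=yourcompany.com
From: "CEO" <ceo@yourcompany.com>
To: finance@yourcompany.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

def domain_of(header_value):
    """Lowercased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def authentication_summary(raw):
    """Run the article's checks: From vs Return-Path, Authentication-Results, and
    SPF/DKIM alignment. Assumes the receiver's Authentication-Results header is
    trustworthy and uses strict (exact-domain) alignment for simplicity."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    auth = " ".join(msg.get_all("Authentication-Results", []))

    def field(name):  # field("spf") -> "pass", field("header.d") -> signing domain
        m = re.search(rf"(?<![\w.]){re.escape(name)}=([\w.-]+)", auth)
        return m.group(1).lower() if m else ""

    spf_aligned = field("spf") == "pass" and field("smtp.mailfrom") == from_domain
    dkim_aligned = field("dkim") == "pass" and field("header.d") == from_domain
    findings = {
        "from_domain": from_domain,
        "return_path_domain": domain_of(msg.get("Return-Path")),
        "spf": field("spf"), "dkim": field("dkim"), "dmarc": field("dmarc"),
        # DMARC passes when at least one of SPF or DKIM both passes and aligns
        "computed_dmarc": "pass" if spf_aligned or dkim_aligned else "fail",
    }
    findings["envelope_mismatch"] = findings["return_path_domain"] != from_domain
    findings["verdict"] = "authenticated" if findings["computed_dmarc"] == "pass" else "likely spoofed"
    return findings
```

Calling `authentication_summary(SPOOFED)` reports the envelope/header domain mismatch and a computed DMARC fail, because SPF passed only for the attacker's own domain and nothing was DKIM-signed by yourcompany.com.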
3. Use a Free Email Spoofing Checker
You do not need to read raw headers manually. Phishing Inspector automatically parses and displays SPF, DKIM, and DMARC results, flags authentication failures, and cross-references the sending IP against abuse databases.
How to Protect Your Domain from Being Spoofed
If you own a domain, you can prevent attackers from impersonating it by publishing proper authentication records:
Publish an SPF Record
Add a TXT record to your DNS that lists which servers are authorized to send email from your domain. Example: v=spf1 include:_spf.google.com ~all
Enable DKIM Signing
Configure your email provider (Google Workspace, Microsoft 365, etc.) to cryptographically sign outgoing emails. Publish the public key in your DNS.
Enforce a DMARC Policy
Publish a DMARC record with policy p=reject to instruct receiving servers to reject any email that fails SPF and DKIM alignment. This is the gold standard of anti-spoofing protection.
Want to understand these protocols in depth? Read our full guide: SPF, DKIM, and DMARC Explained.
Think You Received a Spoofed Email?
Use Phishing Inspector to check the email's authentication headers instantly. We will tell you whether SPF, DKIM, and DMARC pass or fail, and give you an overall phishing risk score.