How can spammers send emails from real addresses, and is this a DMARC configuration issue?

Matthew Whittaker
Co-founder & CTO, Suped
Published 21 Jul 2025
Updated 17 Aug 2025
8 min read
It's a common and concerning experience: you receive an email that appears to be from a legitimate source, perhaps even your own domain, but you know it's fraudulent. This phenomenon, known as email spoofing, raises a crucial question: how can spammers send emails from real addresses? It often leads to a follow-up question: is this a DMARC configuration issue? While it might seem counterintuitive, the ability to send an email with a forged sender address has historically been quite straightforward.
The core problem lies in the original design of email protocols, which prioritized functionality over stringent identity verification. Fortunately, modern email authentication standards like SPF, DKIM, and DMARC have emerged to combat this. Understanding how these protocols work, and specifically how DMARC (Domain-based Message Authentication, Reporting, and Conformance) helps, is key to protecting your domain from misuse and improving your email deliverability.

How email spoofing works

At its simplest, an email message is just a piece of data sent from one server to another. The "From" address that you see in your email client, known as the RFC5322.From header, is a field that can be populated by the sender. This means that anyone with the technical know-how can theoretically input any address they want into this field when crafting an email, regardless of whether they genuinely own or are authorized to send from that domain.
This practice is called spoofing. Before modern authentication standards became prevalent, it was ridiculously easy to do. Spammers would often spoof well-known domains to trick recipients into opening malicious emails, a tactic sometimes referred to as a "joe job" in early internet security circles. While it's still possible for malicious actors to send an email appearing to be from your domain, the real challenge for them is getting that email successfully delivered to an inbox.
The key distinction often lies between the visible "From" address (RFC5322.From) and the hidden envelope sender address (RFC5321.MailFrom), which is also known as the Return-Path. SPF (Sender Policy Framework) primarily authenticates the envelope sender, while DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify the message content and the signing domain. DMARC ties these two together, focusing on the alignment of the visible From address with the authenticated domains from SPF and DKIM. This alignment is critical for preventing unauthorized use of your domain in the sender field.

The role of email authentication: SPF and DKIM

To combat spoofing, email authentication protocols like SPF and DKIM were developed. These act as checks for recipient mail servers, helping them determine if an email truly originates from the domain it claims to be from. Without these, any sender could effectively pretend to be anyone, leading to rampant spam and phishing attacks. You can learn more about these in our article, A simple guide to DMARC, SPF, and DKIM.
  1. SPF (Sender Policy Framework): This DNS record specifies which IP addresses are authorized to send emails on behalf of your domain. When a recipient server receives an email, it checks the SPF record of the sending domain. If the sending IP is not listed, the email may be flagged as suspicious, or even rejected. SPF records ensure that only authorized servers send emails on your behalf.
  2. DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your outgoing emails, allowing the recipient server to verify that the email hasn't been tampered with in transit and that it genuinely comes from the stated sender. The receiving server uses a public key, published in your DNS, to verify this signature.
While SPF and DKIM are crucial, they don't fully solve the spoofing problem on their own. For instance, SPF only checks the envelope sender, not the visible "From" address, which is what users typically see. This is where DMARC steps in, providing a robust framework to enforce policies based on the outcomes of SPF and DKIM checks, and ensuring alignment with the user-visible domain.

DMARC: The solution to preventing spoofing

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the protocol that truly empowers domain owners to prevent spammers from successfully sending emails from their real addresses. It builds upon SPF and DKIM by adding a crucial layer of policy and reporting. A DMARC record, published in your DNS, tells receiving email servers what to do with emails that claim to be from your domain but fail SPF or DKIM authentication, especially when the domains don't align.
The core function of DMARC is to define how email receivers should handle messages that fail authentication checks and alignment. DMARC policies are configured via a DMARC record in your DNS. These policies include:

Policy: p=none
Description: Monitor mode. Emails failing DMARC authentication and alignment are allowed to be delivered, but reports are sent to the domain owner. Ideal for initial deployment to assess email flow.
Impact on deliverability: Spoofed emails may still reach inboxes, but you gain visibility into abuse.

Policy: p=quarantine
Description: Suggests that emails failing DMARC should be moved to the spam or junk folder.
Impact on deliverability: Significant reduction in spoofed emails reaching inboxes, though some might end up in spam. Requires careful monitoring of legitimate emails.

Policy: p=reject
Description: Instructs receiving servers to outright reject emails that fail DMARC authentication and alignment. This is the strongest policy.
Impact on deliverability: Virtually eliminates spoofed emails from your domain reaching any inbox. Misconfigured legitimate emails will bounce.
For DMARC to work effectively, the domain in the RFC5322.From header (the one users see) must align with the domains authenticated by SPF (the RFC5321.MailFrom) or DKIM (the d= domain in the DKIM signature). This alignment is critical. If SPF and DKIM pass but don't align with the From header, DMARC will fail. This is a common cause of legitimate emails ending up in spam. For more insights, check out our guide on why DMARC authentication fails.
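The alignment rule and the p= policies above, as an added example that is not part of the original article: a receiving server's DMARC evaluation, given the SPF and DKIM results it has already computed, with strict (s) and relaxed (r) alignment taken from the adkim and aspf tags. The domain names, the record and the simplified organizational-domain rule are constructed for illustration.

```python
# Added example (not from the original article): evaluates DMARC alignment and
# disposition for one message the way a receiving server would, given the
# SPF and DKIM results it has already computed.
from dataclasses import dataclass
from typing import Optional, Tuple

def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    # Simplification: real receivers consult the Public Suffix List; here the
    # organizational domain is assumed to be the last two labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') matches organizational domains."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

@dataclass
class AuthResults:
    header_from: str             # domain of the visible RFC5322.From address
    mail_from: str               # domain of the RFC5321.MailFrom (Return-Path)
    spf_pass: bool               # SPF result for mail_from against the sending IP
    dkim_domain: Optional[str]   # d= tag of a DKIM signature that verified, if any

def dmarc_disposition(res: AuthResults, record: str) -> Tuple[bool, str]:
    """Return (dmarc_pass, action); action is the p= tag, or 'none' on pass."""
    tags = parse_dmarc_record(record)
    spf_ok = res.spf_pass and aligned(res.header_from, res.mail_from, tags.get("aspf", "r"))
    dkim_ok = res.dkim_domain is not None and aligned(res.header_from, res.dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok   # DMARC needs at least one passing AND aligned identifier
    action = "none" if passed else tags.get("p", "none")
    return passed, action

# Constructed sample: the visible From claims example.com, but the envelope and
# DKIM domains belong to the sender's own host, so SPF and DKIM pass yet do not align.
SPOOF = AuthResults("example.com", "bulk-mailer.test", True, "bulk-mailer.test")
RECORD = "v=DMARC1; p=quarantine; adkim=s; aspf=s"

if __name__ == "__main__":
    print(dmarc_disposition(SPOOF, RECORD))   # (False, 'quarantine')
```

The same function shows why a legitimate sender using a subdomain Return-Path passes under relaxed alignment but fails once aspf=s is set, which is the trade-off behind the strict-alignment tip later on this page.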

Why a DMARC issue might persist

If spammers are still successfully sending emails from your real addresses, it could indeed be a DMARC configuration issue, but it's not always straightforward. There are several reasons why this might occur, even with DMARC in place. One reason is that not all mailbox providers (MBPs) evaluate or strictly adhere to DMARC policies. While major players like Google and Microsoft are increasingly enforcing DMARC, smaller or older email systems might not yet have full implementation or stricter policies.
The most common DMARC issue that allows spoofing to persist is having a p=none policy in your DMARC record. While p=none is excellent for initial monitoring and gathering reports, it doesn't instruct recipient servers to block or quarantine unauthenticated emails. This means that even if a spammer spoofs your domain and their email fails DMARC, it might still reach the inbox because your policy explicitly states to do nothing with it. To truly prevent spoofing, you need to move to a stricter DMARC policy like p=quarantine or p=reject. Our guide on safely transitioning your DMARC policy provides a step-by-step approach.
Another factor could be misconfigured SPF or DKIM records that lead to DMARC alignment failures, even if the records technically exist. For example, if you're using a third-party sending service and haven't included their IPs in your SPF record or set up DKIM delegation correctly, legitimate emails from your domain could fail DMARC. This is why DMARC monitoring is so important, as it provides reports on authentication failures, helping you pinpoint and fix issues. You can explore how to troubleshoot these problems in our guide, why some emails are failing DMARC.

Views from the trenches

Best practices
Always implement SPF and DKIM before deploying DMARC to ensure foundational authentication is in place.
Start with a DMARC policy of p=none to monitor email authentication results without impacting deliverability.
Use DMARC reports to identify legitimate email sources that are not yet authenticated and correct their settings.
Gradually transition DMARC policy to p=quarantine, then p=reject, once you are confident all legitimate mail passes authentication.
Regularly review your DMARC reports to catch any new unauthorized sending or authentication issues quickly.
Common pitfalls
Setting a DMARC policy to p=reject too quickly can block legitimate emails from reaching their recipients.
Not configuring SPF or DKIM correctly can lead to DMARC failures, even if the records exist.
Ignoring DMARC aggregate reports means you miss critical insights into spoofing attempts and authentication problems.
Failing to include all third-party senders in your SPF record can cause their emails to fail authentication.
Believing DMARC is a set-it-and-forget-it solution, rather than an ongoing monitoring and adjustment process.
Expert tips
Use strict alignment for DMARC whenever possible to enhance protection against direct domain spoofing.
Consider deploying BIMI (Brand Indicators for Message Identification) once DMARC is at p=quarantine or p=reject to display your logo.
Educate your team about email security and how to identify spoofed or phishing attempts, even with DMARC in place.
If using third-party services, ensure they support DMARC and can align the From header with your domain for successful authentication.
Implement email blacklisting (or blocklisting) as an additional layer of defense against known malicious senders, complementing DMARC.
Expert view
Expert from Email Geeks says anyone can technically send an email from any address, which is called spoofing, but the challenge is getting those emails delivered properly.
2023-02-16 - Email Geeks
Marketer view
Marketer from Email Geeks says before SPF, DKIM, and DMARC, spoofing was simple because the From domain is just a field any sender can populate, similar to a subject line.
2023-02-16 - Email Geeks

Securing your domain

While it's frustrating to see spammers (or blocklisters) attempt to send emails from your legitimate domain, email authentication standards, particularly DMARC, provide the most effective defense. They don't prevent the act of spoofing itself, but they significantly reduce the likelihood of spoofed emails reaching recipient inboxes. By implementing DMARC with a strong policy (p=quarantine or p=reject), you instruct receiving mail servers to either quarantine (send to spam) or outright reject messages that fail your authentication checks.
Ultimately, securing your domain requires a multi-faceted approach: proper configuration of SPF and DKIM, a robust DMARC policy with alignment, and continuous monitoring of your DMARC reports. This proactive stance ensures that your legitimate emails are delivered, while unauthorized attempts to use your brand are stopped at the gate, protecting both your sender reputation and your recipients.
