What can I do to stop spammers using my company name in email from field?
Michael Ko
Co-founder & CEO, Suped
Published 30 May 2025
Updated 17 Aug 2025
8 min read
It can be incredibly frustrating when you start receiving complaints about emails that appear to be from your company, but weren't actually sent by you. This often happens when spammers use your company name in the 'From' field of an email, even if the actual sending domain is completely different. People see your trusted brand name, assume it's legitimate, and then report you for unsolicited mail when they can't unsubscribe, or worse, fall victim to a scam. This situation doesn't directly mean your email systems are compromised, but it certainly impacts your brand's reputation and creates a customer service burden.
I've seen this issue many times, and it presents a unique challenge because traditional email authentication protocols like SPF, DKIM, and DMARC are primarily designed to protect against someone sending emails *from your actual domain*. When spammers use a different domain but just put your company name in the display name (the friendly 'From' name that shows up in inboxes), it sidesteps some of these protections. However, there are still steps you can take to understand what's happening, mitigate the impact, and strengthen your overall email security posture.
Understanding email spoofing vs. display name spoofing
When we talk about email impersonation, it's crucial to distinguish between two main types: domain spoofing and display name spoofing. Understanding this difference helps clarify why some attacks are harder to prevent than others with standard email authentication.
Domain spoofing involves attackers sending emails that appear to originate from your actual domain, for instance, yourcompany.com. This is a direct attack on your domain's authenticity. Display name spoofing, on the other hand, is when the spammer uses your brand name, like 'Your Company', in the sender's display name, but the underlying email address's domain is completely different, such as randomdomain.xyz.
This distinction matters because email authentication protocols like SPF, DKIM, and DMARC are designed to verify the sending domain, not the display name. If the spammers are using a domain they control, even a random one, DMARC and similar standards won't flag the message as a spoof of *your* domain, because your domain isn't being used in the actual technical 'From' address. This makes it a trickier problem to solve purely through DNS records.
Email spoofing (domain-based)
This occurs when an attacker sends an email using your exact domain (e.g., marketing@yourcompany.com) in the From: header (RFC 5322.From).
Detection: Relatively easy to detect with proper email authentication protocols.
Protection: Effectively prevented by strong SPF, DKIM, and DMARC policies configured on your domain's DNS. A DMARC policy set to p=reject is key.
Display name spoofing
The spammer uses your company name (e.g., 'Your Company') as the display name, but the actual email address belongs to a different, often random, domain (e.g., random@scammer.net).
Detection: Harder to detect with standard authentication, as the actual sending domain is not yours.
Protection: Requires a combination of recipient-side spam filters, user education, and proactive monitoring of your brand's presence in unsolicited emails.
Understanding DMARC, SPF, and DKIM limitations
Even though your SPF, DKIM, and DMARC are in place, the core issue with display name spoofing is that these protocols check the domain used in the technical 'From' address, not just the visible display name. If the spammers aren't actually sending from yourdomain.com, your DMARC policy won't apply to those messages, and they won't be rejected based on your domain's authentication.
While this specific type of spoofing might not be directly blocked by your existing DMARC p=none policy, it's critical to advance that policy. A p=none policy, while helpful for monitoring, does not tell recipient servers to actively block emails that fail authentication. To truly protect your domain from being directly spoofed, you need to transition to a more enforced policy.
Moving to an enforced DMARC policy
If you have a DMARC record published with a p=none policy, you're currently in monitoring mode. This is a good first step, but it won't stop spoofing of your actual domain. To prevent spammers from using your domain, you need to evolve your policy. The next steps are usually p=quarantine and then p=reject. Safely transitioning your DMARC policy requires careful analysis of your DMARC reports to ensure legitimate emails aren't impacted. You can use a DMARC record generator tool to create or update your record.
p=quarantine: Tells recipient servers to place emails that fail DMARC authentication into the spam or junk folder. This is a good intermediate step to prevent them from reaching the inbox directly.
p=reject: Instructs recipient servers to outright reject emails that fail DMARC authentication. This is the strongest policy and provides the highest level of protection against direct domain spoofing.
While an enforced DMARC policy won't prevent spammers from using your brand name with *other* domains, it's vital for protecting your *own* domain from being used in direct spoofing attacks. For advice on how to use DMARC to prevent spammers from using your domain, you can read more here.
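To make the none -> quarantine -> reject progression concrete, here is an added example (not code from the article or from Suped) that parses a DMARC TXT record and proposes the next record to publish. The records and the mailbox address are constructed, and parse_dmarc() and next_step() are hypothetical helpers; the rule that aggregate reporting (rua) must exist before tightening mirrors the advice above to review your reports first.

```python
# Constructed DMARC records for the rollout stages; not real DNS data.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com"
ENFORCED = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourcompany.com"

# The progression the article describes: none -> quarantine -> reject.
NEXT = {"none": "quarantine", "quarantine": "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT record into tag=value pairs, tags lowercased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def next_step(record):
    """Return (next_record_or_None, advice) for the record's current stage."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None, "invalid record: must begin with v=DMARC1 and carry a p= tag"
    p = tags["p"].lower()
    if "rua" not in tags:
        # Without aggregate reports you cannot see which legitimate mail would fail.
        return None, "add rua= aggregate reporting before changing p=" + p
    if p == "reject":
        sp = tags.get("sp", p).lower()  # sp defaults to p when absent
        if sp != "reject":
            return None, "p=reject but subdomains use sp=" + sp + "; set sp=reject"
        return None, "enforced: p=reject and sp=reject"
    if p not in NEXT:
        return None, "unknown policy p=" + p
    tags["p"] = NEXT[p]
    new_record = "; ".join(k + "=" + v for k, v in tags.items())
    return new_record, "publish p=" + NEXT[p] + " once the rua reports show legitimate mail passing"
```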
Mitigating the impact and identifying the source
Since email authentication doesn't fully address display name spoofing with non-owned domains, you need to focus on mitigating the impact and gathering intelligence. The first step is to analyze the full email headers of any suspicious message you receive. These headers contain crucial technical details that can help you understand the message's true origin, even if the 'From' field is misleading.
Pay close attention to the Received-SPF, Authentication-Results, and X-Originating-IP headers, as these often reveal the true sender's IP address and whether any authentication checks (for their domain) passed or failed. You might also find a List-Unsubscribe header that points to the spammer's actual domain, providing another clue. You can use an online tool to analyze email headers.
Another crucial step is to investigate the links within the fraudulent emails. If the emails contain affiliate links or calls to action (CTAs), determine where those links actually lead. If they point back to your legitimate website or an affiliate program you are associated with, it could indicate affiliate fraud or a breach within your partner network. If the links go to completely unrelated or suspicious websites, it's more likely a general spam campaign leveraging your brand name for legitimacy. Based on that information, you can decide on the appropriate course of action, such as contacting your affiliates, reporting the URLs, or blocking the identified IP addresses (if they're static).
Header field and its significance:
From: The visible sender display name and email address. In display name spoofing, the name is yours, but the domain is not.
Received: Traces the path of the email through servers, revealing the true originating IP address.
Authentication-Results: Shows the results of SPF, DKIM, and DMARC checks by the receiving server. Look for spf=none, dkim=none, or dmarc=none if your domain isn't used.
Return-Path: The address where bounces are sent. SPF checks this domain.
List-Unsubscribe: If present, this header often points to the spammer's actual domain, which can be useful for identification.
Long-term brand and email security
While immediate action to stop every spammer from using your company name in the display field can be like playing whack-a-mole, there are important long-term strategies you can implement. One key action is to continuously monitor your brand online. Set up alerts for your company name in conjunction with keywords like 'spam,' 'phishing,' or 'scam.' This helps you quickly identify when your brand is being misused and allows you to respond to public complaints, even if you can't stop the emails directly. Proactively address any social media posts or forum discussions where people mention receiving fraudulent emails that appear to be from your company.
Consider acquiring domain names that look similar to your primary domain. Spammers often use look-alike domains (e.g., y0urcompany.com or yourcompany.co) in phishing attacks. By registering these variations and applying strong DMARC policies to them, you can prevent them from being used for direct domain spoofing, even though this doesn't stop display name spoofing with completely random domains. For more on keeping your domain off blocklists, see the article How can I protect my domain from being spoofed and blacklisted?
Educating your customers is also vital. Provide clear guidelines on how to identify legitimate emails from your company, what to do if they receive suspicious messages, and how to report phishing attempts. This helps them distinguish genuine communications from fraudulent ones, reducing the number of complaints directed at you.
Final thoughts
Dealing with spammers who misuse your company name can feel like an uphill battle, especially when they're not directly spoofing your domain. The key takeaway is that while you can't always stop every single instance of display name spoofing, you can significantly mitigate its impact and protect your brand's integrity.
By understanding the technical nuances of email authentication, proactively monitoring for misuse, and educating your audience, you can minimize confusion, reduce customer complaints, and ensure your legitimate communications remain trusted. Focus on strengthening your DMARC policy for your own domains, stay vigilant about affiliate relationships, and maintain open communication with your customers about how to recognize your authentic messages. This multi-faceted approach will help safeguard your company's reputation and deliverability in the long run.
Views from the trenches
Best practices
Always transition your DMARC policy from 'none' to 'quarantine' or 'reject' to protect your own domains from direct spoofing.
Regularly monitor your brand online for mentions of spam or phishing to identify misuse early.
Educate your customers on how to identify legitimate emails from your company.
Investigate links within suspicious emails to determine if they point to your services or affiliate programs, which may indicate affiliate fraud.
Acquire and protect look-alike domains to prevent them from being used in direct spoofing attacks against your brand.
Common pitfalls
Assuming DMARC with a 'none' policy will stop all forms of brand impersonation, including display name spoofing.
Ignoring customer complaints about spam using your company name because the domain isn't yours.
Failing to analyze full email headers to understand the true origin and technical details of fraudulent messages.
Not thoroughly vetting affiliate partners or monitoring their activities for potential misuse of your brand.
Overlooking the importance of securing parked or unused domains with strong DMARC policies.
Expert tips
Check for 'X-Originating-IP' or 'Received' headers to trace the actual sender's IP address and potentially report abuse.
Use email header analysis tools to quickly parse and understand complex header information from fraudulent emails.
If affiliate fraud is suspected, consider suspending relevant affiliate links or payments until the issue is resolved.
Develop a clear internal communication plan for your customer support team on how to handle inquiries about spoofed emails.
Leverage DMARC reports to identify if legitimate emails are failing authentication before enforcing stricter policies.
Marketer view
Marketer from Email Geeks says that publishing a DMARC policy is essential for email security.
2023-08-07 - Email Geeks
Marketer view
Marketer from Email Geeks says that DMARC primarily protects your domain in the 'From' header, and SPF guards the 'Return-Path' (envelope-from) address. It's important to note that neither typically stops look-alike domain spoofing.