Can Your Domain Be Spoofed? Most Can!
For Non-technical people
DMARC, SPF AND DKIM are very important email authentication standards/mechanisms that you need to use.
Why are they important to you?
When emails originating from your domain are sent to the world through email platforms (CRMs, email campaign marketing tools, contact forms, or any other email hosting providers such as Microsoft 365 and Google), those email platforms need to be configured properly, or you'll get into trouble.
If they are not configured the right way
* chances for your emails to reach recipients' inboxes diminish drastically, especially since 2024.
* someone could pretend to be you and send millions of emails @from-your-domain.com. Yes, spoof your domain, and maybe make you end up on some Black List.
IMPORTANT: DMARC is the "only mechanism" that can help prevent someone from spoofing your domain.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email security policy framework that facilitates email delivery and helps prevent spoofing of your domain.
It also provides a very effective way to keep an eye (DMARC Reports / Monitoring) on what is happening with outgoing emails that use your domain, whether sent by you or not (spoofing).
- DMARC was introduced in 2012
- DMARC has been widely enforced since 2014
- DMARC became a requirement in 2024 by major providers like Google, Microsoft, and Yahoo for a safer email ecosystem.
Why have I never heard of it?
Many IT people rely on SPF only (Sender Policy Framework) for email deliverability and to combat spoofing.
However, SPF alone does not prevent spoofing, despite common misconceptions.
A Wake-Up Call for IT people
- If your IT consultant believes SPF stops email spoofing, they’re mistaken.
- I once thought the same.
- SPF can help with email deliverability but offers no protection against spoofing.
- Recommendation: Use the DMARC Guy Verification Tool to check your domain’s DMARC compliance & security status.
DMARC in the News
U.S. Says North Korean Hackers Exploiting Weak DMARC Settings
NSA Warns of North Korean Hackers Exploiting Weak DMARC Email Policies
French/Quebec: Government Agency Names Can Be Spoofed
For Technical Readers
Some reading for you
Search for “Can DMARC p=none prevent email spoofing?” on Grok, Google, or Reddit’s r/DMARC.
M3AAWG email Authentication Recommended Best Practices
URIPorts: SPF, DKIM, DMARC Best Practices
As I'm just another stranger on the internet, I encourage you to verify this information.
Let's start with the following
Neither SPF nor DKIM alone can prevent domain spoofing without a properly configured DMARC policy (p=quarantine or p=reject).
Strict SPF (-all) Misconception
- A strict SPF policy (-all) improves email deliverability but does not prevent spoofing. For years, many (including myself) believed it did.
- SPF authentication happens at the RFC5321.MailFrom / Envelope From / Return-Path address level. End users never see this domain.
- SPF has nothing to do with spoofing that happens at the RFC5322.From (Header From) level, the address/domain recipients actually see.
Email Domains Explained
Emails contain three domains, which can differ:
- RFC5321.MailFrom / Envelope From: The Return-Path or bounce address used for SPF authentication.
- DKIM Signing Domain: The domain used to sign your outgoing email.
- RFC5322.From / Header From: The visible "From" domain recipients will see.
Without a strong DMARC policy, emails with mismatched domains can still be delivered, making spoofing possible.
WARNING: be sure everything is well configured before using a p=quarantine or p=reject policy, or you could lose some outgoing emails and disrupt your email flow.
DMARC p=none Policy
- A p=none DMARC policy or no DMARC DNS entry leaves your domain vulnerable to spoofing.
- Some providers even have internal rules that reject mail from p=none domains or route it to spam folders.
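To make the three-domain distinction and the p=none point concrete, here is an added example (not code from the original page or from the DMARC Guy tool) that simulates a receiver's DMARC evaluation over constructed message facts. The domain names, the `MessageFacts` structure and the two-label organizational-domain guess are assumptions made for the illustration; real evaluators use the Public Suffix List.

```python
# Added example: minimal DMARC evaluation over constructed message facts.
# It shows why an SPF pass on the envelope (RFC5321.MailFrom) domain does
# not protect the visible Header From (RFC5322.From) domain, and why p=none
# changes nothing about delivery even when DMARC fails.
from dataclasses import dataclass
from typing import Optional

def org_domain(domain: str) -> str:
    """Crude organizational-domain guess (last two labels). Assumption made
    to keep the example self-contained; real code consults the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)

@dataclass
class MessageFacts:
    header_from: str            # RFC5322.From domain, what recipients see
    mail_from: str              # RFC5321.MailFrom / Return-Path domain (SPF identity)
    spf_pass: bool              # SPF result for mail_from
    dkim_domain: Optional[str]  # d= of a valid DKIM signature, or None
    dkim_pass: bool

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def dmarc_result(m: MessageFacts, policy: dict) -> tuple:
    """Return (dmarc_pass, disposition). DMARC passes when SPF or DKIM passes
    AND that identifier aligns with the Header From; otherwise the record's
    p= tag decides what the receiver is asked to do (none/quarantine/reject)."""
    spf_ok = m.spf_pass and aligned(m.mail_from, m.header_from, policy.get("aspf", "r"))
    dkim_ok = bool(m.dkim_pass and m.dkim_domain
                   and aligned(m.dkim_domain, m.header_from, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy.get("p", "none")

# Constructed scenario: the sender's own envelope domain passes SPF, but the
# visible From header carries a domain it has no right to use.
SPOOFED = MessageFacts("yourdomain.example", "other-sender.example", True, None, False)
# Constructed legitimate mail: bounce subdomain for SPF, DKIM signed by the org domain.
LEGIT = MessageFacts("yourdomain.example", "bounce.yourdomain.example", True,
                     "yourdomain.example", True)
```

Run `dmarc_result(SPOOFED, parse_dmarc("v=DMARC1; p=none"))` and `dmarc_result(SPOOFED, parse_dmarc("v=DMARC1; p=reject"))` side by side: SPF passes in both cases yet DMARC fails, and only the p=reject record asks the receiver to act.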
Strict SPF Can Diminish DMARC Efficiency
- If you have a p=quarantine or p=reject DMARC policy but are using a strict SPF (-all), some legacy email servers may reject or mark your emails as spam.
- A strict SPF can interfere with DKIM authentication and alignment, weakening DMARC results. Yes, a -all hard fail can cause a receiver to reject the message before DKIM is even evaluated, and DKIM could often have "saved the day".
- Balance SPF and DMARC configurations to ensure deliverability and security.
Hidden Rejections / Not on Black Lists
Even if your domain isn’t on public Black Lists, major email providers may silently reject or quarantine your emails based on internal policies. DMARC monitoring could help you detect that.
DMARC Reporting
Enable DMARC reporting to gain insights into how your emails are handled by recipients’ servers. This feedback is invaluable for troubleshooting and improving deliverability.
Final Note
Protect your domain and enhance email security by implementing a robust DMARC policy.
Start by checking your domain’s status with the DMARC Guy Verification Tool on our website.