Threat Intelligence

How Attackers Spoof Your Domain — and How to Stop Them

Email spoofing costs businesses over $6 billion annually. Understanding the attack chain is the first step to building an effective defense.

April 3, 2026, 10 min read

The anatomy of an email spoofing attack

Email spoofing exploits a fundamental design flaw: the SMTP protocol lets anyone set any value in the "From" header. An attacker rents a cheap server, configures it to send email as [email protected], and the recipient sees a message that appears to come from your CEO.

The attack is trivially easy — a few lines of configuration. The damage is not. Business Email Compromise (BEC) using spoofed domains resulted in $6.7 billion in losses in 2024 according to the FBI's Internet Crime Complaint Center. The average BEC incident costs $125,000.

[Figure: attack chain versus defense chain]
Attack chain: Attacker (spoofs From: header) -> Rented server (sends as your-domain.com) -> Recipient inbox (looks legitimate) -> Credential theft / BEC / phishing.
Defense chain: SPF (IP authorized?) -> DKIM (signature valid?) -> DMARC (aligned + policy) -> Lookalike monitor (domain variants) -> Takedown (remove threats).
SPF + DKIM + DMARC + Monitoring + Takedown = Complete Protection

Why SPF alone is not enough

SPF (Sender Policy Framework) checks whether the sending server's IP address is authorized by the domain owner. It's a good start, but it has critical limitations:

  • SPF checks the envelope sender, not the From header. Attackers can pass SPF by using their own domain in the envelope while spoofing yours in the visible From header.
  • SPF breaks on forwarding. When email is forwarded, the originating IP changes, causing SPF to fail for legitimate mail.
  • SPF has a 10-lookup limit. Complex SPF records with many includes can exceed this limit, causing silent failures.
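The three limitations above are easiest to see with a small SPF evaluator. The block below is an added example, not the article's or SpoofSentry's code: it walks constructed, in-memory DNS records (every domain and record is an assumption) using a simplified form of the RFC 7208 rules, evaluates only the envelope domain as real receivers do, and counts DNS lookups so a record that exceeds the 10-lookup budget returns permerror instead of silently failing. In production the in-memory table would be replaced by a real resolver.

```python
"""Simplified SPF evaluator over a constructed, in-memory DNS table.

Added example, not the article's or SpoofSentry's code. The resolver and every
record below are constructed assumptions; the evaluation rules (ip4, a, include,
redirect, qualifiers, and the 10-DNS-lookup limit that yields permerror) follow
RFC 7208 in simplified form.
"""
import ipaddress

LOOKUP_LIMIT = 10
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data (assumption). 'bloated.example' is a record that exceeds
# the lookup limit; 'attacker.example' is an attacker's own domain whose record
# authorizes the attacker's own server.
DNS = {
    "your-company.com": {
        "TXT": "v=spf1 a ip4:203.0.113.0/24 include:_spf.bulkmailer.example -all",
        "A": ["203.0.113.10"],
    },
    "_spf.bulkmailer.example": {"TXT": "v=spf1 ip4:192.0.2.0/24 -all"},
    "attacker.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
    "bloated.example": {
        "TXT": "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all"
    },
}
for i in range(11):
    DNS[f"svc{i}.example"] = {"TXT": f"v=spf1 ip4:10.{i}.0.0/16 -all"}


def evaluate_spf(domain, client_ip, lookups=None):
    """Return pass/fail/softfail/neutral/none/permerror for a domain and sending IP.

    `lookups` is a one-element list shared across includes and redirects so the
    DNS-lookup budget is counted for the whole evaluation, as the RFC requires.
    """
    lookups = [0] if lookups is None else lookups
    record = DNS.get(domain.lower(), {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    redirect = None
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier such as redirect= or exp=
            key, _, value = term.partition("=")
            if key == "redirect":
                redirect = value
            continue
        name, _, arg = term.partition(":")
        if name in ("a", "mx", "include", "ptr", "exists"):
            lookups[0] += 1
            if lookups[0] > LOOKUP_LIMIT:
                return "permerror"           # RFC 7208 section 4.6.4: too many lookups
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = client_ip in DNS.get(arg or domain, {}).get("A", [])
        elif name == "include":
            sub = evaluate_spf(arg, client_ip, lookups)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"          # an include matches only on pass
        if matched:
            return QUALIFIER_RESULT[qualifier]
    if redirect:
        lookups[0] += 1
        if lookups[0] > LOOKUP_LIMIT:
            return "permerror"
        return evaluate_spf(redirect, client_ip, lookups)
    return "neutral"


def spf_check_message(envelope_from, header_from, client_ip):
    """SPF is evaluated on the envelope (MAIL FROM) domain only; the visible
    From: header is never consulted. That is the gap DMARC alignment closes."""
    envelope_domain = envelope_from.rsplit("@", 1)[-1]
    header_domain = header_from.rsplit("@", 1)[-1]
    return {
        "spf": evaluate_spf(envelope_domain, client_ip),
        "envelope_domain": envelope_domain,
        "header_domain": header_domain,
        "domains_match": envelope_domain.lower() == header_domain.lower(),
    }


def spf_lookup_count(domain):
    """Audit helper: count the DNS lookups a full walk of the record costs."""
    lookups = [0]
    evaluate_spf(domain, "100.64.0.1", lookups)   # an IP that matches nothing
    return lookups[0]


if __name__ == "__main__":
    # Attacker's own envelope domain, spoofed visible header: SPF still passes.
    print(spf_check_message("bounce@attacker.example", "ceo@your-company.com", "198.51.100.7"))
    print("lookups for bloated.example:", spf_lookup_count("bloated.example"))
```

Running `spf_lookup_count` against your own domain is the check to add to a DNS change pipeline: the count has to stay at or below 10 after every new `include:` a vendor asks for.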

The layered defense model

Effective spoofing prevention requires multiple layers, each addressing a different attack vector:

Layer 1: SPF + DKIM + DMARC

DMARC ties SPF and DKIM together with alignment — the domain in the visible From header must match the domain validated by SPF or DKIM. This closes the envelope-vs-header gap that SPF alone can't address. With p=reject, receivers that enforce the policy reject messages that fail alignment outright.
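The alignment rule is what turns the three records into a usable policy, and it is worth seeing how a receiver applies it to the cases the article raises: the attacker who passes SPF on their own envelope domain, and legitimate mail that fails SPF after forwarding. The block below is an added example, not the article's or SpoofSentry's code; it takes the SPF and DKIM results as already computed, uses a tiny constructed stand-in for the Public Suffix List to find the organizational domain, and returns the DMARC verdict and disposition. All domains and records in it are assumptions.

```python
"""DMARC alignment and disposition, applied to SPF and DKIM results that the
earlier authentication stages have already produced.

Added example, not the article's or SpoofSentry's code. The public-suffix
table is a small constructed stand-in for the real Public Suffix List, and the
message scenarios in __main__ are constructed.
"""

# Constructed stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}


def organizational_domain(domain):
    """Strip subdomains down to the registrable (organizational) domain."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(from_domain, auth_domain, mode):
    """'s' (strict): exact match. 'r' (relaxed): same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; aspf=r' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def dmarc_evaluate(header_from_domain, dmarc_record, spf_result, spf_domain, dkim_results):
    """Return (dmarc_pass, disposition).

    spf_domain is the envelope (MAIL FROM) domain SPF was evaluated on;
    dkim_results is a list of (result, d=domain) pairs, one per signature.
    DMARC passes if at least one of the two mechanisms passed AND its domain
    aligns with the visible From: domain.
    """
    tags = parse_dmarc(dmarc_record)
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")
    spf_aligned = spf_result == "pass" and aligned(header_from_domain, spf_domain, aspf)
    dkim_aligned = any(result == "pass" and aligned(header_from_domain, d, adkim)
                       for result, d in dkim_results)
    if spf_aligned or dkim_aligned:
        return True, "accept"
    policy = tags.get("p", "none")
    return False, policy if policy in ("reject", "quarantine") else "accept"


# Constructed policy record for the protected domain (assumption).
DMARC_RECORD = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc-reports@your-company.com"

if __name__ == "__main__":
    # Attacker passes SPF and DKIM on attacker.example, but nothing aligns.
    print(dmarc_evaluate("your-company.com", DMARC_RECORD,
                         "pass", "attacker.example", [("pass", "attacker.example")]))
    # Forwarded legitimate mail: SPF fails (new IP), DKIM survives and aligns.
    print(dmarc_evaluate("your-company.com", DMARC_RECORD,
                         "fail", "your-company.com", [("pass", "your-company.com")]))
```

The forwarded case is why the article's "SPF breaks on forwarding" point matters less once DKIM is in place: the signature travels with the message, so alignment still holds. Note also the effect of `adkim=s`: a signature from `mail.your-company.com` does not align with a From: of `your-company.com` under strict mode, which is a common self-inflicted failure when tightening alignment.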

Layer 2: Lookalike domain monitoring

DMARC protects your exact domain, but attackers adapt. They register domains that look like yours: your-c0mpany.com (zero instead of O), your-company.net (different TLD), or your-company-support.com (combo-squat). These bypass DMARC because they're different domains.

Continuous monitoring for lookalike registrations — typosquats, homoglyphs, TLD variants, and combo-squats — catches these attacks early, often before the attacker launches their campaign.
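The monitoring side of this is a generate-and-match problem: enumerate the variants of your own domain in the four classes the article names, then compare each batch of newly registered domains against that set. The block below is an added example, not the article's or SpoofSentry's code; the homoglyph table, TLD list, combo words and the "new registrations" feed are all constructed assumptions, and a real deployment would feed in zone-file or certificate-transparency data instead.

```python
"""Lookalike-domain candidate generation and feed matching.

Added example, not the article's or SpoofSentry's code. The four variant
classes (typosquat, homoglyph, TLD variant, combo-squat) follow the article;
the substitution tables and the registration feed are constructed assumptions.
"""

# Constructed tables (assumptions); production lists are much larger.
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
              "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"]}
TLDS = ["com", "net", "org", "co", "io", "biz"]
COMBO_WORDS = ["support", "secure", "login", "hr", "billing"]


def typosquats(label):
    """Single-character omission, doubling, adjacent transposition, hyphen removal."""
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                       # omission
        variants.add(label[:i] + label[i] * 2 + label[i + 1:])        # doubling
        if i < len(label) - 1:
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    variants.add(label.replace("-", ""))
    variants.discard(label)
    # Keep only syntactically valid DNS labels.
    return {v for v in variants if v and not v.startswith("-") and not v.endswith("-")}


def homoglyphs(label):
    """One visually similar substitution per position."""
    return {label[:i] + sub + label[i + 1:]
            for i, ch in enumerate(label) for sub in HOMOGLYPHS.get(ch, [])}


def combo_squats(label):
    """Brand label combined with a plausible service word."""
    return {f"{label}-{w}" for w in COMBO_WORDS} | {f"{w}-{label}" for w in COMBO_WORDS}


def candidates(domain):
    """Map every lookalike candidate of `domain` to its variant class."""
    label, _, tld = domain.lower().partition(".")
    out = {}
    for v in typosquats(label):
        out[f"{v}.{tld}"] = "typosquat"
    for v in homoglyphs(label):
        out[f"{v}.{tld}"] = "homoglyph"
    for t in TLDS:
        if t != tld:
            out[f"{label}.{t}"] = "tld-variant"
    for v in combo_squats(label):
        out[f"{v}.{tld}"] = "combo-squat"
    return out


def scan_feed(domain, feed):
    """Return (registered_domain, variant_class) for every feed entry that is a lookalike."""
    cands = candidates(domain)
    return sorted((d.lower(), cands[d.lower()]) for d in feed if d.lower() in cands)


# Constructed sample of a newly-registered-domains feed (assumption).
NEW_REGISTRATIONS = [
    "your-c0mpany.com", "your-company.net", "your-company-support.com",
    "yourcompany.com", "unrelated-shop.com", "your-cmpany.com",
]

if __name__ == "__main__":
    for hit in scan_feed("your-company.com", NEW_REGISTRATIONS):
        print(hit)
```

Each hit is a lead for the takedown step, not a verdict: a lookalike is only malicious once it hosts mail or a phishing page, so the matcher's output should be enriched (MX records, certificate issuance, web content) before an abuse report is filed.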

Layer 3: Takedown orchestration

Detection without response is just a dashboard. When a malicious lookalike is confirmed, automated takedown orchestration files abuse reports with registrars, hosting providers, certificate authorities, and browser blocklists simultaneously. SpoofSentry dispatches to Google Web Risk (5B+ devices), Netcraft (active takedown pursuit), and URLhaus (threat intel feeds) in parallel.

Getting started today

The first step is understanding your current exposure. Run a free domain security check to see your score across all 9 dimensions.
