Email Spoofing

Sending an email message with a forged From header that makes it appear to come from a domain the sender does not control.

Definition

Email spoofing is the act of sending a message with a forged From: header that makes it appear to originate from a domain the sender does not control. Spoofing exploits a fundamental design property of SMTP — the protocol does not require the visible From header to match the actual sending server's identity. Without authentication, any mail server on the public internet can send a message claiming to be from any domain, and the receiver has no built-in way to detect the forgery.

How it works

SMTP separates two distinct addresses for every message: the envelope sender (the MAIL FROM address used at the SMTP layer for bounce routing) and the header From (the From: field in the message body that mail clients display to the user). These can be — and often are — different. A legitimate forwarding service might rewrite the envelope sender while preserving the original From header. A spoofer takes advantage of this separation to put a victim's domain in the visible From while sending from infrastructure they control.

Email authentication standards exist precisely to defeat spoofing. SPF authenticates the envelope sender against a published list of authorised IPs. DKIM cryptographically signs messages so the receiver can verify the signing domain. DMARC ties the two back to the visible From header via the alignment check and gives domain owners a policy mechanism to tell receivers what to do with unauthenticated mail.

Spoofing is the technical foundation of phishing and business email compromise. Without spoofing, social engineering attacks against email are vastly less effective.

Example

A spoofed message captured at the SMTP layer:

// Connecting from 198.51.100.99 (attacker-controlled)
MAIL FROM:<attacker@malicious.example>
RCPT TO:<victim@target.example>
DATA
From: "Acme Bank Support" <support@acmebank.example>
Subject: Urgent: verify your account
...
The connecting IP and envelope sender (198.51.100.99 / malicious.example) are honest about the attacker's actual identity. The visible From header (support@acmebank.example) is forged. Without DMARC, the recipient's mail client displays the forged From and the user has no easy way to detect the spoof. With DMARC at p=reject on acmebank.example, a receiver that enforces DMARC rejects this message at the SMTP layer before the user ever sees it: even if SPF passes for malicious.example, that domain does not align with the From domain, and there is no DKIM signature from acmebank.example, so the DMARC check fails.
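The alignment logic described under "How it works", applied to the session above, as an added example (not code from the original page). It assumes the SPF and DKIM results have already been computed by the receiver, and it derives the organisational domain from the last two labels, a simplification standing in for the Public Suffix List lookup a real DMARC validator performs.

```python
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Simplification: treat the last two labels as the organisational domain
    (real validators consult the Public Suffix List instead)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) needs the same organisational domain."""
    a, h = auth_domain.lower(), header_from_domain.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


@dataclass
class Message:
    header_from_domain: str        # domain in the visible From: header
    envelope_from_domain: str      # MAIL FROM domain that SPF was evaluated for
    spf_result: str                # "pass", "fail", "none", ...
    dkim_domain: Optional[str]     # d= of a DKIM signature that verified, else None


def dmarc_disposition(msg: Message, policy: str, adkim: str = "r", aspf: str = "r") -> str:
    """Return 'pass' when SPF or DKIM passes AND aligns with the From: domain;
    otherwise return the domain owner's policy (none / quarantine / reject)."""
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.envelope_from_domain, msg.header_from_domain, aspf)
    dkim_ok = msg.dkim_domain is not None and aligned(
        msg.dkim_domain, msg.header_from_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else policy


# The session from the page: the attacker's own domain can pass SPF, but it is
# not aligned with the forged From: domain, and nothing is signed by acmebank.example.
SPOOFED = Message("acmebank.example", "malicious.example", "pass", None)

# Constructed counter-example: a forwarder rewrites the envelope sender (SPF fails)
# but the bank's own DKIM signature survives, so DMARC still passes via DKIM.
FORWARDED = Message("acmebank.example", "forwarder.example", "fail", "acmebank.example")

if __name__ == "__main__":
    print(dmarc_disposition(SPOOFED, "reject"))    # reject
    print(dmarc_disposition(FORWARDED, "reject"))  # pass
```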