Email Spoofing (SPF / DKIM / DMARC)
The forging of an email's sender address to impersonate a trusted organisation, and the three DNS-based standards designed to detect and block such forgeries.
Also known as: from-address spoofing, email impersonation, SPF, DKIM, DMARC
Last reviewed: 10 June 2026
Email spoofing exploits the fact that the original email protocol (SMTP) allows any sender to declare any 'From' address. Criminals send emails that appear to come from a bank, a government body, or a known contact — complete with the correct domain name — to trick recipients into clicking links, opening attachments, or transferring funds.
Three complementary DNS-based standards have been developed to combat spoofing. SPF (Sender Policy Framework) publishes, in a DNS TXT record, which mail servers are authorised to send for a domain, so a receiving server can check the IP address of the connecting server against that list. DKIM (DomainKeys Identified Mail) adds a cryptographic signature, verified against a public key published in the sending domain's DNS, that proves the message was signed by the holder of that domain's key and was not altered in transit. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together: it requires the domain that passed SPF or DKIM to align with the domain shown in the 'From' header, and it tells receiving servers what to do when a message fails that check (reject it, quarantine it, or only report it). When all three are correctly configured with a strict DMARC policy, impersonation of that domain in email is dramatically harder.
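The following Python script is an added example, not part of the original page, showing how a receiving mail server combines the three checks into one DMARC decision. DNS lookups are replaced by a constructed in-memory table of invented domains and records (example.com, attacker.example, weak.example are assumptions), SPF evaluation supports only `ip4` mechanisms and the terminal `all`, and the DKIM signature verification itself is represented by a precomputed result, since the point here is the alignment and policy logic rather than the cryptography.

```python
import ipaddress

# Constructed DNS TXT records standing in for real lookups (assumption:
# these domains and records are invented for the example).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "weak.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
}

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_tags(record):
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_spf(domain, client_ip):
    """Minimal SPF check: ip4 mechanisms and the terminal 'all' only
    (include/redirect/a/mx are out of scope here and are skipped)."""
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return SPF_QUALIFIERS[qualifier]
        elif term == "all":
            return SPF_QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 default when no mechanism matches


def org_domain(domain):
    """Organisational domain, approximated as the last two labels.
    Real receivers consult the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, mail_from_domain, client_ip, dkim_result=None):
    """Return (dmarc_result, disposition) for one message.
    dkim_result is None (unsigned) or (signature_verified, d_tag_domain);
    the cryptographic DKIM verification is assumed to have run upstream."""
    record = DNS_TXT.get("_dmarc." + from_domain.lower())
    if not record:
        return "none", "deliver (no DMARC policy published)"
    tags = parse_tags(record)
    spf_pass = (evaluate_spf(mail_from_domain, client_ip) == "pass"
                and aligned(from_domain, mail_from_domain, tags.get("aspf", "r")))
    dkim_pass = (dkim_result is not None and dkim_result[0]
                 and aligned(from_domain, dkim_result[1], tags.get("adkim", "r")))
    if spf_pass or dkim_pass:
        return "pass", "deliver"
    dispositions = {"reject": "reject", "quarantine": "quarantine", "none": "deliver (report only)"}
    return "fail", dispositions.get(tags.get("p", "none"), "deliver (report only)")


if __name__ == "__main__":
    # Forged From: example.com from an unauthorised host, unsigned -> rejected.
    print(dmarc_evaluate("example.com", "example.com", "203.0.113.7"))
    # SPF passes for the envelope domain, but it does not align with From: -> rejected.
    print(dmarc_evaluate("example.com", "attacker.example", "203.0.113.7"))
    # Legitimate message from an authorised server -> delivered.
    print(dmarc_evaluate("example.com", "example.com", "192.0.2.10"))
    # Policy p=none: the failure is only reported, the message still arrives.
    print(dmarc_evaluate("weak.example", "weak.example", "203.0.113.7"))
```

The two DMARC records in the table illustrate the difference a strict policy makes: with `p=reject` a failing message is refused, while with `p=none` the same failure is merely reported and the forged message reaches the inbox. The second sample call shows why alignment matters: an SPF pass for some other domain does not protect the domain in the visible 'From' header.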
Consumers cannot configure these standards themselves (they are set by domain owners), but awareness helps: emails that pass your spam filter are not necessarily legitimate, especially if they request urgent action. Always navigate to financial sites directly rather than through email links.