Deliverability
How to detect if someone is spoofing your domain and stop it
Domain spoofing happens silently. Here's how to detect it from DMARC reports and stop it before it reaches anyone.
This landed in my inbox three weeks ago.
Subject: "MetaMask: Action Required"
Sender: upzizaan@ehz.io via infraova.com
It looked completely legitimate.
Someone was using my own domain infraova.com to send phishing emails. Gmail caught it and dropped it in spam. But here's what scared me: I had no idea it was happening until it landed in my own inbox by accident.
If it had gone to my users instead, I would have found out from them.
That's the problem with domain spoofing. It happens silently. No alert fires. No dashboard turns red. You find out when someone forwards you the phishing email your "company" just sent them.
What domain spoofing actually is
Domain spoofing is when someone sends email that appears to come from your domain without your authorization. They don't need access to your servers, your DNS, or your email provider. They just need your domain name, which is public, and a mail server willing to send on their behalf.
The result: recipients see your domain in the From field. Your brand. Your reputation. Their trust exploited.
It's used for phishing, business email compromise, and credential theft. And it's more common than most agencies realize, because most domains are wide open to it.
Why most domains are vulnerable
The protection against spoofing is DMARC. Specifically, the p= policy tag in your DMARC record.
There are three settings:
- p=none: monitor only. Unauthorized senders can use your domain and Gmail will deliver it anyway. This is where most domains sit.
- p=quarantine: suspicious email goes to spam. Better, but not blocked.
- p=reject: unauthorized senders are blocked outright. Nothing gets through.
If your DMARC record says p=none, anyone can spoof your domain right now. Gmail, Yahoo, and Microsoft will accept and deliver it.
Check yours by running:
nslookup -type=TXT _dmarc.yourdomain.com
If you see p=none, or no DMARC record at all, you're exposed.
How spoofing shows up in DMARC reports
Every major mail provider (Google, Yahoo, Microsoft, Apple) sends daily aggregate reports to the address in your DMARC rua= tag. These reports cover every message that provider received with your domain in the From field over the past 24 hours, including the unauthorized ones.
Here's what a spoofing attempt looks like in a DMARC report:
<record>
  <row>
    <source_ip>185.220.101.45</source_ip>
    <count>47</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>fail</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
</record>
An IP address you don't recognize. DKIM fail. SPF fail. 47 emails sent using your domain in one day.
That's a spoofing attempt. And with p=none, every one of those 47 emails was delivered rather than blocked.
The problem: DMARC reports are compressed XML files sent as email attachments. Reading them manually requires extracting a zip, parsing XML, and knowing what to look for. Most agencies never look at them at all.
How to detect spoofing in real time
After my own domain got spoofed, I built a feature into Infraova that does this automatically.
Every time a DMARC aggregate report arrives, Infraova parses it and flags any record where:
- The source IP is not an authorized sender
- Both DKIM and SPF fail alignment
- The email count is above zero
When that pattern appears, an alert fires immediately: before the next report cycle, before a client forwards you the phishing email, before the damage is done.
The alert tells you which IP is sending, how many emails went out, which mail providers received them, and whether your current policy would have blocked them.
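The detection rule above, written out as an added Python example (this is not Infraova's code, which the post does not show): it unpacks a report attachment, walks each record, and flags rows from IPs outside an authorized list where DKIM and SPF both fail with a non-zero count. It also separates authorized senders that fail a check, which the policy-tightening steps later in the post tell you to fix first. The sample report and the authorized network 203.0.113.0/24 are constructed; the failing IP is the one from the report excerpt above.

```python
import io, ipaddress, zipfile
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree: reports arrive from untrusted senders

# Constructed sample: a trimmed RFC 7489 aggregate report (authorized sender with broken DKIM, plus the unknown IP from the post)
SAMPLE_XML = b"""<?xml version="1.0"?><feedback>
<report_metadata><org_name>example-reporter</org_name></report_metadata>
<policy_published><domain>infraova.com</domain><p>none</p></policy_published>
<record><row><source_ip>203.0.113.10</source_ip><count>120</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
</policy_evaluated></row></record>
<record><row><source_ip>185.220.101.45</source_ip><count>47</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
</policy_evaluated></row></record>
</feedback>"""

def as_zip_attachment(xml_bytes):
    """Wrap XML in a constructed .zip, the way providers attach reports."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.xml", xml_bytes)
    return buf.getvalue()

def unpack_report(blob):
    """Return the XML bytes from a raw .xml or .zip attachment."""
    if blob[:2] == b"PK":  # zip magic bytes
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.read(next(n for n in zf.namelist() if n.endswith(".xml")))
    return blob

def triage_report(blob, authorized_networks):
    """Split rows into 'spoofing' (unknown IP, DKIM and SPF both fail, count > 0)
    and 'auth_gaps' (authorized IP failing a check; fix these before p=reject)."""
    nets = [ipaddress.ip_network(n) for n in authorized_networks]
    root = ET.fromstring(unpack_report(blob))
    out = {"domain": root.findtext("policy_published/domain"),
           "reporter": root.findtext("report_metadata/org_name"),
           "policy_would_block": root.findtext("policy_published/p") in ("quarantine", "reject"),
           "spoofing": [], "auth_gaps": []}
    for row in root.iterfind("record/row"):
        ip = ipaddress.ip_address(row.findtext("source_ip"))
        count = int(row.findtext("count") or 0)
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        entry = {"source_ip": str(ip), "count": count, "dkim": dkim, "spf": spf}
        authorized = any(ip in n for n in nets)
        if count > 0 and not authorized and dkim == "fail" and spf == "fail":
            out["spoofing"].append(entry)
        elif authorized and "fail" in (dkim, spf):
            out["auth_gaps"].append(entry)
    return out
```

Anyone can mail a report to your rua= address, so treat the XML as untrusted input and confirm an alert against the reporter's identity and your own sending logs before acting on it.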
For agencies managing client domains, this matters more than it does for single-domain operators. One spoofed client domain is a client relationship at risk. Ten unmonitored client domains are ten open attack surfaces.
How to stop spoofing entirely
Detection tells you it's happening. Prevention stops it.
The fix is moving your DMARC policy from p=none to p=reject. But you can't do that safely until your legitimate email is fully authenticated; otherwise you'll block your own emails along with the spoofed ones.
The safe path:
Step 1: Audit your authorized senders
Every service sending email from your domain needs a valid DKIM signature and SPF record. Check your DMARC reports for authorized IPs that are currently failing authentication. Fix those first.
Step 2: Move to p=quarantine
Once your legitimate senders are all passing, move to quarantine. This sends spoofed emails to spam instead of the inbox. Monitor for 2-4 weeks to confirm nothing legitimate is being caught.
Step 3: Move to p=reject
When you're confident everything legitimate is passing, move to reject. Unauthorized senders are now blocked at the mail server level. Your domain can no longer be spoofed successfully.
The whole process takes 2-6 weeks depending on how many sending services you use. For a single domain with one or two senders, it can be done in days.
What this means for agencies
If you manage email infrastructure for clients, each client domain is its own attack surface.
A client running email campaigns probably has three or four authorized senders: their ESP, their CRM, their transactional email provider, maybe a support tool. Each one needs to be in SPF. Each one needs DKIM configured. And the DMARC policy needs to be at quarantine or reject before you can say the domain is protected.
Most agency clients are sitting at p=none. Most have never looked at a DMARC report. And most won't know their domain is being used for phishing until a recipient tells them.
The agency that catches it first keeps the client. The agency that finds out from the client has a harder conversation.
Check your domains now
Run this on any domain you manage:
nslookup -type=TXT _dmarc.clientdomain.com
If you see p=none, or nothing at all, that domain is spoofable today.
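As an added example (not part of the post), the check both nslookup commands above ask you to do by eye, done in Python on the TXT strings the resolver returns, with the edge cases a manual glance misses: two DMARC records (receivers then apply no DMARC at all), a missing p= tag, and pct=0 hollowing out a reject policy. The helper that reads nslookup output assumes the `text = "..."` layout nslookup prints; the record strings in the comments are constructed.

```python
import re

def txt_records_from_nslookup(output):
    """Pull the TXT strings out of `nslookup -type=TXT _dmarc.<domain>` output.
    Adjacent quoted chunks of one long record are joined, as DNS intends."""
    records = []
    for chunk in re.findall(r'text =\s*((?:"[^"]*"\s*)+)', output):
        records.append("".join(re.findall(r'"([^"]*)"', chunk)))
    return records

def parse_dmarc_record(txt):
    """Split e.g. 'v=DMARC1; p=none; rua=mailto:...' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def dmarc_exposure(txt_records):
    """Classify the TXT strings published at _dmarc.<domain> the way the post does.
    Returns (verdict, reason) with verdict 'exposed', 'quarantine' or 'reject'."""
    dmarc = [r.strip() for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "exposed", "no DMARC record published"
    if len(dmarc) > 1:
        # RFC 7489 6.6.3: more than one record at _dmarc means receivers apply no DMARC at all
        return "exposed", "multiple DMARC records, receivers ignore all of them"
    tags = parse_dmarc_record(dmarc[0])
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    if policy not in ("quarantine", "reject"):
        # RFC 7489 6.6.3: a missing or invalid p= tag is treated as p=none at best
        return "exposed", "p=%s, unauthorized mail is still delivered" % (policy or "missing")
    if pct == 0:
        # pct=0 keeps the record but asks receivers to enforce the policy on no messages
        return "exposed", "p=%s with pct=0, policy applied to nothing" % policy
    reason = "p=%s applied to %d%% of failing mail" % (policy, pct)
    if not tags.get("rua"):
        reason += "; no rua= tag, so you receive no aggregate reports"
    return policy, reason
```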
Infraova monitors this automatically across all your client domains, parses every DMARC report as it arrives, and fires an alert the moment a spoofing attempt appears. Start a free trial →