Understanding spoofing detection alerts
What spoofing detection does
Infraova automatically receives DMARC aggregate reports from the major email providers (Gmail, Yahoo, and Microsoft) every 24 hours. These reports list every email sent using a monitored domain as the sender address, including emails sent by unauthorized parties.
When a report shows messages where both DKIM and SPF authentication failed, Infraova identifies those as spoofing attempts and fires a critical alert automatically. No manual action is required.
What the alert shows
Each spoofing alert includes the attacker's source IP address, the hostname that IP resolves to (looked up in real time), the number of emails sent, your client's current DMARC policy, and whether that policy is blocking or quarantining the spoofed messages.
If the policy is p=reject, spoofed emails are blocked outright. If it is p=quarantine, they go to spam but are not fully rejected. If it is p=none, spoofed emails reach the inbox with no enforcement.
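As an added illustration of the detection rule and policy reading described above (example code written for this page, not Infraova's own implementation), the snippet below parses a constructed DMARC aggregate (RUA) report, keeps only records where both DKIM and SPF failed, totals them per source IP, and reports what the published policy does with such messages. It assumes the standard RUA XML layout (`policy_published/p`, `record/row/source_ip`, `count`, `policy_evaluated/dkim`, `policy_evaluated/spf`) and skips the live reverse DNS lookup so it runs offline.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample RUA report, trimmed to the elements this example needs.
# One IP fails both checks in two rows; another is a legitimate sender.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-provider</org_name></report_metadata>
  <policy_published><domain>client.example</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.7</source_ip><count>12</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.20</source_ip><count>340</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# What each published policy means for a message that fails DMARC.
ENFORCEMENT = {
    "reject": "blocked outright",
    "quarantine": "sent to spam, not rejected",
    "none": "delivered to the inbox, no enforcement",
}


def find_spoofing(report_xml: str) -> dict:
    """Summarise spoofing in one aggregate report.

    A row counts as spoofing only when BOTH the DKIM and SPF results under
    policy_evaluated are 'fail'; a single failure is often a forwarder or a
    misconfigured legitimate sender, so it is not counted here.
    """
    root = ET.fromstring(report_xml)
    domain = root.findtext("policy_published/domain", default="")
    policy = root.findtext("policy_published/p", default="none").lower()
    by_ip = defaultdict(int)
    for row in root.iterfind("record/row"):
        dkim = row.findtext("policy_evaluated/dkim", default="").lower()
        spf = row.findtext("policy_evaluated/spf", default="").lower()
        if dkim == "fail" and spf == "fail":
            # Same attacker IP across rows is merged into one count.
            by_ip[row.findtext("source_ip")] += int(row.findtext("count", default="0"))
    return {"domain": domain, "policy": policy,
            "enforcement": ENFORCEMENT.get(policy, "unknown policy"),
            "spoofing_by_ip": dict(by_ip)}
```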
Sending a spoofing incident report to a client
On any real spoofing alert, the Actions panel includes a Send incident report button. Clicking it sends a professional email to the contact address on the client record, summarizing what happened, which IP was involved, and what DMARC action is recommended.
If no contact email is set on the client record, the button shows an amber notice with a link to add one. The send button is only available on real spoofing alerts, not on test alerts.
Viewing spoofing history per domain
Every domain detail page has a Spoofing history card showing all recorded spoofing attempts over the last 90 days, grouped by attacker IP with message counts and trend direction (rising, stable, or falling). This card is always visible, not just when an active alert exists.
Testing the spoofing pipeline
The Spoofing history card includes a Send test spoofing alert button. Clicking it fires a real alert through the real pipeline (live reverse DNS lookup, real database write, real history entry) so you can verify everything works end-to-end before a real attack arrives.
Test alerts are clearly marked [TEST] everywhere they appear and never trigger email or Slack notifications. The button is rate-limited to once per domain per 24 hours.
When spoofing alerts fire
Spoofing alerts fire once per unique attacker IP per domain per report cycle. If the same IP sends spoofed emails across multiple report cycles, the alert is reopened rather than duplicated. This keeps your alert list clean while still surfacing repeat attackers.
The first real spoofing alert for a domain typically arrives 24-48 hours after DMARC reporting is set up, once email providers send their first aggregate report covering the reporting address in your DMARC record.