Short answer: Yes. Unless your domain is properly protected, anyone on the internet can send emails that appear to come from your exact company address — you@yourcompany.co.uk — without ever touching your account or knowing your password. This is called email spoofing, and it's alarmingly easy. The good news is that three free DNS records — SPF, DKIM and DMARC — can stop most spoofed email from ever reaching its target. Here's how it works and what to do about it.
How email spoofing actually works
Email was designed in the 1980s, long before anyone worried about fraud, and it carries a flaw that has never fully gone away: the "From" address you see in your inbox is just a label. Nothing in the basic design of email forces it to be true. A sender can type whatever they like into that field, the same way you can write any return address you want on the back of an envelope.
So an attacker doesn't need to hack your account to send email "from" you. They run their own mail server, set the From address to your company's domain, and send. To the recipient — a customer, a supplier, a member of your own staff — the message looks genuine, because the name and address on it are genuinely yours. They just weren't put there by you.
This is the uncomfortable part for most business owners: spoofing is a weakness in the email system itself, not a sign that anything of yours has been compromised. Which is exactly why you have to actively close the door — it isn't closed by default.
Why it matters more than people think
Spoofing isn't a theoretical risk. It's the engine behind a large share of real-world fraud. The UK government's Cyber Security Breaches Survey found phishing to be the most common type of attack on businesses by far — affecting 38% of all businesses — and the most disruptive, named as the worst attack by 69% of those hit. The National Cyber Security Centre (NCSC), the UK's authority on this, takes spoofing seriously enough that its takedown service has removed well over a million phishing campaigns impersonating trusted organisations.
For a small business, the harm usually lands in one of three ways. A fraudster spoofs your address to invoice your customers, who pay money into the wrong bank account. They impersonate you to your own staff — a fake email from "the director" asking finance to make an urgent payment. Or they pose as your business to the wider public, sending scams that damage a reputation you've spent years building. In every case the attacker is borrowing your credibility, and your name is the one attached to the fraud.
The three records that stop it: SPF, DKIM and DMARC
The fix is a set of three email authentication standards that, working together, let receiving mail servers verify that a message really came from you. They live in your domain's DNS settings and cost nothing to add.
SPF (Sender Policy Framework) is a published list of the mail servers allowed to send email on your behalf. When a message arrives claiming to be from your domain, the receiving server checks whether it came from a server on your approved list. If not, that's a red flag.
DKIM (DomainKeys Identified Mail) adds a tamper-proof digital signature to every message you send. The receiving server can check that signature against a public key in your DNS to confirm the message genuinely came from your domain and wasn't altered in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the piece that ties it together — and the one most businesses are missing. SPF and DKIM each check a behind-the-scenes address, but neither protects the visible "From" line that recipients actually read. DMARC closes that gap. It checks that the visible From address lines up with the domain that SPF and DKIM verified, and then tells receiving servers exactly what to do with anything that fails: nothing, send to spam, or reject outright.
You need all three. SPF and DKIM without DMARC still leave the door to From-address spoofing open, which is why a domain can look "protected" on paper and still be wide open in practice.
Getting DMARC right: the policy setting that does the work
A DMARC record carries a policy that tells the world how strict you want to be. There are three settings, and moving through them in order is the safe way to do it:
- p=none — monitoring only. Nothing is blocked, but you receive reports showing who is sending email using your domain. This is where you start: it reveals your legitimate senders and any spoofing already happening, without risking real mail.
- p=quarantine — messages that fail are diverted to the spam folder rather than the inbox.
- p=reject — messages that fail are blocked entirely and never delivered. This is full enforcement and the strongest protection against spoofing.
The goal is to reach p=reject. But you get there carefully — start at none, use the reports to make sure all your genuine email (your website, your accounting software, your marketing platform) is properly authenticated first, then tighten to quarantine and finally reject. Jump straight to reject without checking and you risk blocking your own legitimate email. This staged approach is the part that genuinely benefits from someone who has done it before.
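To make the alignment idea concrete, here is a small Python illustration (added here, not CyberBITS code) of how a receiving server combines the SPF result, the DKIM result and your DMARC policy to decide what happens to a message. The organisational-domain helper is a deliberate simplification that ignores the public suffix list, and the domains and results are constructed.

```python
# Added illustration, not CyberBITS code. Tag names (p, adkim, aspf) are the
# standard DMARC record tags; domains and pass/fail results are constructed.

SECOND_LEVEL = {"co", "org", "ac", "gov", "ltd", "plc", "sch", "me", "net"}


def org_domain(domain: str) -> str:
    """Crude organisational-domain guess (assumption: no public-suffix list).
    'bounce.yourcompany.co.uk' -> 'yourcompany.co.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=reject; aspf=s' -> {'v': 'DMARC1', 'p': 'reject', 'aspf': 's'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r', the default): same organisational domain. Strict ('s'): exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str, spf_domain: str, spf_pass: bool,
                      dkim_domain: str, dkim_pass: bool) -> tuple:
    """Return (dmarc_pass, action).

    SPF checks the bounce (MAIL FROM) domain and DKIM the d= domain in the
    signature; DMARC passes only if one of them passed AND that domain lines up
    with the visible From domain. Otherwise the p= policy decides the outcome."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "deliver"
    actions = {"none": "deliver (report only)", "quarantine": "spam folder", "reject": "reject"}
    return False, actions.get(tags.get("p", "none"), "deliver (report only)")
```

A spoofer whose own server passes SPF for attacker.example still fails here, because that domain does not align with the yourcompany.co.uk shown in the From line; what then happens to the message is entirely down to the p= value you published.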
This isn't just best practice any more, either. Since February 2024, Google and Yahoo have required bulk senders to use SPF, DKIM and DMARC — and afterwards the number of unauthenticated messages reaching Gmail users dropped by 75%. The direction of travel is clear: authenticated email gets delivered, unauthenticated email increasingly does not.
What these records can — and can't — do
It's worth being honest about the limits. SPF, DKIM and DMARC stop attackers spoofing your exact domain, which is the most convincing and dangerous kind of impersonation. They are essential, and every business should have them.
What they don't stop is "lookalike" domains — an attacker registering yourc0mpany.co.uk or yourcompany-invoices.com and sending from that instead. Those are different domains, so your records don't apply. Defending against lookalikes needs other measures: staff who know to check the address carefully, monitoring for newly registered domains that resemble yours, and email filtering that flags the near-misses. A complete defence pairs domain authentication with alert people and good filtering — the records do the heavy lifting, but they aren't the whole job.
How to check whether you're exposed right now
You can get a rough sense in a few minutes. Free online tools will look up your domain's SPF and DMARC records and tell you whether they exist and how they're configured. If you have no DMARC record, or it's set to p=none and has been for a long time, your domain is effectively open to spoofing of the From address.
But a clean-looking record isn't the same as real protection. The detail matters — whether every legitimate sender is included, whether alignment is set correctly, whether the policy is actually enforcing. That's the difference between a domain that looks protected and one that is.
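The kind of checks a lookup tool runs over your published records, as an added Python example (not CyberBITS code and not their free checker). It assumes the SPF and DMARC TXT records have already been fetched from DNS and are passed in as strings, so it runs offline on the constructed samples in the test; the "exposed / partial / enforcing" verdict is this example's own simplification.

```python
import re

# Added example, not CyberBITS code or their free checker. The two records
# would normally come from DNS TXT lookups of <domain> (SPF) and
# _dmarc.<domain> (DMARC); here they are passed in as strings.


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=none; rua=mailto:r@x' -> {'v': 'DMARC1', 'p': 'none', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf, dmarc) -> tuple:
    """Return ('exposed' | 'partial' | 'enforcing', findings) for one domain."""
    findings, spf_open = [], False
    # SPF: the qualifier on 'all' decides unlisted servers. '-all' fails them,
    # '~all' softfails, '?all' (or no 'all') is neutral, and '+all' passes
    # everyone, which lets a forger pass an aligned SPF check under DMARC.
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("no SPF record: your own mail must rely on DKIM alone")
    else:
        m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf)
        qual = (m.group(1) or "+") if m else "?"
        spf_open = qual == "+"
        if spf_open:
            findings.append("SPF ends in '+all': any server passes SPF as you")
        elif qual == "?":
            findings.append("SPF is neutral for unlisted servers: it rejects nothing")
    # DMARC: the only record that protects the visible From line.
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        findings.append("no DMARC record: the visible From address can be forged")
        return "exposed", findings
    tags = parse_dmarc(dmarc)
    policy, pct = tags.get("p", "none"), int(tags.get("pct", "100"))
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, failing mail still lands")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: failing mail goes to spam, not blocked")
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failures")
    if "rua" not in tags:
        findings.append("no rua= address: you get no reports on who sends as you")
    if spf_open or policy == "none":
        return "exposed", findings
    if policy == "quarantine" or pct < 100:
        return "partial", findings
    return "enforcing", findings
```

Note that a record can parse cleanly and still leave you exposed: p=none with a tidy rua= address is the most common "protected on paper" configuration.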
How CyberBITS helps
Locking down your domain against spoofing is exactly the kind of unglamorous, high-impact work that's easy to put off and easy to get subtly wrong. We set up SPF, DKIM and DMARC properly, move your policy to full enforcement without breaking your legitimate email along the way, and monitor the reports so it stays effective as your tools and senders change. It also sits squarely within the controls that frameworks like Cyber Essentials expect you to have in place.
Our cybersecurity service covers email authentication end to end — assessing where you stand today, fixing the gaps, and keeping your domain protected for West Midlands and South Staffordshire SMEs who don't have in-house IT.
Frequently asked questions
Does email spoofing mean my account has been hacked? No. Spoofing exploits a weakness in how email works, not a breach of your account. An attacker can forge your address without ever accessing your mailbox or knowing your password. That's why prevention has to be set up deliberately at the domain level.
Are SPF, DKIM and DMARC free? The records themselves are free to add to your domain's DNS. The cost, if any, is the time and expertise to configure them correctly and move to enforcement without disrupting your real email.
How long does it take to protect a domain? The records can be published quickly, but reaching full p=reject enforcement safely usually takes a few weeks of monitoring first, to confirm every legitimate sender is authenticated before you start blocking anything.
What if someone uses a lookalike domain instead? Authentication records only protect your exact domain. Lookalike domains need separate defences — staff awareness, domain monitoring and email filtering — alongside SPF, DKIM and DMARC.
Find out if your domain is exposed
If you've never set up DMARC — or you're not sure whether what you have actually works — check out our free tool or book a free discovery call. We'll check your domain, tell you plainly how exposed you are to spoofing, and what it would take to shut it down. Fifteen minutes, no jargon, no pressure.
This article is general guidance for UK SMEs and not formal security advice. Email authentication standards and provider requirements change over time — check current details before relying on any specific configuration.
Tagged
- email spoofing
- domain spoofing
- SPF DKIM DMARC
- phishing
- UK small business cybersecurity