On spoofing · The verdict, and the receipt

Spoofed mail doesn't reach your inbox.
And we show our work.

Most inboxes let a message that fails authentication through and clip a vague warning to it. Folio does the opposite: mail that can't prove who sent it is filed to Spam on arrival — and when anything is flagged, the letter says why, in plain English, right next to the checks that made the call.

Checked on arrival: SPF · DKIM · DMARC

Filed before content is scored

Every flag explained in plain English

I · The black box

The industry built spam filtering to avoid annoying senders.

Watch how the big inboxes actually treat a forged sender. Proton documents that it doesn't refuse a message even when the domain's own policy says to reject it — it sends the mail to spam with a warning. Fastmail is explicit that authentication results only nudge a spam score; mail is not outright rejected. The verdict gets delegated to whatever policy the spammer's domain happens to publish.

And the reason a message was flagged? It's there — buried in raw headers behind “Show original,” written for machines. The one banner a person actually sees says some flavor of “be careful,” which is why the most common follow-up search is how to make the warning go away. A black box that says “maybe” teaches you to click anyway.

II · The verdict, and the receipt

We make the call — then hand you the receipt.

Refuse

Unverifiable mail never lands

A message with no passing SPF and no passing DKIM — or a From-domain whose DMARC policy says to reject failures — is filed straight to Spam on arrival, before it's ever scored on content. Even a forged domain that publishes no policy at all can't dodge the check by staying silent.

Explain

The reason, in plain English

Open a flagged letter and the authentication results are written out as sentences, not status codes — what SPF, DKIM, and DMARC each found, and what it means for this message. No raw headers, no decoder ring.

Contextualize

History, framed as history

A sender's track record is shown as exactly that — context, never a verdict. A domain with a strong history still has to pass the authentication sitting right beside it, because history keys on a name that can be forged.

From: Billing <billing@your-bank.example>
Sent via: mail.unknown-host.example
Subject: Verify your account now

SPF failed · DKIM failed · DMARC no policy → Kept out of your inbox

Warning · Sender checks didn't add up

We moved this letter to spam because sender checks didn't add up.

SPF
The sending server is not on this domain's published list of approved senders.
DKIM
The letter's cryptographic signature didn't verify — it may have been altered in transit, or the signature is forged.
DMARC
The sending domain hasn't published an authentication policy.
HISTORY
We've seen relatively little mail from this sender, so there's little track record to vouch for it.
Reproduced from the in-product message-details card

III · The question everyone searches

“I got an email from my own address.”

It's the most frightening message in the inbox, and the most misunderstood. Anyone can type your address into the From line — it proves nothing about access to your account. You almost certainly weren't hacked.

And on Folio, you'd never have seen it. A letter claiming to be from your domain that can't pass that domain's authentication is filed to Spam on arrival — with the forgery named, not hinted at.

IV · The difference, row by row

Same forged letter. Two very different inboxes.

| When… | Most inboxes | Folio |
| --- | --- | --- |
| a message fails authentication | it still lands, with at most a warning attached | it's filed to Spam on arrival, before content is even scored |
| the forged domain publishes no DMARC policy | the silence buys the forgery the benefit of the doubt | silence doesn't help it — the message is still kept out |
| you want to know why it was flagged | read the raw headers behind “Show original” | it's written in plain English, next to each failed check |
| someone is forging your own domain | raw DMARC report XML in your inbox, if anything | charted per-domain on your Deliverability page |

Competitor behavior above is drawn from each provider's own published documentation — see Sources. Providers revise their filters quietly; these reflect the cited pages.

V · The honesty clause

We never pretend a forgeable address is proof.

Two different signals get conflated everywhere else, so we keep them apart on purpose. Authentication — SPF, DKIM, DMARC — cryptographically verifies that a message really is from the domain it claims. Reputation is only what we've seen of a domain's sending history. One answers “is it really them”; the other answers “should I care.”

So Folio will never show a green “trusted sender” badge off reputation alone — a forger can put a reputable name in the From line. Positive history appears only on mail that has already passed authentication, and it's worded as how recipients behave, not as a guarantee of identity. We tell you what we verified, and what we couldn't.

VI · If you own the domain

See who's forging your domains — and who's passing.

The same authentication Folio runs on the way in, it reads on the way out for your own domains. DMARC aggregate reports — usually opaque daily ZIPs — are diverted out of your inbox, parsed server-side, and charted on a Deliverability page: per-domain pass rates, daily trends, and the source IPs sending as you and failing.

Every domain you bind wires up its own report address automatically, and once a domain shows a clean window, Folio nudges you up the policy ladder from p=none toward p=quarantine and p=reject — so forged mail is actually held, not merely logged.
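What parsing an aggregate report into a per-domain pass rate and a list of failing source IPs can look like, as an added example that is not Folio's code. It assumes an un-namespaced report using the RFC 7489 element names; the function name, the sample report and its addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed report using the RFC 7489 aggregate-report element names.
# The domain and IPs are placeholders from documentation ranges.
REPORT = """<feedback>
  <policy_published><domain>your-shop.example</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>10</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Return the domain, its published policy, DMARC pass rate and failing source IPs."""
    # Reports come from third parties: refuse DTDs so entity tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in aggregate report")
    root = ET.fromstring(xml_text)
    total = passed = 0
    failing = Counter()
    for row in root.iter("row"):
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        total += count
        if "pass" in (dkim, spf):        # DMARC passes if either aligned check passes
            passed += count
        else:
            failing[row.findtext("source_ip")] += count
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "pass_rate": passed / total if total else None,
        "failing_ips": dict(failing),
    }

if __name__ == "__main__":
    print(summarize(REPORT))
```

Reports normally arrive compressed, so a real pipeline would also cap the decompressed size before parsing.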

VII · Plainly asked

Questions, answered.

I got an email from my own address — was I hacked?
Almost always, no. Anyone can write your address into the From line of a message; it proves nothing about access to your account. That is exactly the forgery Folio refuses to deliver: a message claiming to be from your domain that can't pass that domain's authentication is filed to Spam on arrival, with the failed checks spelled out.
Won't blocking unverified senders eat my real mail?
Folio only hard-files mail that actively fails authentication — no passing SPF and no passing DKIM, or a From-domain whose own DMARC policy says to reject failures. Authentication that is merely missing or temporarily unreachable fails open, so a misconfigured-but-honest sender isn't punished. Anything flagged is explained and recoverable from the Spam folder, never silently deleted.
Doesn't Gmail already do this?
Gmail leans on the sender's own published policy and shows a single category-level note; the per-check detail lives behind “Show original” in raw headers. Folio files unverifiable mail before it's ever scored on content, holds the line even when a forged domain publishes no policy at all, and writes the reason out in plain English next to each failed check.
What do SPF, DKIM, and DMARC actually mean?
SPF lists which servers may send for a domain. DKIM is a cryptographic signature proving a message wasn't altered and came from the domain it claims. DMARC ties the two to the visible From address and tells receivers what to do when they don't line up. Folio runs all three on every incoming letter and tells you, in a sentence each, what they found.
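The filing rule from the “Refuse” card and the “Won't blocking unverified senders eat my real mail?” answer, applied to an RFC 8601 Authentication-Results header, as an added example that is not Folio's code. The function names, the `dmarc_policy` parameter, the sample header and the handling of mixed results (one check failing while the other is missing) are assumptions.

```python
import re

# Sentences follow the wording of the message-details card on this page.
REASONS = {
    ("spf", "fail"): "The sending server is not on this domain's published list of approved senders.",
    ("dkim", "fail"): "The letter's cryptographic signature didn't verify.",
    ("dmarc", "none"): "The sending domain hasn't published an authentication policy.",
}
ACTIVE_FAIL = {"fail"}  # assumption: softfail/permerror handling is not stated on the page

def parse_auth_results(header):
    """Map each method to its result from an RFC 8601 Authentication-Results value."""
    header = re.sub(r"\([^)]*\)", "", header)      # comments may contain ';'
    results = {}
    for clause in header.split(";")[1:]:           # element 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*([a-z]+)", clause, re.I)
        if m:
            method, result = m.group(1).lower(), m.group(2).lower()
            if method not in results or result == "pass":  # any passing DKIM signature wins
                results[method] = result
    return results

def verdict(header, dmarc_policy=None):
    """Return (folder, reasons). dmarc_policy is the From-domain's published p= value."""
    r = {"spf": "none", "dkim": "none", "dmarc": "none"}  # absent method counts as none
    r.update(parse_auth_results(header))
    reasons = [REASONS[(m, res)] for m, res in r.items() if (m, res) in REASONS]
    if r["dmarc"] == "fail" and dmarc_policy == "reject":
        return "spam", reasons                     # the domain's own policy says reject
    checks = (r["spf"], r["dkim"])
    if "pass" in checks or "temperror" in checks:
        return "inbox", reasons                    # verified, or lookup unreachable: fail open
    if ACTIVE_FAIL & set(checks):
        return "spam", reasons                     # nothing passed and a check actively failed
    return "inbox", reasons                        # merely missing: fail open

# Constructed sample header matching the card on this page (hostnames are placeholders).
SAMPLE = ("mx.receiver.example; spf=fail (not authorized) smtp.mailfrom=your-bank.example; "
          "dkim=fail header.d=your-bank.example; dmarc=none header.from=your-bank.example")

if __name__ == "__main__":
    folder, reasons = verdict(SAMPLE)
    print(folder)
    for line in reasons:
        print(" -", line)
```

The DMARC branch runs first because an SPF pass for an unrelated envelope domain does not align with the visible From address.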

An inbox that proves itself.

One person running many businesses, every domain's mail verified on the way in and watched on the way out. Start free — no card.

Sources