Field note · 5 min read
Email spoofing, explained: how it works and what actually stops it
Email spoofing forges the From address so a message appears to come from someone it didn’t. How it works, what it’s used for, how to spot it, and how authentication stops it on both the receiving and sending side.
One-paragraph answer. Email spoofing is forging the From address of a message so it appears to come from someone it didn’t. It works because the email protocol, designed in an era of mutual trust, never required the From line to be truthful — anyone can type any address there. Spoofing powers phishing, sextortion, and CEO-fraud scams, and it’s stopped by authentication: SPF, DKIM, and DMARC on the sending side to protect your domain, and an inbox that enforces them on the receiving side to protect what you read. Here’s the whole picture.
What email spoofing is
Spoofing is forgery of identity, not theft of access. A spoofer doesn’t need to break into an account; they simply write a false address into the From field, the same way anyone can write someone else’s name as the return address on a paper envelope. The message is genuinely sent — just under a borrowed name. That distinction matters: a spoofed message from “your” address doesn’t mean you were hacked, and securing your password does nothing to stop the next one.
How spoofing works (and why it’s so easy)
When a message arrives, the receiving server sees two separate “from” values: the envelope sender (the address given in the SMTP MAIL FROM command, used for routing and bounces and usually recorded in the Return-Path header), and the header From you actually see in your inbox. The original standard required neither to be true, so a sender can set both to anything. There’s no built-in step that asks “is this really you?”, which is why three add-on checks were invented to answer exactly that question:
- SPF — is the sending server on the domain’s authorized list?
- DKIM — does the message carry an unbroken cryptographic signature from the domain it claims?
- DMARC — do those align with the visible From address, and what should happen if they don’t?
A spoofed message fails DMARC for the domain it’s pretending to be. It may well pass SPF and DKIM for some domain the attacker actually controls, but neither passing identifier aligns with the forged From domain, and that misalignment is exactly what DMARC checks. Whether you ever see it depends entirely on whether the receiving inbox enforces the result (a domain that publishes p=none asks for no action at all), explained in detail in what SPF, DKIM, and DMARC fail mean on mail you receive.
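The alignment step described above, written out as an added example (this is not code from the article or from Folio). It takes the SPF and DKIM results a receiver already has, looks up the From domain's DMARC policy, and returns a verdict plus the disposition the domain owner asked for. Two things are assumptions for the sake of running offline: DMARC_RECORDS stands in for the _dmarc.<domain> TXT lookups a real receiver makes in DNS, and org_domain() uses a two-label rule where a real implementation consults the Public Suffix List. All domains are fictional.

```python
# Added example, not from the article: how a receiver turns SPF, DKIM and
# DMARC results into a verdict for the visible From domain.
# Assumptions: DMARC_RECORDS stands in for the _dmarc.<domain> TXT lookups a
# real receiver makes in DNS, and org_domain() uses a two-label rule where a
# real implementation consults the Public Suffix List.
from dataclasses import dataclass

# Constructed DMARC policies for two fictional domains (assumed data).
DMARC_RECORDS = {
    "bank.example": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@bank.example",
    "shop.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop.example",
}


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real evaluators use the Public Suffix List so that e.g. co.uk is not an org domain."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') requires an exact match,
    relaxed ('r', the default) accepts any name under the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, pre-filled with DMARC defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class AuthResults:
    header_from: str   # domain of the RFC 5322 From header the user sees
    spf: str           # SPF result: pass / fail / softfail / none / temperror / permerror
    spf_domain: str    # envelope sender (MAIL FROM) domain SPF was evaluated against
    dkim: str          # DKIM result for the signature that was checked
    dkim_domain: str   # d= tag of that signature, '' if the message was unsigned


def evaluate_dmarc(r: AuthResults) -> tuple:
    """Return (dmarc_result, disposition) for the visible From domain.

    DMARC passes when at least one of SPF or DKIM passed AND the domain that
    passed aligns with the header From. A spoof that passes SPF/DKIM for the
    attacker's own domain therefore still fails. 'none' means the From domain
    publishes no policy, so the receiver has nothing to enforce.
    """
    from_dom = r.header_from.lower().rstrip(".")
    record = DMARC_RECORDS.get(from_dom) or DMARC_RECORDS.get(org_domain(from_dom))
    if record is None:
        return ("none", "deliver")
    tags = parse_dmarc(record)
    spf_ok = r.spf == "pass" and aligned(r.spf_domain, from_dom, tags["aspf"])
    dkim_ok = r.dkim == "pass" and aligned(r.dkim_domain, from_dom, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    # The published p= tag is the domain owner's request; p=none asks for
    # nothing, which is why a fail-open receiver still delivers the forgery.
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(tags["p"], "deliver")
    return ("fail", disposition)


if __name__ == "__main__":
    legit = AuthResults("bank.example", "pass", "bounce.bank.example", "pass", "bank.example")
    spoof = AuthResults("bank.example", "pass", "attacker.example", "pass", "attacker.example")
    print(evaluate_dmarc(legit))   # ('pass', 'deliver')
    print(evaluate_dmarc(spoof))   # ('fail', 'reject')
```

The second case is the one that matters: the attacker's server passes SPF and carries a valid DKIM signature, but for attacker.example, not for bank.example, so the message fails DMARC and bank.example's p=reject policy applies. Run the same spoof against shop.example and it fails DMARC just the same, yet the disposition is "deliver", because p=none asks the receiver to do nothing.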
What spoofing is used for
- Phishing. A message that looks like it’s from your bank, employer, or a service you use, steering you to a fake login page.
- Sextortion and self-spoofing. Mail forged to come from your own address to make a blackmail bluff feel credible — alarming and almost always empty.
- Business email compromise (CEO fraud). A forged note from an executive asking finance to wire money or buy gift cards, exploiting authority and urgency.
- Brand impersonation. Forging a company’s domain to defraud its customers — which is why protecting your own domain is a duty to the people who trust it.
How to spot a spoofed email
- Check the authentication results. Open the raw headers (in Gmail, “Show original”) and look for dmarc=fail in the Authentication-Results header, which the receiving server adds on arrival. On a careful sender’s domain, that’s a near-certain forgery.
- Hover before you click. A display name or From address can lie; the real destination of a link often gives it away.
- Watch for a mismatched Reply-To. Spoofers frequently set the reply address to something unrelated to the From.
- Distrust urgency. Pressure to act now — pay, log in, confirm — is the oldest tell in the book.
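The four checks above, applied to raw headers by a small triage script. This is an added example, not code from the article or from Folio. RAW_MESSAGE is constructed for the example: every domain in it is fictional, and its Authentication-Results header stands for what the receiving server (here mx.example.net) would have stamped on the message. The link check does in code what hovering does by eye, comparing the host a link displays with the host its href actually points to.

```python
# Added example, not from the article: a header triage pass that applies
# the four checks above. RAW_MESSAGE is constructed for this example; all
# domains in it are fictional and the Authentication-Results header is what
# a receiving server (here mx.example.net) would have added on arrival.
import re
from email import message_from_string, policy
from email.utils import parseaddr

RAW_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bulk.attacker.example;
 dkim=pass header.d=attacker.example;
 dmarc=fail (p=REJECT) header.from=bank.example
From: "Bank Security" <alerts@bank.example>
Reply-To: verify-now@attacker.example
To: you@example.net
Subject: URGENT: confirm your account within 24 hours
Content-Type: text/html

<p>Your account is locked. <a href="http://bank.example.attacker.example/login">https://bank.example/login</a></p>
"""

URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended|locked)\b", re.I)


def domain_of(header_value) -> str:
    """Lowercased domain of a mailbox header such as From or Reply-To ('' if absent)."""
    _, addr = parseaddr(str(header_value) if header_value is not None else "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url_or_text: str) -> str:
    """Host part of a URL, or of the URL-looking text a link displays."""
    return re.sub(r"^https?://", "", url_or_text.strip(), flags=re.I).split("/")[0].lower()


def triage(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    findings = {}

    # 1. Authentication results: the receiving server's own verdict, stamped
    #    on the message before it reached the mailbox.
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    m = re.search(r"\bdmarc=(\w+)", auth, re.I)
    findings["dmarc"] = m.group(1).lower() if m else "missing"

    # 2. Reply-To steering replies to a domain other than the visible From.
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    findings["reply_to_mismatch"] = bool(reply_dom) and reply_dom != from_dom

    # 3. Links whose displayed text names one host while the href goes elsewhere.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    deceptive = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = host_of(text)
        if shown and shown != host_of(href):
            deceptive.append((shown, host_of(href)))
    findings["deceptive_links"] = deceptive

    # 4. Pressure to act now, read off the subject line.
    findings["urgent"] = bool(URGENCY.search(str(msg.get("Subject", ""))))

    # A DMARC fail or a lying link is decisive; the other two are supporting signals.
    findings["verdict"] = "likely spoof" if findings["dmarc"] == "fail" or deceptive else "inspect"
    return findings


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Note what the Authentication-Results line in the sample says: spf=pass and dkim=pass, both for attacker.example. Only the dmarc=fail line, with header.from=bank.example, reveals that neither pass is for the domain the user sees. That is why the script keys its verdict on the DMARC result rather than on SPF or DKIM alone.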
What stops spoofing: the receiving side
Doing that analysis by hand on every message isn’t realistic, and most inboxes won’t do it for you: they fail open, delivering unauthenticated mail with at most a warning. Folio takes the opposite stance: it runs SPF, DKIM, and DMARC on every incoming message and files mail that fails authentication straight to Spam on arrival, before content scoring, then explains in plain English which check failed. Forgeries simply don’t reach the inbox, while honest senders whose authentication is merely missing (no SPF or DKIM published) or temporarily unreachable (a DNS error at check time) still get through. If you’re troubleshooting spam that looks like it’s from you specifically, see how to stop spam from your own address.
What stops spoofing: protecting your own domain
The receiving side protects what you read; the sending side protects your name in everyone else’s inbox. If you own a domain, publish SPF and DKIM and set a DMARC policy so other inboxes reject forgeries of your address. Check where your domain stands with a free domain health check, build a correct record with the SPF record generator, and move DMARC up the ladder from p=none, through p=quarantine, to p=reject once the aggregate reports from a clean monitoring window show that all your legitimate mail (including anything sent on your behalf by third-party services) passes.
Frequently asked
What is email spoofing?
Email spoofing is forging the From address of a message so it appears to come from someone it didn’t. It’s forgery of identity, not theft of access — the spoofer never touches the real account, they just write a false address into a field that the email protocol never required to be truthful. It’s the mechanism behind most phishing and impersonation scams.
How does email spoofing work?
A sending server can set both the envelope sender and the visible From header to any value, because the original email standard didn’t require them to be true. Three later checks, SPF, DKIM, and DMARC, exist to verify the real sender. A spoofed message may pass SPF and DKIM for a domain the attacker controls, but those results don’t align with the domain it imitates, so it fails DMARC for that domain. Whether you see the message depends on whether your inbox enforces those results.
Is email spoofing the same as hacking?
No. Hacking means someone gained access to an account; spoofing means someone forged a From address without any access at all. A spoofed message from your own address is not evidence of a breach. You can confirm by checking sign-in activity and your Sent folder — a forgery leaves no trace inside your account.
How can I tell if an email is spoofed?
Check the authentication results in the raw headers for a DMARC fail, which is a strong sign of forgery on a careful sender’s domain. Hover over links before clicking, watch for a Reply-To that doesn’t match the From, and distrust urgent demands for money or credentials. An inbox that enforces authentication makes this judgment for you and files forgeries to spam.
How do I stop email spoofing?
On the receiving side, use an inbox that enforces SPF, DKIM, and DMARC and refuses to deliver mail that fails them. On the sending side, for a domain you own, publish SPF and DKIM and tighten DMARC to p=reject so other inboxes refuse forgeries of your address. The two together protect both what you read and your name in everyone else’s inbox.