title: "Is Your Domain Being Spoofed? How to Detect Email Impersonation Attacks"
slug: "is-your-domain-being-spoofed-detect-email-impersonation-attacks"
url: "/is-your-domain-being-spoofed-detect-email-impersonation-attacks"
date: "2026-04-23"
author: "Mike Walton"
keywords:
- "domain spoofing detection"
- "email impersonation attacks"
- "detect email spoofing"
- "DMARC spoofing protection"
- "business email compromise"
tags:
- "Email Security"
- "DMARC"
- "Email Spoofing"
- "Cybersecurity"
status: "draft"
Is Your Domain Being Spoofed? How to Detect Email Impersonation Attacks
By Mike Walton, Founder of CertMS
*With 20+ years managing IT infrastructure and email systems, I’ve helped organizations discover uncomfortable truths hiding in their DMARC reports. The most common reaction when they see evidence of spoofing? “We had no idea this was happening.”*
Someone is probably sending email as your domain right now. Not your marketing team. Not your sales reps. Someone you’ve never met, pretending to be you.
According to FBI IC3’s 2025 report, business email compromise losses hit $3.04 billion last year. That’s a 10% increase from 2024. And Proofpoint sees approximately 23 million messages per day from unauthorized senders potentially spoofing trusted domains.
Your domain could be contributing to those numbers without you knowing it. Here’s how to find out.
The Spoofing Problem You Probably Don’t Know You Have
Email spoofing happens when someone sends messages using your domain in the From address without your permission. The recipient sees an email that looks like it came from you. Their email client displays your company name. Your domain appears legitimate.
But the email came from an attacker’s server.
Domain spoofing occurs in 50% of BEC attempts, according to Hoxhunt’s research. Attackers create fake invoices, password reset requests, or urgent payment demands—all appearing to come from your organization.
The scary part? If you haven’t implemented DMARC enforcement, or if you’re still on a monitoring policy, these spoofed emails get delivered. Your customers receive them. Your partners trust them. And your brand takes the damage when the attack succeeds.
Why Traditional Security Misses Domain Spoofing
You might be thinking: “We have spam filters. We have email security. Wouldn’t we know?”
Not necessarily.
Traditional email security focuses on protecting your inbox—blocking malicious emails sent *to* your organization. Domain spoofing attacks target your *outbound* identity. Someone impersonates *you* to attack *others*.
Your spam filters never see these emails. They’re sent from the attacker’s infrastructure to your customers, partners, and vendors. The only way to detect them is through DMARC reports—and 57.9% of organizations with DMARC stay stuck at p=none, collecting reports they never read.
Meanwhile, 64% of businesses faced BEC attacks in 2024. The average loss per incident? $187,000.
How to Check If Your Domain Is Vulnerable
Before looking for active spoofing, check whether your domain *can* be spoofed. Several free tools make this straightforward.
Quick Vulnerability Assessment
KnowBe4’s Domain Spoof Test reviews your SPF, DKIM, and DMARC records to determine if attackers could successfully spoof your domain. It’s free and takes about 30 seconds.
CanIBeSpoofed runs 14 distinct checks to assess your exposure level. It identifies specific vulnerabilities in your email authentication configuration.
PowerDMARC’s domain checker provides a security rating based on your current authentication setup.
If any of these tools reports vulnerabilities, attackers can send email as your domain. That doesn’t mean they *are*—but it means they *can*, with zero technical barriers.
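The DMARC half of what those hosted checkers grade can be reproduced locally. The following is an added example (not the article's or any vendor's code) that inspects a DMARC TXT record string for the gaps that leave a domain spoofable; it assumes the record has already been fetched from DNS, and the sample records are constructed.

```python
# Added example: grades a DMARC TXT record offline, the way the hosted checkers do
# for the DMARC part of their assessment. Not the article's or any vendor's code.
# Records are passed in as strings; the samples below are constructed.

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict (RFC 7489 tag=value form)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return the gaps that leave a domain spoofable; an empty list means enforced."""
    if not txt:
        return ["no DMARC record published"]
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1, so receivers ignore it"]
    gaps = []
    p = tags.get("p", "")
    if p not in ("quarantine", "reject"):
        gaps.append(f"policy p={p or 'missing'} does not block failing mail")
    sp = tags.get("sp")  # subdomain policy; inherits p when absent
    if sp and p in ("quarantine", "reject") and sp not in ("quarantine", "reject"):
        gaps.append(f"subdomain policy sp={sp} is weaker than p={p}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        gaps.append(f"pct={pct}: only that share of failing mail has the policy applied")
    if "rua" not in tags:
        gaps.append("no rua= address, so you receive no aggregate reports")
    return gaps


SAMPLES = {  # constructed records for the demo
    "none":     "",
    "monitor":  "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com",
    "partial":  "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc-reports@yourdomain.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, assess_dmarc(record) or ["no gaps"])
```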
What Makes a Domain Spoofable?
Your domain is vulnerable if:
- You have no DMARC record published
- Your DMARC policy is p=none (monitoring only)
- Your SPF record is misconfigured or missing
- Your DKIM isn’t set up for all sending sources
- Your DMARC percentage (pct) is below 100
Any of these gaps creates an opening. Attackers actively scan for vulnerable domains—organizations with authentication gaps are soft targets.
Detecting Active Spoofing in Your DMARC Reports
If you’ve set up DMARC with reporting enabled, you’re already receiving evidence of spoofing attempts. The challenge is finding it.
Those XML files arriving daily from Gmail, Yahoo, and Microsoft contain records of every email sent using your domain—including unauthorized ones. As we covered in our guide to reading DMARC reports, these reports show exactly which IP addresses are claiming to send as you.
Red Flag #1: Unknown IP Addresses Sending High Volume
According to Red Sift’s spoofing detection guide, “High message counts from unknown IPs are red flags. If an IP you do not recognize sent 10,000 messages as your domain in a single day, that is either a misconfigured service or active spoofing.”
When you see volume from an IP you don’t recognize:
- Run a reverse DNS lookup on the IP address
- Check if it resolves to a known email service (SendGrid, Mailchimp, Amazon SES)
- If yes, someone in your organization might be using that service without IT knowledge
- If no—or if it resolves to a generic hosting provider—you’re likely seeing spoofing
Unknown IPs that consistently fail both SPF and DKIM authentication are almost always spoofing attempts.
Red Flag #2: Authentication Failures from Unrecognized Sources
Your DMARC aggregate reports include authentication results for every email batch. The critical section looks like this:
```xml
<policy_evaluated>
  <disposition>none</disposition>
  <dkim>fail</dkim>
  <spf>fail</spf>
</policy_evaluated>
```
When both DKIM and SPF fail, the sender couldn’t authenticate as your domain. If the source IP is unknown, that’s spoofing.
As DMARC Report explains: “Unknown IPs that consistently fail authentication are often signs of spoofing attempts.”
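Pulling Red Flags #1 and #2 out of an aggregate report mechanically, as an added example that is not the article's or MonitorDMARC's code: it parses a constructed RUA report in the RFC 7489 layout, flags source IPs that are not on your known-sender list and fail both SPF and DKIM, and orders the result by volume. The known-sender list and the 1,000-message threshold are assumptions for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (not a real report).
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.77</source_ip><count>10450</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

KNOWN_SENDERS = {"192.0.2.10"}  # assumption: IPs of services IT has authorised
HIGH_VOLUME = 1000              # assumption: per-report count worth escalating


def triage(report_xml, known_senders=KNOWN_SENDERS, high_volume=HIGH_VOLUME):
    """Classify each <row> of an aggregate report; highest volume first."""
    root = ET.fromstring(report_xml)
    findings = []
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        pol = row.find("policy_evaluated")
        dkim, spf = pol.findtext("dkim"), pol.findtext("spf")
        both_fail = dkim == "fail" and spf == "fail"
        if ip in known_senders:
            # Red Flag #2 on a known source means a sender whose SPF/DKIM needs fixing
            status = "known sender, fix authentication" if both_fail else "known sender, ok"
        elif both_fail and count >= high_volume:
            status = "LIKELY SPOOFING: unknown IP, high volume, SPF and DKIM fail"
        elif both_fail:
            status = "suspicious: unknown IP, SPF and DKIM fail"
        else:
            # Passing auth from an unlisted IP usually means a vendor IT was not told about
            status = "unknown IP but authenticated: check for an unlisted vendor"
        findings.append({"ip": ip, "count": count, "dkim": dkim, "spf": spf,
                         "disposition": pol.findtext("disposition"), "status": status})
    findings.sort(key=lambda f: f["count"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f['ip']:>16} {f['count']:>7}  dkim={f['dkim']} spf={f['spf']}  {f['status']}")
```

Real reports arrive gzipped or zipped inside the mail; unpack them first and feed each XML file to triage().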
Red Flag #3: Geographic Anomalies
Traffic from countries or networks completely unrelated to your operations is suspicious. If your company operates exclusively in the United States but your DMARC reports show thousands of emails originating from servers in regions where you have no presence, investigate.
Spoofing operations often use infrastructure in jurisdictions with limited cybercrime enforcement.
Red Flag #4: Off-Hours Volume Spikes
Red Sift notes that “spikes when your team doesn’t send (e.g., 2–5 AM local) are classic spoofing signatures.”
Your legitimate email has patterns. Marketing campaigns go out during business hours. Transactional emails correlate with user activity. Spoofing campaigns don’t follow these patterns—they run whenever the attacker launches them.
Investigating Unknown Senders
You’ve spotted suspicious activity. Now what?
Step 1: Identify the Source
For any unknown IP in your reports, start with reverse DNS:
```shell
dig -x 192.0.2.1
```
If it resolves to something like mail-yw1-f41.google.com, that’s Google’s infrastructure—likely a legitimate but misconfigured sender. If it resolves to a generic cloud provider or has no reverse DNS at all, proceed to step 2.
Step 2: Check IP Ownership
Use WHOIS to identify who owns the IP range. MXToolbox provides easy lookups. Major cloud providers and email services have recognizable allocations.
Step 3: Cross-Reference Your Vendor List
AutoSPF’s research found that many authentication failures come from “organizations adopting new email services, switching hosting providers, or starting using third-party tools without updating their SPF records.”
Before assuming the worst, check with your teams:
That “suspicious” sender might just be a tool someone adopted without telling IT.
Step 4: Assess the Threat
If investigation reveals:
You’re looking at active spoofing. Someone is sending email as your domain to attack others.
Real-World Spoofing: What It Looks Like in Practice
Understanding the threat helps contextualize what you might find in your reports.
The $100 Million Google and Facebook Attack
Between 2013 and 2015, a Lithuanian attacker spoofed the domain of a legitimate vendor that both tech giants used. By sending fraudulent invoices from the impersonated domain, he stole over $100 million before getting caught.
The attack succeeded because finance teams trusted emails that appeared to come from a known vendor. Proper DMARC enforcement at the vendor’s domain could have prevented the spoofed messages from ever reaching their targets.
Vendor Impersonation at Scale
Vendor impersonation increased 41% year-over-year according to Threatcop’s research. Attackers identify business relationships—suppliers, partners, service providers—then spoof those domains to request payment changes or send fraudulent invoices.
Your domain could be used to attack your own customers. Or a vendor’s spoofed domain could be used to attack you. Either way, DMARC enforcement breaks the chain.
The AI-Powered Escalation
The threat is getting worse. 82.6% of phishing emails now contain AI-generated content, making spoofed messages more convincing than ever. Grammatical errors and awkward phrasing—the traditional tells of fraudulent email—are disappearing.
By mid-2024, an estimated 40% of BEC phishing emails were AI-generated. In 2026, the percentage is certainly higher. If attackers can convincingly spoof your domain *and* craft believable content, your recipients have almost no chance of detecting the fraud manually.
What Spoofing Costs Your Organization
Even if attackers aren’t directly stealing from you, spoofing damages your business.
Brand Reputation
When your customers receive phishing emails “from” you, they lose trust—even if they don’t fall for the scam. They’ll hesitate before opening legitimate emails. They’ll question whether your communications are real. Some will complain publicly.
Deliverability
Major email providers track domain reputation. If your domain sends spoofed emails that recipients mark as spam (even though you didn’t send them), your legitimate email deliverability suffers. Organizations at p=reject see 85-95% inbox placement rates because they’ve proven their domain isn’t compromised.
Compliance Liability
If you process payments, PCI DSS 4.0 mandated DMARC implementation by March 2025. Non-compliance can trigger penalties up to $100,000 per month. And if spoofed emails from your domain contribute to a customer’s financial loss, you could face regulatory scrutiny.
Customer Relationships
When attacks succeed, victims often blame the impersonated organization—not the attacker. “Why didn’t you protect your email domain?” isn’t an unreasonable question from a customer who lost money to a fake invoice that appeared to come from you.
The Detection-to-Protection Pipeline
Finding spoofing is step one. Stopping it is the goal.
Stage 1: Gain Visibility
You can’t protect what you can’t see. If you’re not receiving DMARC reports, you have zero visibility into who’s sending email as your domain.
Set up a basic DMARC record with reporting:
```
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
```
This tells email providers to send you aggregate reports. You’ll start seeing data within 24-48 hours.
The problem? Those reports arrive as compressed XML files. A busy domain might receive dozens daily. Manually parsing them is tedious at best, impossible at scale.
Stage 2: Analyze Systematically
This is where tools like MonitorDMARC become essential. The platform accepts your RUA reports, parses the XML automatically, and presents data in dashboards organized by sending source, authentication status, and volume trends.
Instead of reading XML, you see:
Anomalies that would hide in raw data become obvious when visualized properly.
Stage 3: Remediate Issues
Your reports will reveal two categories of problems:
Legitimate senders failing authentication: These need configuration fixes. Update your SPF record to include missing services. Configure DKIM signing for third-party vendors. Ensure alignment so your From address matches your authenticated domains.
Illegitimate senders (spoofing): These require policy enforcement. You can’t stop attackers from trying to spoof your domain. But you can tell receiving servers to block their attempts.
Stage 4: Enforce
Our guide to DMARC enforcement covers the journey from p=none to p=reject in detail. The short version:
At p=reject, emails that fail DMARC don’t get delivered. Spoofing attempts get blocked at the receiving server—before they reach anyone’s inbox.
Stage 5: Monitor Continuously
Enforcement isn’t the end. Attackers adapt. Your email infrastructure changes. New services get added. Keys expire.
MonitorDMARC provides ongoing visibility:
Without continuous monitoring, you might not notice a problem until deliverability drops or customers complain.
Action Items: What to Do This Week
Stop wondering whether your domain is being spoofed. Find out.
Today:
This Week:
This Month:
Stop Flying Blind
Your DMARC reports already contain the evidence you need. Every unauthorized sender is documented. Every spoofing attempt is recorded. The data has been sitting in your inbox, waiting to be read.
The organizations that get breached aren’t the ones who lacked the data—they’re the ones who never looked at it.
MonitorDMARC transforms those unreadable XML files into clear dashboards that show exactly who’s sending email as your domain. Start your free 14-day trial (no credit card required) and see what’s really happening.
Because right now, someone might be sending email as you. The only question is whether you’ll find out from your DMARC reports—or from an angry customer who fell for the scam.
*Mike Walton is the founder of CertMS, a certificate management platform. He has 20+ years of experience in IT infrastructure and PKI management.*