Email Spoofing: What It Is, How It Works, and How to Stop It

Email spoofing is the act of forging a sender's address to trick recipients and deliver spam or phishing emails. A strong email security framework helps detect and block spoofed messages.


Email spoofing is the act of forging an email's sender information to make a message appear to come from a trusted source. That false identity can make a routine message look trustworthy enough to earn a reply, a click, or a payment before anyone questions it.

Understanding what email spoofing is matters because a convincing sender identity can be enough to trigger action before the message is examined more closely.

How Email Spoofing Works

Email spoofing works because SMTP was originally developed without a sender verification mechanism.

Every email has two layers of sender identity that operate independently. The first is the envelope sender, declared during the SMTP handshake through the MAIL FROM: command. This becomes the Return-Path: header after delivery and is typically invisible to the recipient. The second is the header From: field, which is what the recipient sees in their inbox. This field is a plain-text string inserted into the message data after the SMTP DATA command.

Here is the critical gap: nothing in SMTP enforces a relationship between these two identifiers. An attacker can declare one address in the envelope and write an entirely different address in the header. The recipient's email client displays only the header From: value, so the spoofed identity is all the human sees.

In practical terms, an attacker with access to any mail server or open relay can craft a message with an arbitrary From: field. Email headers and content are text lines sent over TCP, and the protocol trusts whatever values the sender provides.

This is why email spoofing remains one of the simplest attacks to execute and one of the hardest to fully eliminate. The vulnerability is baked into the protocol itself, and every defense built since then has been an aftermarket addition rather than a native fix.
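To make the two-identity gap concrete, here is an added Python example (not code from the original article) that models what a receiving MTA records from one constructed SMTP transaction and then pulls both sender identities out of the delivered message. The envelope address, message text and domains are constructed placeholders.

```python
"""Envelope sender vs. header From: in one constructed SMTP transaction."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed message DATA as an attacker-controlled client would send it.
# The From: line is just text inside DATA; nothing ties it to MAIL FROM.
MESSAGE_DATA = (
    b'From: "Finance Director" <ceo@targetcompany.example>\r\n'
    b"To: accounts@targetcompany.example\r\n"
    b"Subject: Urgent wire approval\r\n"
    b"\r\n"
    b"Please approve the attached transfer today.\r\n"
)
# Envelope sender declared in MAIL FROM: during the SMTP handshake (constructed).
ENVELOPE_SENDER = "bounce@attacker-relay.example"


def receive(envelope_sender: str, data: bytes) -> bytes:
    """Model what a receiving MTA does at delivery: record the envelope
    sender as a Return-Path: header in front of the message data."""
    return b"Return-Path: <" + envelope_sender.encode() + b">\r\n" + data


def domain_of(address: str) -> str:
    """Domain part of an addr-spec, lower-cased; empty if there is none."""
    return parseaddr(str(address))[1].rpartition("@")[2].lower()


def sender_identities(raw: bytes) -> dict:
    """Extract both sender identities from a delivered message and report
    whether the domain the user sees matches the domain that took delivery."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, header_addr = parseaddr(str(msg.get("From", "")))
    return_path = str(msg.get("Return-Path", ""))
    return {
        "display_name": display_name,        # all the recipient usually sees
        "header_from": header_addr,
        "header_domain": domain_of(header_addr),
        "envelope_from": parseaddr(return_path)[1],
        "envelope_domain": domain_of(return_path),
        "domains_match": domain_of(header_addr) == domain_of(return_path),
    }


if __name__ == "__main__":
    report = sender_identities(receive(ENVELOPE_SENDER, MESSAGE_DATA))
    for key, value in report.items():
        print(f"{key:16} {value}")
```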

Types of Email Spoofing Attacks

Email spoofing attacks take several forms because attackers can manipulate different parts of a message or rely on visual deception instead of technical forgery.

Here are seven distinct types, organized by the layer each one exploits.

Direct Domain Spoofing

The attacker forges the From: header to display the exact domain of the target organization, such as From: ceo@targetcompany.com. Without authentication protocols in place, the displayed sender is indistinguishable from genuine mail. DMARC with a p=reject policy is the primary defense, as it requires the header domain to align with authenticated envelope or signature domains.

Envelope-From Mismatch

The attacker sets one address in the SMTP MAIL FROM: envelope and a different, trusted address in the message header. Most email clients hide the envelope sender entirely, so recipients see only the spoofed header value. SPF checks the envelope domain but does not evaluate the visible header, which is why SPF alone cannot stop this technique.

Display Name Spoofing

The attacker sets the human-readable display name to match a trusted individual while using a completely different, legitimately registered sending address: From: "Jane Smith, CFO" <attacker@unrelateddomain.com>. Many email clients show only the display name and suppress the actual address. Because no header forgery occurs and the attacker's domain is real, SPF, DKIM, and DMARC all pass. This is one of the most common spoofing techniques in targeted attacks against organizations.

Lookalike Domain Spoofing

The attacker registers a domain that closely resembles the target's domain through subtle character changes: paypa1.com instead of paypal.com, or miicrosoft.com instead of microsoft.com. Valid authentication records are published for the attacker's domain. All protocol checks pass because the domain is real and properly configured. Detection depends on the recipient noticing the visual difference.

Homograph Domain Spoofing

A more sophisticated variant of lookalike spoofing, this technique registers a domain whose characters render identically to the legitimate one (for example, a letter from another Unicode script standing in for its Latin look-alike) while remaining a distinct domain in the email system. Like other lookalike approaches, it falls outside the protection provided by standard sender-authentication checks.

Reply-To Manipulation

The attacker sets a legitimate-looking From: address but points the Reply-To: field to an attacker-controlled address. If the recipient replies, their response goes directly to the attacker. This technique is commonly used in impersonation attacks where the goal is to start a conversation rather than deliver a malicious link.

DKIM Replay

An attacker who legitimately receives a properly DKIM-signed email can retransmit it to entirely different recipients. The cryptographic signature remains valid because the message content has not changed. Detection requires contextual analysis, such as identifying unexpected recipients or timing patterns, rather than protocol-level checks.

The critical takeaway across all seven types: authentication protocols address some of these techniques effectively, while display name spoofing, lookalike domains, homograph domains, and DKIM replay fall outside the scope of SPF, DKIM, and DMARC.
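As an added example (not part of the original article), the following Python check flags the header-level indicators for display name spoofing, lookalike domains, homograph domains, and Reply-To manipulation, the techniques above that authentication protocols do not see. The protected domain, the protected names, and the one-character edit-distance threshold are constructed assumptions for the example.

```python
"""Flag spoofing indicators that SPF, DKIM and DMARC cannot see."""
from email.utils import parseaddr

PROTECTED_DOMAIN = "targetcompany.example"   # assumed organisation domain
PROTECTED_NAMES = {"jane smith"}             # assumed frequently impersonated names


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address or header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def spoof_indicators(from_hdr: str, reply_to: str = "") -> list[str]:
    """Return the indicator names that apply to one From:/Reply-To: pair."""
    name, addr = parseaddr(from_hdr)
    domain = domain_of(addr)
    findings = []
    # Display name spoofing: a trusted name on an address outside the org.
    if any(p in name.lower() for p in PROTECTED_NAMES) and domain != PROTECTED_DOMAIN:
        findings.append("display-name-impersonation")
    # Lookalike domain: one character away from the protected domain.
    if domain != PROTECTED_DOMAIN and edit_distance(domain, PROTECTED_DOMAIN) <= 1:
        findings.append("lookalike-domain")
    # Homograph candidate: non-ASCII labels, or their punycode (xn--) form.
    # Legitimate IDN domains trigger this too, so treat it as "needs review".
    if not domain.isascii() or any(lbl.startswith("xn--") for lbl in domain.split(".")):
        findings.append("homograph-candidate")
    # Reply-To manipulation: replies would leave the domain shown in From:.
    if reply_to and domain_of(reply_to) != domain:
        findings.append("reply-to-mismatch")
    return findings


if __name__ == "__main__":
    # Constructed samples; the Cyrillic "\u0430" in the third one trips both
    # the lookalike and the homograph checks, which is the intended behaviour.
    for hdr in ['"Jane Smith, CFO" <attacker@unrelateddomain.example>',
                "billing@targetc0mpany.example",
                "it@t\u0430rgetcompany.example"]:
        print(hdr, "->", spoof_indicators(hdr))
```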

Email Spoofing in the Real World

Email spoofing causes documented financial harm and continues to appear as part of broader fraud campaigns.

According to the FBI IC3, phishing and spoofing generated 191,561 complaints in 2025. BEC schemes, which frequently rely on spoofing as an initial delivery mechanism, accounted for approximately $3.05 billion in reported losses that same year.

These attacks often arrive at a moment when a financial transaction is expected, target the person authorized to approve payments, and use a sender identity the recipient has no reason to question. The technical sophistication of the spoofing technique often matters less than the social engineering context surrounding it.

The scenarios the FBI describes often involve real estate transactions, insurance payments, vendor invoices, and executive wire approvals, because they combine large sums, time pressure, and established trust relationships.

Email Spoofing vs. Phishing vs. BEC

Email spoofing, phishing, and BEC describe different parts of an attack.

Email spoofing is a technique: forging sender identity in an email. It is one tool in a larger toolkit.

Phishing is an attack category: using social engineering to trick someone into revealing credentials, sending money, or taking a compromising action. Phishing often uses email spoofing as a delivery mechanism, and it can also work through legitimately registered lookalike domains, compromised accounts, or even text messages and phone calls. Some phishing attacks involve spoofing, and some do not.

Business email compromise is a campaign type: targeted financial fraud that exploits business processes like wire transfers, payroll changes, or invoice payments. BEC may use spoofing, and it frequently relies on actual account takeover instead. When an attacker sends from a genuinely compromised email account, no spoofing is involved, and the email passes every authentication check because it originates from the real account.

The practical distinction matters for defense planning. Investing exclusively in anti-spoofing protocols leaves an organization exposed to BEC attacks that use compromised accounts and phishing campaigns that use legitimately registered domains.

How to Prevent Email Spoofing

Preventing email spoofing requires a layered approach that combines domain-level authentication, organizational processes, and individual awareness.

Publishing SPF Records

Sender Policy Framework (SPF) allows a domain owner to specify which IP addresses are authorized to send email on their behalf. Receiving mail servers check the sending IP against the domain's published SPF record and flag or reject messages that fail. SPF is a necessary foundation, though it only validates the envelope sender, not the header From: field visible to recipients.

Enabling DKIM Signing

DomainKeys Identified Mail (DKIM) adds a cryptographic signature to outgoing messages. The receiving server verifies the signature against a public key published in DNS. If the content has been altered in transit, the signature fails. DKIM survives mail forwarding when message content remains intact, giving it an advantage over SPF in forwarding scenarios.

Enforcing DMARC at Reject

Domain-based Message Authentication, Reporting, and Conformance (DMARC) ties SPF and DKIM together by requiring that the authenticated domain align with the visible From: header domain. DMARC policies range from p=none (monitor only) to p=reject (block failing messages at the server). According to CISA guidance, setting DMARC to p=reject provides the strongest protection against spoofed email.
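Added example (not the article's own code, and a simplification of the RFC 7489 logic): this Python function evaluates a message the way a DMARC-aware receiver does, combining the SPF and DKIM results it already holds with the alignment modes and p= policy from a constructed DMARC record. It approximates the organizational domain as the last two labels instead of consulting the Public Suffix List, and ignores pct= and sp=.

```python
"""DMARC alignment and policy decision, simplified from RFC 7489."""

DISPOSITIONS = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict with RFC defaults filled in."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}   # relaxed alignment by default
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain: str) -> str:
    """Approximate organisational domain: last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str, record: str) -> tuple:
    """Return (dmarc_result, disposition).

    A message passes if SPF or DKIM both passed and aligns with the header
    From: domain; otherwise the record's p= tag decides what the receiver does."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", DISPOSITIONS.get(tags["p"], "deliver")


if __name__ == "__main__":
    # Envelope-from mismatch: SPF passes for the attacker's envelope domain,
    # but it does not align with the spoofed From: domain, so p=reject applies.
    print(dmarc_evaluate("targetcompany.example", "pass", "attacker-relay.example",
                         "none", "", "v=DMARC1; p=reject"))
    # Forwarded legitimate mail: SPF breaks, DKIM on a subdomain still aligns (relaxed).
    print(dmarc_evaluate("targetcompany.example", "fail", "forwarder.example",
                         "pass", "mail.targetcompany.example", "v=DMARC1; p=reject"))
```

Run the display name case through the same function (From: domain equal to the attacker's own authenticated domain) and it passes, which is exactly the gap the previous section describes.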

Considering ARC for Forwarding Scenarios

Authenticated Received Chain (ARC) preserves authentication results as messages pass through intermediate mail servers. When forwarding breaks SPF or modifies content enough to invalidate DKIM, ARC provides a chain of custody that receiving servers can evaluate. ARC is not a replacement for the core three protocols, though it addresses a documented gap in environments with heavy mail forwarding.

Building Human-Layer Awareness

Human awareness remains necessary because technical controls cannot catch every spoofing technique.

Display name spoofing and lookalike domains pass all protocol checks, so the final layer of defense is the person reading the email. Organizations can support this through security awareness training that teaches employees to verify unexpected payment requests through a second communication channel, inspect sender addresses carefully on mobile devices, and treat urgency as a warning signal rather than a reason to act faster.

How to Recognize Email Spoofing

Recognizing email spoofing usually comes down to checking for mismatched identity signals, suspicious urgency, and unexpected requests.

Here are a few indicators worth checking:

  • Mismatched Sender Details: The display name says one thing, but expanding the sender field reveals a different domain or an unexpected address. This is especially important to verify on mobile devices, which often hide the full address.

  • Unusual Urgency or Pressure: Spoofed emails frequently create artificial time pressure, such as a suspended account, a missed deadline, or an executive who needs an immediate wire transfer. Legitimate requests rarely penalize a brief verification pause.

  • Unexpected Payment Instructions: Any email that changes banking details, requests a new wire destination, or introduces a new payment method deserves independent confirmation through a known phone number or in-person conversation.

  • Subtle Domain Variations: A single transposed character, a numeral substituted for a letter, or an unfamiliar top-level domain can indicate a lookalike domain. A helpful habit is to hover over the sender address and read it character by character.

  • Generic Greetings and Formatting Errors: While increasingly sophisticated attackers produce polished messages, many spoofed emails still contain generic salutations, inconsistent formatting, or grammar that does not match the supposed sender's typical communication style.

When something feels off, verification through a separate channel before clicking, replying, or transferring funds can be the most effective response.

Staying Ahead of a Protocol-Level Vulnerability

Email spoofing persists because email was never designed to verify who sent a message. SPF, DKIM, and DMARC close important gaps, though they do not stop every form of deception. The strongest defense combines authentication, clear verification processes for sensitive requests, and people who know when to pause and double-check.
