The Email That Looks Like It Came From You

A client called me one morning sounding more confused than panicked, which is usually worse. One of her best customers had just rung her up to ask why she had emailed him new banking details for an outstanding invoice. She had not. There was no breach, no stolen laptop, no one logged into her account. And yet there it was in his inbox: her company name, her usual sign-off, a polite note about updated wire instructions. The customer almost paid it. He called first only because the amount was large and the timing felt slightly off.

This is spoofing, and it is one of the most misunderstood risks a small business faces. Nobody got into her account. Someone simply sent email that looked like it came from her domain. I want to explain the difference, because it changes what you can actually do about it, and then I want to show you the part that has quietly become a revenue problem too.

Spoofing your domain is not the same as hacking your account

When your account is compromised, an attacker has your password and is logged in as you, sending real mail from your real mailbox. That is a serious incident, and the fix is built on strong passwords and multi-factor authentication. We have written about both of those, and they matter.

Spoofing is different and, in a way, sneakier. Email was designed in a more trusting era, and by default anyone on the internet can stamp your domain in the “From” line of a message they send. They never touch your systems. They do not need your password. They just write your name on an envelope and drop it in the mail. To your customer, your supplier, or your own staff, it looks like you. And here is the part that catches people: if you have not set up email authentication, you have no way to stop it, and no way to even know it is happening.

The three records that prove an email is really from you

The good news is that the fix is a standard, and it has been for years. It comes in three parts that work together. They sound technical, but the idea behind each one is simple.

  • SPF publishes a list of the servers allowed to send email for your domain, so a receiving mail server can check whether a message came from one of them.
  • DKIM adds a tamper-evident digital signature to your outgoing mail, so the receiver can confirm the message was signed with a key published under your domain and was not altered in transit.
  • DMARC ties the two together and tells receiving servers what to do when a message fails those checks, and it sends you reports so you can see who is sending mail in your name.

That last point is the one people miss. DMARC is not only a lock. It is also a window. Once it is reporting, you finally get to see every source sending email under your domain, the legitimate ones you forgot about and the imposters you never knew existed. For most owners I work with, that visibility is the first time they have ever actually known.

It is now a deliverability problem, not just a security one

Here is the change that turned this from a “should do” into a “must do.” Starting in 2024, Google and Yahoo began requiring bulk senders to authenticate their mail with SPF, DKIM, and DMARC, or risk having it filtered or rejected. The threshold was aimed at high-volume senders, but the practical effect has rippled outward. Mail providers across the board now treat authentication as a basic signal of whether you are trustworthy.

So this is no longer only about stopping criminals from impersonating you. It is about whether your own invoices, quotes, and customer emails reach an inbox at all. Get authentication wrong and your legitimate mail starts landing in spam, or vanishing entirely, and you find out weeks later when a client says they never got the proposal. Get it right and you protect both your brand and your ability to actually reach the people you do business with. That is security earning its keep.

Do not jump straight to reject

This is where I have to slow people down, because the temptation is real. DMARC has a policy setting that tells the world what to do with mail that fails the checks. There are three levels, and you move through them in order.

You start at p=none, which blocks nothing and simply collects reports. Then you move to p=quarantine, which sends failing mail to the spam folder. Finally you reach p=reject, which tells receiving servers to refuse failing mail outright. Reject is the goal. It is the setting that stops someone from sending mail that uses your exact domain, which is the most convincing version of the scam.

But please do not start there. If you switch on reject before you understand who sends mail for you, you will block your own legitimate email. Your accounting software, your appointment reminders, your newsletter tool, your CRM, the third party that emails customers on your behalf, all of them send mail using your domain, and any one of them that is not properly authenticated will get rejected the moment you flip that switch. I have seen a business turn on reject in a burst of enthusiasm and silence its own invoice reminders for a week.

The right order is calm and boring. Start at none. Read the reports for a few weeks. Find and fix every legitimate sender until they all pass. Move to quarantine and watch again. Only then tighten to reject, once the reports show nothing real is failing. It takes patience, not heroics.
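To make the "read the reports before you tighten" step concrete, here is an added example (my own Python, standard library only, not the article's DMARC tool). It summarises a constructed aggregate report in the RFC 7489 XML format, counts passing and failing mail per source address, and refuses to recommend the next policy step while any sender you have declared as your own is still failing. The sample report, the IP addresses, and the set of known senders are all constructed.

```python
# Added example, not the article's DMARC tool: summarise a DMARC aggregate (rua)
# report and say whether the policy is safe to tighten. Standard library only.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report in the RFC 7489 aggregate format; the IPs are
# documentation ranges, not real senders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>4</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarise(report_xml):
    """Return the published policy plus pass/fail message counts per source IP."""
    root = ET.fromstring(report_xml)
    per_ip = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        per_ip[ip]["pass" if "pass" in (dkim, spf) else "fail"] += count
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "per_ip": dict(per_ip)}

def tighten_advice(summary, known_senders):
    """known_senders: IPs of services you know send for you (CRM, invoicing, ...).
    Returns ("hold" or the next policy step, {ip: failing message count})."""
    failing = {ip: c["fail"] for ip, c in summary["per_ip"].items() if c["fail"]}
    own_failing = {ip: n for ip, n in failing.items() if ip in known_senders}
    if own_failing:
        # Tightening now would block your own mail; fix these senders first.
        return "hold", own_failing
    # Only unknown sources fail: those are the imposters the policy should stop.
    next_step = {"none": "quarantine", "quarantine": "reject"}
    return next_step.get(summary["policy"], "reject"), failing

if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(tighten_advice(s, {"192.0.2.10", "198.51.100.7"}))  # hold: own CRM failing
    print(tighten_advice(s, {"192.0.2.10"}))                  # quarantine: only strangers fail
```

Real reports also carry a disposition and the authenticated domains per record; this example reads only the fields needed for the tighten-or-hold decision.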

Where this gets fiddly, and what to do about it

I will be honest with you: the concepts here are simple, but the details are fussy. SPF records have a limit on how many lookups they can contain, and it is easy to quietly exceed it. DMARC reports arrive as dense XML files that are genuinely unpleasant to read by hand. DKIM keys need to be published correctly on every sending service. None of this is hard once you have done it, but the first time through is where mistakes happen, and a mistake means your own mail stops flowing.
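As an added example of the SPF lookup problem (my own Python, not the SPF builder the article refers to), the snippet below counts the DNS lookups an SPF record triggers, following include: and redirect= into the records they reference, against a constructed in-memory zone rather than live DNS. The limit of ten lookups per evaluation comes from RFC 7208; the domain names and records are made up, and an include that is reached twice is counted twice because receivers evaluate it twice.

```python
# Added example, not the article's SPF builder: count the DNS lookups an SPF
# record causes, following include:/redirect= recursively against an in-memory
# zone instead of live DNS. RFC 7208 limits this to 10 per evaluation.
LOOKUP_LIMIT = 10
# Terms that cost a DNS lookup; include and redirect also pull in another record.
COSTS_LOOKUP = {"include", "redirect", "a", "mx", "ptr", "exists"}

# Constructed TXT records; hostnames are illustrative, not any real vendor's.
ZONE = {
    "example.com": "v=spf1 mx a include:_spf.mailhost.example include:crm.example -all",
    "_spf.mailhost.example": "v=spf1 include:_nb1.mailhost.example include:_nb2.mailhost.example ~all",
    "_nb1.mailhost.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_nb2.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "crm.example": "v=spf1 a mx exists:%{i}.crm.example include:_spf.mailhost.example -all",
}

def count_lookups(domain, zone, stack=()):
    """Total DNS lookups evaluating this domain's SPF record would trigger.
    An include reached twice is counted twice, as receivers evaluate it twice."""
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        bare = term.lstrip("+-~?")                  # drop the qualifier
        name = bare.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name not in COSTS_LOOKUP:
            continue                                # ip4:/ip6:/all cost nothing
        total += 1
        if name in ("include", "redirect"):
            target = bare[len(name) + 1:]
            if target not in stack:                 # guard against include loops
                total += count_lookups(target, zone, stack + (domain,))
    return total

def check_spf(domain, zone):
    """Return (lookups, within_limit) so a record can be fixed before it breaks."""
    n = count_lookups(domain, zone)
    return n, n <= LOOKUP_LIMIT

if __name__ == "__main__":
    for d in ("example.com", "crm.example"):
        print(d, check_spf(d, ZONE))   # example.com exceeds the limit via crm.example
```

In the constructed zone, example.com itself lists only four lookup terms, but the CRM's include drags the mail host's records in a second time and pushes the total to twelve, which is exactly the quiet overrun the paragraph above describes.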

That is exactly why we built tools to take the sharp edges off. You can check what your domain looks like to an attacker right now with our free email exposure scan, generate a clean SPF record with the SPF builder, and stand up and read your policy with the DMARC tools. They turn the XML into plain English and tell you what is safe to tighten and what is not.

You do not have to become an email engineer to stop people from impersonating your business. You need three records, a little patience, and the discipline to read the reports before you lock the door. Set it up properly and an email that uses your exact domain to ask your customer for new wire details gets refused before it ever lands. It will not stop a look-alike domain or a hacked mailbox, but it shuts the easiest and most convincing door, and it keeps your real mail flowing. Now go check what the rest of the internet can already send in your name.
