How Do I Stop My Domain Being Spoofed?

Quick Answer

Implement SPF, DKIM, and DMARC on your domain. These email authentication standards prove which emails genuinely come from you—and tell receiving servers to reject fakes.

Why Your Domain Gets Spoofed

Email was designed in a more trusting era. By default, anyone can send email claiming to be from any address. There's no built-in verification.

Attackers exploit this to:

  • Send phishing emails "from" your domain to your customers
  • Commit invoice fraud using your identity
  • Damage your reputation
  • Bypass trust-based security

Without email authentication, you have no control over who uses your domain.

The Three Standards

SPF (Sender Policy Framework)

What it does: Lists which mail servers are authorised to send email for your domain.

How it works: You publish a DNS TXT record listing your legitimate sending servers. Receiving servers check the IP address that delivered the message against this list.

Example: `v=spf1 include:spf.protection.outlook.com -all`

This says "Only Microsoft 365 can send mail for us. Reject everything else."

DKIM (DomainKeys Identified Mail)

What it does: Adds a digital signature to your emails proving they're genuine.

How it works: Your mail server signs outgoing emails with a private key. Receiving servers verify using your public key published in DNS.

Why it matters: Unlike SPF, DKIM survives email forwarding, because the signature travels with the message (as long as the forwarder doesn't modify the signed headers or body).

DMARC (Domain-based Message Authentication, Reporting & Conformance)

What it does: Tells receiving servers what to do when a message fails both SPF and DKIM (checked against the domain in the From header), and sends you reports on what they saw.

How it works: You publish a policy:

  • `p=none` - Monitor only (don't take action)
  • `p=quarantine` - Send failures to spam
  • `p=reject` - Block failures completely

The goal: Get to `p=reject` so fake emails are blocked.
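To make the policy decision concrete, here is an added example (not from the original page) of how a receiving server turns the SPF result, the DKIM result and the published `p=` policy into a DMARC result and disposition, including the alignment rule the bullets above leave implicit. It assumes SPF and DKIM have already been evaluated; `org_domain` is a simplified stand-in for the Public Suffix List lookup real receivers use.

```python
POLICIES = ("none", "quarantine", "reject")

def org_domain(domain):
    """Organisational domain. Simplified to the last two labels; real receivers use
    the Public Suffix List (a co.uk domain would need three labels, for instance)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(record):
    """Parse a _dmarc TXT record into a tag dict; None if it is not a usable DMARC1 policy."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags if tags.get("v") == "DMARC1" and tags.get("p") in POLICIES else None

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """One message -> (dmarc_result, disposition).
    spf_domain is the MAIL FROM (Return-Path) domain SPF was checked against; dkim_domain
    is the d= of a verified signature ("" if none). pct= sampling is not modelled."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none", "none"  # no usable policy: the receiver takes no DMARC action
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"  # one aligned pass is enough; this is why forwarding survives via DKIM
    # A From: subdomain uses sp= when the record has one, otherwise the domain's p=.
    is_sub = from_domain.lower().rstrip(".") != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_sub else tags["p"]
    return "fail", policy if policy in POLICIES else tags["p"]
```

The marketing-platform case (SPF passes for the platform's bounce domain, DKIM signed with the platform's own `d=`) fails alignment and is treated exactly like a spoof, which is what the monitoring phase is there to catch.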

Implementation Path

Step 1: Check current state

Use our Domain Health Check or online tools to see what you have now.

Step 2: Implement SPF

List all legitimate senders:
  • Your email provider (Microsoft 365, Google, etc.)
  • Marketing platforms (Mailchimp, HubSpot, etc.)
  • Transactional email services
  • Any system that sends email as your domain

Step 3: Implement DKIM

Enable DKIM signing in your email provider. Publish the DKIM keys in DNS.

Step 4: Implement DMARC at p=none

Start monitoring without blocking. `v=DMARC1; p=none; rua=mailto:[email protected]`

Step 5: Review DMARC reports

See who's sending email as your domain. You'll find:
  • Your legitimate services (should pass)
  • Services you forgot about (need adding to SPF/DKIM)
  • Attackers spoofing you (should fail)

Step 6: Fix issues

Add legitimate services to SPF. Enable DKIM where missing. Investigate failures.

Step 7: Move to p=quarantine

Failed emails go to spam. Monitor for problems.

Step 8: Move to p=reject

Failed emails are blocked. Full protection.
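Step 5 is where most of the work happens, so here is an added example (not part of the original page) that parses a DMARC aggregate report and sorts each sending source into the three buckets listed there. The report is constructed in the RFC 7489 XML layout with documentation-range IPs and placeholder domains (`receiver.example`, `mailer.example`), not a real report received by anyone.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate (rua) report in the RFC 7489 XML layout. The IPs are
# documentation ranges and the domains are placeholders; this is not a real report.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record><row><source_ip>198.51.100.7</source_ip><count>240</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf>
      <dkim><domain>example.com</domain><result>pass</result></dkim></auth_results></record>
  <record><row><source_ip>203.0.113.40</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.mailer.example</domain><result>pass</result></spf>
      <dkim><domain>mailer.example</domain><result>pass</result></dkim></auth_results></record>
  <record><row><source_ip>192.0.2.99</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def raw_passing_domains(rec):
    """Domains whose SPF or DKIM passed on its own terms, before DMARC alignment is applied."""
    return sorted({r.findtext("domain") for r in rec.findall("auth_results/*") if r.findtext("result") == "pass"})

def classify(rec):
    """Map one <record> onto the three buckets the monitoring phase is looking for."""
    ev = rec.find("row/policy_evaluated")  # aligned results, i.e. what DMARC itself saw
    if ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass":
        return "legitimate"         # aligned pass: a properly set-up sender
    if raw_passing_domains(rec):
        return "unaligned_service"  # real sender authenticating under its own domain: add it to SPF/DKIM
    return "unauthenticated"        # nothing passed: likely spoofing (or a badly broken sender)

def summarise(xml_text):
    """One row per <record>: source IP, message count, bucket, and the domains that passed raw."""
    root = ET.fromstring(xml_text)
    return [{"ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count")),
             "bucket": classify(rec), "raw_pass_domains": raw_passing_domains(rec)}
            for rec in root.findall("record")]

def totals(rows):
    """Message counts per bucket: the quick view to read before moving to quarantine or reject."""
    t = defaultdict(int)
    for r in rows:
        t[r["bucket"]] += r["count"]
    return dict(t)
```

In the sample, 203.0.113.40 is the "forgotten service" pattern: both checks pass for the platform's own domains but neither aligns with example.com, so it would be blocked at `p=reject`.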

Common Mistakes

Forgetting sending services

That marketing platform, that ticketing system, that old application: they all need to be in SPF or have DKIM.

Breaking legitimate email

Moving to enforcement too quickly breaks email from forgotten services. The monitoring phase prevents this.

SPF too long

SPF has a hard limit of 10 DNS lookups per evaluation: every `include`, `a`, `mx` and `exists` counts, including those nested inside an included record. Go over it and receivers return a permanent error, which means broken SPF and no protection from that record.

Never moving beyond p=none

Monitoring without enforcement doesn't protect you. The goal is p=reject.
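This added example (not the page's own code) ties the SPF section above to the lookup limit: a small SPF evaluator over a constructed DNS table that checks a sending IP against a record like the Microsoft 365 one shown earlier, counts DNS-querying terms as it goes, and returns `permerror` once an 11th lookup is needed. `FAKE_TXT`, `bloated.example` and the `svcN.example` names are constructed, and the record given here for spf.protection.outlook.com is a stand-in, not Microsoft's real one.

```python
import ipaddress
# Constructed stand-in for DNS TXT lookups; none of these are real published records.
FAKE_TXT = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    # 11 includes: one more than the RFC 7208 limit of 10 DNS-querying terms.
    "bloated.example": ["v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all"],
    **{f"svc{i}.example": ["v=spf1 ip4:198.51.100.0/24 -all"] for i in range(11)},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHS = ("include", "a", "mx", "exists")  # mechanisms that each cost a DNS lookup

def get_spf(domain, txt=FAKE_TXT):
    recs = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None  # zero or duplicate records: unusable

def parse_term(term):
    qualifier = term[0] if term[0] in QUALIFIERS else "+"
    mech, _, arg = term.lstrip("+-~?").partition(":")
    return qualifier, mech.split("/")[0].lower(), arg

def check_spf(ip, domain, txt=FAKE_TXT, lookups=None):
    """Evaluate ip against domain's SPF -> (result, lookups_used).
    a/mx/exists are counted but never match here (they need live DNS); redirect= is ignored."""
    lookups = [0] if lookups is None else lookups  # counter shared across nested includes
    record = get_spf(domain, txt)
    if record is None:
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech, arg = parse_term(term)
        if mech in DNS_MECHS:
            lookups[0] += 1
            if lookups[0] > 10:  # RFC 7208 section 4.6.4 limit
                return "permerror", lookups[0]  # what receivers report as "broken SPF"
        if mech == "include":
            sub, _ = check_spf(ip, arg, txt, lookups)
            if sub == "permerror":
                return sub, lookups[0]
            matched = sub == "pass"
        else:
            matched = mech == "all" or (mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False))
        if matched:
            return QUALIFIERS[qualifier], lookups[0]
    return "neutral", lookups[0]  # nothing matched and no 'all' term

def count_lookups(domain, txt=FAKE_TXT):
    """Static count over the whole include tree, the figure an SPF lint tool reports."""
    terms = [parse_term(t) for t in (get_spf(domain, txt) or "v=spf1").split()[1:]]
    return sum(1 + (count_lookups(a, txt) if m == "include" else 0) for _, m, a in terms if m in DNS_MECHS)
```

Note that `check_spf` only trips the limit when evaluation actually reaches the 11th lookup, so a bloated record can still "pass" for some senders and break for others; `count_lookups` is the check to run on the record itself.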

What We Do

We configure email authentication properly for all our managed clients:

  • SPF, DKIM, and DMARC configured
  • All legitimate sending sources identified
  • Path to enforcement
  • Ongoing monitoring

We also help organisations who've tried to configure this themselves and broken something. It's more nuanced than it appears.

---

Want to check your email authentication? Try our free Domain Health Check or talk to us.

---