Prevent your email from being spoofed

What it is

Email spoofing is when an attacker sends an email appearing to come from your organisation’s domain. This can happen if your domain doesn't have SPF, DMARC, and DKIM security policies set.

SPF (Sender Policy Framework)

Allows you to tell others what servers are approved to send emails using your organisation's domain name. This might be your email servers and another server if you use another company to manage and send emails such as newsletters.
If you allow another company's servers to send emails on your behalf, and an attacker gets access to those servers, the attacker might be able to send emails on behalf of your domain too. That is where DKIM comes in.
DKIM (DomainKeys Identified Mail)

Allows your mail server (and other servers sending emails) to sign emails you send with a special key that is used to check that you created the email and others haven't modified it.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
Allows you to tell others what you want to happen if they receive an email claiming to be from you but it doesn't pass SPF or DKIM checks. You can ask them to:
- allow the email through
- mark it as suspicious
- discard the email
- let you know about the email while still doing one of the above.

The risks

If your organisation's email is not secure, an attacker can impersonate you to trick people into giving them information, access, or money.

We often see attackers spoofing emails to send spam or gain sensitive information. If your domain doesn't have SPF, DMARC, and DKIM security policies set, an attacker can spoof your email. This often results in your:

clients replying to spoofed emails with sensitive information
customers paying fake invoices sent by attackers impersonating your organisation
vendors granting access to attackers after receiving a spoofed email request.

How to protect your business

If needed, talk to your IT provider

If you need help with implementation, talk to your IT provider.

You’ll need to determine where your email is sent from, and how you want spoofed, or failed, email messages to be dealt with.
Configure SPF, DKIM or DMARC and your domains

Tip

Attackers can still make their own domains that look similar to yours, but DMARC does prevent them from using your real domain name. Even better, with properly configured DMARC you’ll know if someone is trying to spoof your domain, as you’ll be notified about any email that gets rejected based on your DMARC settings.

It's important to implement security policies for domains that don't use email as well. Even if you know you don't send emails from that domain, other email providers may not realise this, and so attackers can still send emails that seem to come from your domain.

Configuring these doesn't have to be hard. Talk to your IT provider to see what they can do to help implement these protections.

For SPF and DMARC, it can be as simple as adding a few DNS records stating who you allow to send emails and what others should do if email verification checks fail.

For DKIM, you also add a DNS record, as well as some additional configuration on the email servers you use to sign emails.
Include all email campaign services you use in your DNS records

Email providers often have built-in security and spam filters. Without SPF, DKIM, and DMARC an email provider might mistakenly mark your email campaign as spam because it appears to come from an email campaign system rather than your normal mail server.
Use strict settings

You may want to start with more permissive settings, but once you are comfortable that it's configured correctly, move to stricter configurations.

For SPF, remember to only add the IP addresses you use to send emails – exclude all other IP addresses. Using "~all" will do this and typically mark the emails failing FPS as spam. Using "-all" will also do this and typically emails failing SPF will be discarded.

For DKIM, configuration typically requires generating two keys, a public and a private key. You configure your email server to use the private key to sign emails. You publish your public key in a DNS record.

For DMARC, set:
- a policy. You can start with "None" which will allow you to receive reports about what emails others are sending from your domain. Set the policy telling others to "quarantine" the email and eventually "reject" the email
- a reporting address. This will tell you about the emails others are receiving from your domain. This can help with identifying what services you are sending emails from, as well as if your domain is being spoofed.
Test your email after setting up DNS records

After setting up your DNS records, it's important to test them to make sure your legitimate mail gets through. These technologies can be set up in a 'soft fail' mode while you're testing, so you can check your email would have been delivered. You can then set it to 'hard fail' once you're reassured that your legitimate email is getting through.

Get help

If you think you’ve been spoofed, speak to your IT provider and follow the steps in your incident response plan.

Creating an incident response plan

You can also report an online security issue to CERT NZ.

Get help now

What to read next

Protect your business

Protect your business against email compromise

Browse all Protect your business

Outdated browser

Prevent your email from being spoofed

What it is

SPF (Sender Policy Framework)

DKIM (DomainKeys Identified Mail)

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

The risks

How to protect your business

If needed, talk to your IT provider

Configure SPF, DKIM or DMARC and your domains

Include all email campaign services you use in your DNS records

Use strict settings

Test your email after setting up DNS records

Get help

What to read next