What it is
Email spoofing is when an attacker sends an email appearing to come from your organisation’s domain. This can happen if your domain doesn't have SPF, DMARC, and DKIM security policies set.
You can set up security controls for your business domain to help prevent attackers from impersonating your organisation’s email addresses.
SPF (Sender Policy Framework) lets you tell other mail servers which servers are approved to send email using your organisation's domain name. These might be your own email servers, plus another company's servers if you use a third party to manage and send email such as newsletters.
If you allow another company's servers to send emails on your behalf, and an attacker gets access to those servers, the attacker might be able to send emails on behalf of your domain too. That is where DKIM comes in.
DKIM (DomainKeys Identified Mail) lets your mail server (and any other servers sending email for you) sign the emails you send with a private key. Recipients use the matching public key to check that you created the email and that nobody has modified it in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance) lets you tell other mail servers what you want to happen when they receive an email claiming to be from you that doesn't pass SPF or DKIM checks. You can ask them to:
If your organisation's email is not secure, an attacker can impersonate you to trick people into giving them information, access, or money.
We often see attackers spoofing emails to send spam or gain sensitive information. If your domain doesn't have SPF, DMARC, and DKIM security policies set, an attacker can spoof your email. This often results in your:
If you need help with implementation, talk to your IT provider.
You’ll need to determine where your email is sent from, and how you want spoofed, or failed, email messages to be dealt with.
Configuring these doesn't have to be hard. Talk to your IT provider to see what they can do to help implement these protections.
For SPF and DMARC, it can be as simple as adding a few DNS records stating who you allow to send emails and what others should do if email verification checks fail.
For DKIM, you also add a DNS record, as well as some additional configuration on the email servers you use to sign emails.
Email providers often have built-in security and spam filters. Without SPF, DKIM, and DMARC an email provider might mistakenly mark your email campaign as spam because it appears to come from an email campaign system rather than your normal mail server.
You may want to start with more permissive settings, but once you are comfortable that it's configured correctly, move to stricter configurations.
For SPF, remember to list only the IP addresses you actually use to send email, and exclude all others. Ending the record with "~all" does this, and email failing SPF will typically be marked as spam (soft fail). Ending it with "-all" also does this, but email failing SPF will typically be discarded (hard fail).
For DKIM, configuration typically requires generating two keys: a public key and a private key. You configure your email server to sign outgoing emails with the private key, and you publish the public key in a DNS record so recipients can verify the signatures.
For DMARC, set:
After setting up your DNS records, it's important to test them to make sure your legitimate mail gets through. These technologies can be set up in a 'soft fail' mode while you're testing, so you can check your email would have been delivered. You can then set it to 'hard fail' once you're reassured that your legitimate email is getting through.
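As an added example (not from this page or from CERT NZ), here is a small Python check you can run on a draft SPF record before publishing it, to test the soft-fail to hard-fail progression described above: every address you actually send from must pass, and an address you don't control must not. The records and IP addresses are constructed sample values, and the evaluator handles only the ip4, ip6 and all mechanisms (include, a and mx need DNS lookups and are rejected).

```python
import ipaddress

# Result for each SPF qualifier (RFC 7208): "-" is the hard fail, "~" the soft fail.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Evaluate a simplified SPF record for one sending IP address.

    Handles ip4:, ip6: and the catch-all 'all' mechanism with all four qualifiers.
    Mechanisms needing DNS (include, a, mx) and modifiers (redirect=, exp=) raise.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue  # this mechanism did not match; try the next one
        raise ValueError(f"mechanism or modifier '{name}' is not supported here")
    return "neutral"  # nothing matched and no 'all' term: RFC 7208 default

def check_record(record, legitimate_ips, outsider_ip):
    """Pre-publication check: every legitimate sender must get 'pass' and an
    address you do not control must not. Returns the per-IP results too."""
    results = {ip: evaluate_spf(record, ip) for ip in legitimate_ips}
    results[outsider_ip] = evaluate_spf(record, outsider_ip)
    ok = all(results[ip] == "pass" for ip in legitimate_ips)
    ok = ok and results[outsider_ip] != "pass"
    return {"ok": ok, "results": results}

# Constructed sample values using documentation address ranges (not real
# infrastructure): our mail server, a newsletter provider's range, one IPv6 host.
OUR_SENDERS = ["203.0.113.10", "198.51.100.24", "2001:db8:1::25"]
SOFT_FAIL_RECORD = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/27 ip6:2001:db8:1::/64 ~all"
HARD_FAIL_RECORD = SOFT_FAIL_RECORD.replace("~all", "-all")  # stricter, once tested
OUTSIDER = "192.0.2.77"

if __name__ == "__main__":
    for label, rec in (("soft fail", SOFT_FAIL_RECORD), ("hard fail", HARD_FAIL_RECORD)):
        print(label, check_record(rec, OUR_SENDERS, OUTSIDER))
```

If any of your real sending addresses comes back as anything other than "pass", fix the record before moving from "~all" to "-all", otherwise that mail will be discarded rather than just flagged.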
If you think you’ve been spoofed, speak to your IT provider and follow the steps in your incident response plan.
Creating an incident response plan
You can also report an online security issue to CERT NZ.