This is the scam that does not touch your systems at all. Your passwords are fine, your computers are fine, nothing has been breached. Someone simply writes your domain into the From line of an email and sends it to your clients, and unless you have set your domain up to prevent it, the message sails into their inbox looking exactly like you.

It matters here more than most people realise. In its 2023-24 report, the Australian Signals Directorate recorded almost $84 million in self-reported losses to business email compromise, the fraud category this kind of impersonation feeds, at an average of more than $55,000 per confirmed incident. Those are not faceless multinationals. A large share of them are ordinary Australian businesses that trusted an email that was not what it appeared to be.

The good news is that three settings on your domain make this much harder to pull off. They are called SPF, DKIM and DMARC, and most businesses we look at have one or two of them in place and the third either missing or quietly misconfigured. That gap is usually all it takes.

Why anyone can send email in your name

Email was designed in a more trusting era, and it shows. The system that carries mail does not, on its own, verify that a sender is who they say they are. The From line on a message is worth about as much as the return address biroed onto the back of an envelope: you can write anyone's name there, and it still gets delivered.

That is the whole trick. A scammer types your domain into the From field, hits send, and if your domain has not been set up to say otherwise, the server on the receiving end has nothing to object to. The email turns up in your client's inbox wearing your name. The ACSC publishes anti-spoofing guidance for exactly this reason, because email in its default state hands you no protection whatsoever.

Spoofing breaks into nothing. It simply relies on email never checking, by itself, who the sender really is.

The three records that shut it down

Three DNS records work as a team to prove a message genuinely came from you. You set them up once, wherever your domain's DNS is hosted, and from then on every receiving mail server tests them against anything claiming to be from your domain.

SPF, the approved-sender guest list

SPF (Sender Policy Framework) is, in effect, a guest list you publish in DNS: the set of mail servers entitled to send on your domain's behalf. A server that receives one of your messages can look up that list and check whether the machine it actually came from belongs there. When something sends as your domain from an address you never sanctioned, that mismatch is what SPF exposes.

DKIM, the wax seal

DKIM (DomainKeys Identified Mail) presses a cryptographic seal onto each message you send. Your mail server keeps a secret key it uses to sign outgoing email, and it publishes the matching half of that key openly in your DNS. Any recipient's server can test the seal, which proves two things in one go: the message really originated with your domain, and its contents were not meddled with in transit.

DMARC, the rule and the paper trail

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the layer that turns those two checks into an enforceable policy, and it does three jobs. It instructs receiving servers on how to treat a message that fails. It insists that the address your recipient actually sees matches the domain SPF and DKIM just validated, which is the specific move that defeats a forgery of your exact address. And it feeds a steady stream of reports back to you, naming everything sending mail under your domain, the genuine services and the imposters together.

The DMARC setting most businesses get wrong

Slow down here, because this is where good intentions quietly stall one step short of actually working. DMARC offers three policy levels.

  • p=none asks receiving servers to take no action on a failing message. It observes and reports, nothing more, and your domain stays wide open to spoofing.
  • p=quarantine asks them to slide failing messages into the junk folder.
  • p=reject asks them to turn failing messages away before they ever land.

Enormous numbers of businesses switch DMARC on at none, enjoy the reports for a few weeks, and simply never advance. At none, you have visibility and no defence. Protection does not begin until quarantine or reject. Microsoft's own advice is to progress toward reject once you are confident your real mail passes. A domain parked on none has done the difficult four-fifths of the work and halted immediately before the part that pays off.

DMARC on "monitor only" is a smoke alarm with the siren unplugged. It notices the fire and tells nobody who can act.

What these records do not stop

SPF, DKIM and DMARC defeat a forgery of your exact domain. They are not a full suit of armour, and pretending otherwise would be dishonest. Two gaps deserve a mention.

Lookalike domains. Nothing stops a scammer buying a domain that merely resembles yours, yourbusiness-invoices.com perhaps, or yourbusiness.co in place of your .com, and sending from that instead. It is a domain they legitimately own, so your records have no jurisdiction over it.

Display-name spoofing. The friendly name a recipient reads first can be set to say "Your Business Accounts" while the real address lurking behind it is a disposable Gmail. DMARC examines the domain and pays that display name no attention at all.

For both, you are back to the habits that catch any phishing attempt: read the full address rather than the name in front of it, and confirm any request to change payment details by ringing a number you already know, never one offered inside the email. It is the same discipline we wrote about in quishing, the QR code scam your email filter cannot see, and the reason we keep saying that the team who is sure they can spot phishing is the team most worth worrying about.

This matters even if you barely send email

There are two reasons to bother, and only one of them is about scammers.

The first is protection: these records deny criminals the use of your domain as a mask against the people who trust it, your clients, your suppliers and your own team, which is exactly the pathway behind those ASD business email compromise figures.

The second is that your everyday email is now less likely to arrive at all without them. From February 2024, Google and Yahoo drew a line: any high-volume sender, defined as more than 5,000 messages a day, must authenticate with all three records or watch its mail get filtered. Microsoft followed across Outlook.com and Hotmail during 2025, first diverting non-compliant bulk mail to junk and then turning it away outright. You do not need to be anywhere near 5,000 a day for this to bite, because a properly authenticated domain earns more inbox trust than one without, at any volume. Getting it right protects your reputation and your deliverability in a single move.

How to check, and how to fix it safely

You can get a rough read on where you stand in a minute or two, without touching anything technical. Plenty of free online tools will take your domain name and report which of the three records are published. That answers the presence question, not the correctness one, and correctness is where the real story usually hides.

Setting them right is work for whoever runs your IT or your domain, because it all lives in DNS and one careless change can bury your own legitimate mail in spam. Done properly, it is staged rather than flipped on in a single move:

  • Get SPF and DKIM published so that every genuine source of your mail is accounted for, including any third-party services (a CRM, an accounting package, a marketing tool) that send on your behalf.
  • Introduce DMARC at p=none and live with the reports until you are certain nothing legitimate is failing.
  • Tighten DMARC to p=quarantine, and then to p=reject, once those reports come back clean.

This is the same measured path Microsoft recommends, from none toward reject, so you finish protected without a single one of your own messages caught in the crossfire. It is not a large undertaking. For most businesses it is an afternoon of careful setup followed by a few weeks of reading reports.

Where we land on this

If you take one thing from this, make it a single question to whoever looks after your IT: is our DMARC set to reject, and does all our real mail pass? If the answer is "we are on none" or "I am not sure," your domain is very likely spoofable today, and closing that is quick, permanent and cheap. It is exactly the sort of unglamorous groundwork that sits behind AgileSECURE, and if you would like us to check your domain and set it up properly, that is a short conversation with a clear answer at the end of it.

Frequently asked questions

What is email spoofing?

It is the trick of putting your domain into an email's From address so the message appears to come from your business when it did not. Criminals use it to talk clients, suppliers or staff into paying a bogus invoice, switching bank details, or giving up information. Nothing of yours has to be hacked for it to work, which is precisely why it is so widespread.

What are SPF, DKIM and DMARC in plain terms?

They are three entries you add to your domain's DNS. Think of SPF as an approved-sender guest list, DKIM as a wax seal that proves a message is genuinely yours and unopened, and DMARC as the rule that decides what happens to anything failing those first two checks, while quietly reporting back to you on everyone sending mail under your name.

Does DMARC stop every kind of email impersonation?

No, and anyone who tells you it does is overselling it. DMARC defeats a forgery of your exact domain. It has no power over a lookalike domain the attacker actually owns, such as yourbusiness-invoices.com, nor over display-name tricks where the sender name reads like your business but the address behind it is some throwaway account. Those still come down to people reading the real address and confirming money requests by phone.

Will turning on DMARC block my own emails?

Only if you rush it. Beginning at p=none lets you sit and read the reports until you are satisfied every one of your genuine mail streams passes, and only then do you tighten to quarantine and reject. The horror stories all come from someone flipping straight to reject before checking, and watching their own invoices land in customers' spam.

Do I need these records if my business does not send much email?

Yes. Their protective job has nothing to do with how much mail you send: they stop your domain being worn as a disguise. On top of that, Google, Yahoo and Microsoft now lean on authentication when deciding what reaches an inbox, so even a low-volume domain is better off with the records than without them.

How do I check whether my domain is protected?

In a minute or two, a free online lookup will tell you which of the three records your domain publishes. What it cannot tell you is whether they are configured correctly, and that is the part that decides whether you are actually protected. Confirming and correcting it safely is work for whoever runs your IT, because it lives in DNS and a clumsy edit can bury your own mail in spam.