IronSights

Email spoofing

A technique where attackers send email that appears to originate from a legitimate domain by exploiting missing or weak email authentication records (SPF, DKIM, DMARC), enabling phishing, fraud, and impersonation attacks.

Also known as: domain spoofing, email impersonation, sender spoofing, spoofed email

In plain English

Email spoofing lets criminals send emails that look like they came from your domain — your brand in the From field, your email address, your company name. Without SPF, DKIM, and DMARC in place, receiving mail servers have no way to verify the email is genuine. Spoofed emails are the starting point for invoice fraud, CEO impersonation, and phishing campaigns targeting your customers and suppliers.

Full definition

Email spoofing is possible because the original email protocol (SMTP) has no built-in mechanism to verify that a sending server is authorised to send email on behalf of a domain. The visible "From" address in an email is entirely separate from the server that actually delivers it — and without authentication records in DNS, anyone can set any From address they like.

SPF limits which servers can send email for your domain. DKIM adds a cryptographic signature to prove emails weren't tampered with. DMARC ties both together and tells receiving servers what to do when an email fails these checks — quarantine it or reject it outright. Together, all three protocols close the spoofing gap.
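The following is an added illustration, not IronSights code, of the decision a receiving server makes under DMARC: an SPF or DKIM pass only protects the domain if the authenticated identifier aligns with the visible From domain, which is why a spoofer sending from their own well-configured server still fails. The DMARC record, the `PUBLIC_SUFFIXES` set and the domains are all constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the Public Suffix List real receivers consult; it is
# here only so that ironsights.com.au resolves to the right organisational domain.
PUBLIC_SUFFIXES = {"com.au", "com", "net", "example"}

# Constructed record as it would be published in DNS at _dmarc.ironsights.com.au
DMARC_TXT = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@ironsights.com.au"

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into tags, applying RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")   # no p= tag means monitor only
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment by default
    return tags

def org_domain(domain: str) -> str:
    """Organisational domain: one label above the longest known public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(record: Dict[str, str], from_domain: str,
                   spf_pass_domain: Optional[str],
                   dkim_pass_domains: List[str]) -> Tuple[str, str]:
    """Return (result, disposition) for a message whose visible From domain is from_domain.
    spf_pass_domain is the envelope MAIL FROM domain if SPF passed (else None);
    dkim_pass_domains holds the d= domains of DKIM signatures that verified.
    A pass only counts if that identifier aligns with the From header domain."""
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, record["aspf"])
    dkim_ok = any(aligned(d, from_domain, record["adkim"]) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", record["p"]
```

With the record above, a message showing `billing@ironsights.com.au` in From but passing SPF only for `attacker.example` evaluates to `("fail", "reject")`, while legitimate mail relayed via `mail.ironsights.com.au` passes under relaxed alignment.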

Even with all three configured, attackers can register lookalike domains (e.g. ironsights-au.com instead of ironsights.com.au) and send convincing impersonation emails from those domains. Brand monitoring and DMARC reporting help identify and respond to these campaigns early.
