What Is Email Spoofing? How It Works and How to Stop It (2026)
Email spoofing lets attackers send messages that appear to come from anyone — your bank, your CEO, or your best friend. Here is exactly how it works, the four main variants attackers use, and how modern authentication standards (SPF, DKIM, DMARC) close the gaps.
What Is Email Spoofing?
Email spoofing is the forgery of an email's sender address so that the message appears to originate from a source it does not. The underlying email protocol, SMTP (Simple Mail Transfer Protocol), was standardized in 1982 (RFC 821) on top of the ARPANET mail conventions of the 1970s, with no built-in sender authentication. Any mail server can assert any From: address, and by default receiving servers have no way to verify the claim.
This is not a bug that was patched long ago — it is a fundamental property of the protocol that billions of emails still rely on. While authentication standards (SPF, DKIM, DMARC) now exist, adoption is uneven. The Anti-Phishing Working Group (APWG) reported in Q1 2026 that 31% of phishing attacks observed used some form of sender identity forgery, and display-name spoofing specifically affected over 3.4 billion emails per day.
Example (what your email client shows versus what the message actually contains):
From: security@paypal.com
Reply-To: support@paypal-helpdesk.ru
Subject: Your account has been limited
The Four Types of Email Spoofing
Display Name Spoofing
Difficulty: Trivial. The attacker sets the friendly display name to something trusted ("PayPal Support" or "CEO John Smith") but uses a completely unrelated sending address. The real address is often only visible if you click to expand the sender details, which most users never do.
Example
Display name: "Chase Bank" — actual address: chase-alert@totally-random-domain.net
Domain Spoofing
Difficulty: Moderate. The attacker forges the From: header to show the exact domain of the impersonated organization (e.g. alerts@paypal.com). Sending such a message is trivial; getting it delivered is not. It succeeds only when the impersonated domain has published no enforcing DMARC policy (no record, or p=none) or the receiving server does not evaluate DMARC, because the attacker cannot obtain an SPF or DKIM pass that aligns with a domain they do not control.
Example
From: security@paypal.com — but sent through a mail server unrelated to PayPal
Lookalike Domain Spoofing
Difficulty: Low. The attacker registers a domain that looks nearly identical to the real one, using character substitution (paypa1.com), extra words (paypal-security.com), or a different TLD (paypal.net). Because the attacker owns the domain, they can publish valid SPF, DKIM and even DMARC records for it, so the message authenticates cleanly; it is simply not the legitimate organization.
Example
From: security@paypa1.com or billing@paypal-secure-alerts.com
Reply-To Spoofing
Difficulty: Trivial. The From: address appears legitimate but the Reply-To header points to an attacker-controlled address, so when the victim clicks reply, their response goes to the attacker. The message can pass every authentication check, because Reply-To is not covered by SPF, DKIM alignment or DMARC: if it was sent from a domain the attacker controls (behind a trusted display name) or from a compromised account at the stated domain, it authenticates normally.
Example
From: ceo@company.com — Reply-To: ceo.personal@gmail.com
How Email Spoofing Works Technically
When you send an email, two separate identities are involved: the envelope sender (used by mail servers during transmission, like the return address on an envelope) and the header From: (the address displayed in your email client, like the name printed on the letter inside).
SMTP carries the envelope sender in the MAIL FROM command, and that is the identity SPF checks; but the envelope sender is also just what the sending server claims, and the header From: is simply a line inside the message content transmitted after the DATA command, which the client displays. Setting either to anything requires no special access or technical exploit: a basic Python script using the standard smtplib module can send an email claiming to be from president@whitehouse.gov in under ten lines of code. Whether it is delivered depends on whether the receiving server enforces the impersonated domain's DMARC policy.
In practice, attackers use legitimate mail services (their own VPS running Postfix, compromised mail servers, or bulk-sending APIs that do not enforce From: restrictions) to deliver spoofed messages at scale. Some free webmail providers allow setting arbitrary From: addresses, though most major providers now restrict this.
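The two identities are easiest to see in the protocol exchange itself. The following Python is an added example, not code from the original page or from Gorganizer: it runs a throwaway SMTP responder on 127.0.0.1 (constructed here; it speaks only the handful of commands smtplib needs), then uses the standard library smtplib client to send one message whose envelope sender and header From: disagree, and returns both as the server recorded them. All addresses and hostnames are illustrative; nothing leaves the local machine.

```python
import email
import smtplib
import socket
import threading
from email.message import EmailMessage
from email.policy import default as default_policy


class CapturingSmtpServer:
    """Toy single-connection SMTP responder on 127.0.0.1 (constructed for this example).

    It implements just enough of RFC 5321 for smtplib and records two things separately:
    the envelope sender the client asserts in MAIL FROM, and the raw message from DATA,
    whose From: line is what a mail client would display.
    """

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.envelope_from = None
        self.envelope_to = []
        self.raw_data = b""
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn, conn.makefile("rwb") as f:
            f.write(b"220 toy.example ESMTP\r\n")
            f.flush()
            while True:
                line = f.readline()
                if not line:
                    break
                cmd = line.decode("ascii", "replace").strip()
                verb = cmd.split(" ", 1)[0].upper()
                if verb in ("EHLO", "HELO"):
                    f.write(b"250 toy.example\r\n")
                elif verb == "MAIL":                       # MAIL FROM:<addr>, the envelope sender
                    self.envelope_from = cmd.split(":", 1)[1].strip().strip("<>")
                    f.write(b"250 OK\r\n")
                elif verb == "RCPT":                       # RCPT TO:<addr>
                    self.envelope_to.append(cmd.split(":", 1)[1].strip().strip("<>"))
                    f.write(b"250 OK\r\n")
                elif verb == "DATA":                       # message content follows, ended by a lone "."
                    f.write(b"354 End data with <CR><LF>.<CR><LF>\r\n")
                    f.flush()
                    lines = []
                    while (l := f.readline()) and l != b".\r\n":
                        lines.append(l[1:] if l.startswith(b"..") else l)   # undo dot-stuffing
                    self.raw_data = b"".join(lines)
                    f.write(b"250 OK queued\r\n")
                elif verb == "QUIT":
                    f.write(b"221 Bye\r\n")
                    f.flush()
                    break
                else:
                    f.write(b"250 OK\r\n")
                f.flush()


def send_spoofed(port, envelope_from, header_from, recipient):
    """Send one message whose envelope sender and header From: disagree."""
    msg = EmailMessage()
    msg["From"] = header_from                 # what the recipient's client will show
    msg["To"] = recipient
    msg["Subject"] = "Your account has been limited"
    msg.set_content("Please reply immediately.")
    with smtplib.SMTP("127.0.0.1", port, local_hostname="client.example", timeout=5) as client:
        # from_addr sets MAIL FROM (the identity SPF checks) independently of the From: header
        client.send_message(msg, from_addr=envelope_from, to_addrs=[recipient])


def demonstrate():
    """Run the exchange against the toy server and return both identities as the server saw them."""
    server = CapturingSmtpServer()
    send_spoofed(server.port, "bounce@attacker.example", "security@paypal.com", "victim@example.org")
    server.thread.join(timeout=5)
    server.sock.close()
    parsed = email.message_from_bytes(server.raw_data, policy=default_policy)
    return {
        "envelope_from": server.envelope_from,                     # checked by SPF
        "envelope_to": server.envelope_to,
        "header_from": str(parsed["From"]),                        # displayed; checked only via DMARC alignment
        "header_from_domain": str(parsed["From"]).rsplit("@", 1)[-1],
    }


if __name__ == "__main__":
    print(demonstrate())
```

A real receiving server would prepend a Received: header recording the connecting IP, and SPF would evaluate attacker.example (the MAIL FROM domain), not paypal.com. Without DMARC alignment, nothing in the transaction ever compares the envelope domain with the From: domain the recipient sees.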
How SPF, DKIM, and DMARC Stop Spoofing
Three DNS-based standards form the primary defence against email spoofing, and a fourth (BIMI) builds on them. They work at the domain level, not the individual email level: domain owners must configure and publish them.
SPF (Sender Policy Framework): A DNS TXT record that lists the IP addresses and hosts authorized to send email for a domain; the receiving server checks the connecting IP against it.
Limitation: Only checks the envelope sender (MAIL FROM) and the HELO name, not the visible From: header. Breaks when email is forwarded, because the forwarder's IP is not in the original domain's record.
DKIM (DomainKeys Identified Mail): A cryptographic signature carried in a DKIM-Signature header and verified against a public key the signing domain publishes in DNS, proving the message was signed by a server holding that domain's key and that the signed headers and body were not modified afterwards.
Limitation: The signing domain (the d= tag) need not match the From: domain, and DKIM does nothing against display-name spoofing. Signatures break when intermediaries such as mailing lists modify the message, and an unsigned message simply has no DKIM result.
DMARC (Domain-based Message Authentication, Reporting and Conformance): Builds on SPF and DKIM, requiring at least one of them to pass with an identifier (the MAIL FROM domain for SPF, the d= domain for DKIM) that aligns with the visible From: domain. Domain owners publish a policy telling receiving servers to quarantine or reject failing messages, and receive aggregate reports on who is sending as their domain.
Limitation: Only effective if the sender domain has published a DMARC policy with p=quarantine or p=reject. Many domains still use p=none (report only).
BIMI (Brand Indicators for Message Identification): Allows organizations to display their verified logo beside authenticated emails in supporting clients (Gmail, Yahoo, Apple Mail).
Limitation: Requires DMARC at enforcement level. Relatively new and not yet universally supported.
Even with all three deployed, spoofing is not fully eliminated. Display-name spoofing does not trigger authentication failures (the address is real — only the name is deceptive). Lookalike domains pass SPF and DKIM because they are legitimate domains, just not the legitimate organization. DMARC only helps if the impersonated domain has published a strict policy.
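The alignment step is where the three standards interact, and it is the part most often misread. The following Python is an added example (not from the original page or any vendor) of a minimal DMARC evaluator: it parses a DMARC TXT record, applies strict or relaxed alignment, and returns the verdict and disposition for the cases discussed above, including the exact-domain forgery under p=reject versus p=none and the lookalike domain that passes because the attacker owns it. The records and domains are constructed, the organizational-domain lookup is simplified to the last two labels (real receivers use the Public Suffix List), and pct= sampling is ignored.

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into a tag dict."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}      # RFC 7489 defaults
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record: %r" % txt)
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (bounce.paypal.com -> paypal.com)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, record, spf_result, mailfrom_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    DMARC passes if SPF passed for an aligned MAIL FROM domain, or DKIM verified with an
    aligned d= domain. Otherwise the record's p= tag decides what the receiver should do.
    """
    tags = parse_dmarc_record(record)
    spf_aligned = spf_result == "pass" and aligned(from_domain, mailfrom_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", disposition.get(tags["p"], "deliver")


# Constructed records: the weak report-only setting, the enforcing one, and a strict-alignment one.
RECORD_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@paypal.com"
RECORD_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@paypal.com"
RECORD_STRICT = "v=DMARC1; p=reject; aspf=s; adkim=s"


def scenarios():
    """Evaluate the cases discussed in the text; returns name -> (result, disposition)."""
    return {
        # Exact-domain forgery: the attacker's server passes SPF for its own MAIL FROM domain,
        # but that identifier does not align with paypal.com, so DMARC fails and p=reject applies.
        "exact_spoof_p_reject": dmarc_evaluate(
            "paypal.com", RECORD_REJECT, "pass", "attacker.example", "none", None),
        # The same forgery against a p=none domain: still a DMARC fail, still delivered.
        "exact_spoof_p_none": dmarc_evaluate(
            "paypal.com", RECORD_NONE, "pass", "attacker.example", "none", None),
        # Legitimate mail with a subdomain bounce address: relaxed SPF alignment passes.
        "legit_subdomain_relaxed": dmarc_evaluate(
            "paypal.com", RECORD_REJECT, "pass", "bounce.paypal.com", "none", None),
        # The same mail under strict alignment: the subdomain no longer counts.
        "legit_subdomain_strict": dmarc_evaluate(
            "paypal.com", RECORD_STRICT, "pass", "bounce.paypal.com", "none", None),
        # Forwarded legitimate mail: SPF breaks on the forwarder's IP, DKIM still verifies.
        "forwarded_dkim_survives": dmarc_evaluate(
            "paypal.com", RECORD_REJECT, "fail", "paypal.com", "pass", "paypal.com"),
        # Lookalike domain the attacker owns and has published records for: passes cleanly.
        "lookalike_owned_by_attacker": dmarc_evaluate(
            "paypa1.com", "v=DMARC1; p=reject", "pass", "paypa1.com", "pass", "paypa1.com"),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print("%-30s %s" % (name, verdict))
```

Two things to notice: the forgery fails under both records, so p=none gives the domain owner reports but gives the recipient nothing; and the lookalike passes on every check, which is why DMARC alone never answers "is this really PayPal", only "is this really paypa1.com".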
Warning Signs of a Spoofed Email
- The display name matches a company you know but the actual email address does not match their domain
- The email asks you to reply — and the reply-to address is different from the from address
- A familiar company's email address is off by one character: paypa1.com, amaz0n.com, microsofft.com
- Urgent requests for payment, gift cards, or login credentials, especially with instructions to act immediately
- An unexpected email from an executive or bank that asks you to keep the communication confidential
- The email domain is legitimate but the content is inconsistent with how that sender normally communicates
- Email headers (visible in "Show original" in Gmail) show the email originated from a server unrelated to the stated domain
How to Check If an Email Is Spoofed
Every email contains a set of technical headers that record its path from sender to recipient. These headers are hidden by default but are visible in every major email client:
Gmail
Open the email → click the three-dot menu (⋮) → "Show original"
Outlook
Open the email → File → Properties → Internet headers section
Apple Mail
View → Message → All Headers
In the headers, look for the Authentication-Results header added by your own receiving server. It shows whether SPF, DKIM, and DMARC passed or failed. SPF on its own can fail legitimately (for example when mail is forwarded), so the dmarc= result, which takes DKIM into account and checks alignment with the From: domain, is the one to trust: dmarc=fail on a message claiming to be from paypal.com is a near-certain indicator of spoofing.
Also check the Received headers (read bottom-to-top: each server prepends its own line, so the lowest one is the earliest hop). Only the lines added by servers you trust, starting with your own provider's, are reliable; anything below them can be written by the sender, but the IP your provider recorded for the connecting server cannot be faked. If an email claims to be from chase.com but that connecting IP is not covered by chase.com's SPF record or a sending provider the company is known to use, treat it as spoofed.
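The checks above can be automated over a raw header block. The following Python is an added example, not Gorganizer's engine or any code from the original page: it parses the headers with the standard library email package, reads the spf=/dkim=/dmarc= results out of Authentication-Results, takes the connecting IP from the topmost Received line, and raises the warning signs listed earlier (brand display name on a foreign domain, Reply-To domain divergence, lookalike domain by confusable-character normalization and one-edit typos). The brand table and both header samples are constructed; a real deployment needs a much larger brand list and the Public Suffix List for registered-domain extraction.

```python
import re
from email import message_from_string
from email.policy import default as default_policy

# Constructed brand table for the example (assumption: these are the only genuine domains).
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "chase": {"chase.com"},
    "microsoft": {"microsoft.com"},
}
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registered_label(domain):
    """'mail.paypa1.com' -> 'paypa1' (simplified: ignores multi-label suffixes such as co.uk)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos such as microsofft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain):
    """Return the brand a domain imitates, or None for a genuine brand domain or an unrelated one."""
    domain = domain.lower()
    label = registered_label(domain).replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)
    tokens = re.split(r"[-_]", label)          # paypal-secure-alerts -> paypal, secure, alerts
    for brand, legit in BRAND_DOMAINS.items():
        if domain in legit:
            return None
        if any(tok == brand or edit_distance(tok, brand) <= 1 for tok in tokens):
            return brand
    return None


def spoofing_signals(raw_headers):
    """Extract the warning signs from a raw header block as shown by 'Show original'."""
    msg = message_from_string(raw_headers, policy=default_policy)
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None
    auth = str(msg["Authentication-Results"] or "")
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    # The topmost Received header was written by the receiving MX and records the
    # connecting IP; anything below it could have been written by the sender.
    received = [str(h) for h in msg.get_all("Received", [])]
    ip_match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    signals = []
    name = sender.display_name.lower()
    if any(b in name and from_domain not in legit for b, legit in BRAND_DOMAINS.items()):
        signals.append("display_name_mismatch")
    if reply_to and reply_to.domain.lower() != from_domain:
        signals.append("reply_to_divergence")
    brand = lookalike_brand(from_domain)
    if brand:
        signals.append("lookalike_of_" + brand)
    signals += [m + "_fail" for m, r in results.items() if r.lower() == "fail"]
    return {"from_domain": from_domain, "auth_results": results,
            "connecting_ip": ip_match.group(1) if ip_match else None, "signals": signals}


# Constructed sample, not a real capture: a lookalike domain with its own valid
# SPF/DKIM/DMARC, a brand display name and an attacker-controlled Reply-To.
SUSPICIOUS = """\
Received: from mail.paypa1.com (mail.paypa1.com [203.0.113.10])
        by mx.recipient.example with ESMTPS id 4abc
        for <victim@recipient.example>; Mon, 2 Mar 2026 09:12:01 +0000
Authentication-Results: mx.recipient.example;
        spf=pass smtp.mailfrom=paypa1.com;
        dkim=pass header.d=paypa1.com;
        dmarc=pass header.from=paypa1.com
From: "PayPal Security" <security@paypa1.com>
Reply-To: support@paypal-helpdesk.ru
To: victim@recipient.example
Subject: Your account has been limited

"""

# Constructed benign sample for comparison.
BENIGN = """\
Received: from mx1.paypal.com (mx1.paypal.com [198.51.100.20])
        by mx.recipient.example with ESMTPS id 4def
Authentication-Results: mx.recipient.example;
        spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com;
        dmarc=pass header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: victim@recipient.example
Subject: Your receipt

"""
```

Run it as `spoofing_signals(SUSPICIOUS)`: every authentication result is pass, yet three signals fire, which is the situation described in the previous section where SPF, DKIM and DMARC all succeed because the attacker owns paypa1.com.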
How Gorganizer Detects Spoofed Emails
Gorganizer's scoring engine analyses every email against 1,018+ signals — including a dedicated set for spoofing detection. The engine checks SPF and DKIM authentication results in the headers, identifies display-name mismatches, flags Reply-To/From domain divergence, detects lookalike domain character substitution, and identifies forged "forwarded message" formatting used in BEC attacks.
These signals combine with subject, body, and sender analysis to produce a confidence score for each email. Spoofed emails with low scores go to trash; borderline cases get a Review label so you can decide. Nothing is permanently deleted without your explicit action.
Frequently Asked Questions
What is email spoofing?
Email spoofing is when an attacker sends an email with a forged sender address, making the message appear to come from a trusted person or organization it does not actually originate from. The From: field you see in your email client can be set to anything; the underlying email protocol (SMTP) has no built-in authentication by default.
Is email spoofing illegal?
Yes, in most jurisdictions. In the United States, the CAN-SPAM Act prohibits false or misleading header and sender information. Computer fraud statutes (including the CFAA) also apply when spoofing is used to commit fraud, impersonation, or unauthorized access. In the EU, spoofing used to commit fraud is prosecutable under cybercrime directives.
Can spoofed emails pass spam filters?
Some can, especially if the sending domain has valid SPF/DKIM records or if the attacker is spoofing the display name only (not the actual address). Display-name spoofing, where the name says "CEO John Smith" but the address is john@random-domain.com, is extremely common and often passes automated filters because the address itself is technically valid.
What is the difference between spoofing and phishing?
Spoofing refers specifically to forging the sender identity. Phishing is the broader attack: it uses spoofing (among other techniques) to deceive the recipient into clicking a link, entering credentials, or taking a harmful action. All phishing uses some form of identity deception; not all spoofing is phishing (it can also be used in spam or BEC fraud).
How do SPF, DKIM, and DMARC stop spoofing?
SPF (Sender Policy Framework) lets a domain publish which mail servers are allowed to send on its behalf; a receiving server checks the connecting IP against that list and, depending on the record's qualifier (-all versus ~all) and its own policy, rejects, marks or tolerates mail from unlisted sources. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each email that proves it was signed by the holder of the signing domain's private key and that the signed parts were not modified in transit. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties both to the visible From: domain, requiring an aligned SPF or DKIM pass, and lets domain owners specify what to do with failing messages (quarantine or reject) and receive reports. Together they form the primary technical defence against spoofing.