Email Spoofing Attacks: How SPF, DKIM, and DMARC Fail

Introduction

Email remains the most trusted and widely used communication channel for businesses. Invoices, password resets, approvals, and internal conversations all rely on it. However, this trust is exactly what attackers exploit through email spoofing attacks.

Many organisations believe they are protected because they have configured SPF, DKIM, and DMARC. On paper, these controls are designed to prevent spoofing. In reality, misconfigurations, weak enforcement, and misunderstandings allow attackers to bypass them every day.

In 2026, email spoofing attacks continue to drive phishing, fraud, and business email compromise incidents. Therefore, understanding why SPF, DKIM, and DMARC fail in practice is critical for securing modern email environments.

What Are Email Spoofing Attacks?

Email spoofing attacks occur when an attacker sends emails that appear to come from a trusted domain or sender, even though the message was not authorised by that organisation.

To be clear:

  • The attacker does not need to compromise the real email account
  • The attacker forges the From address
  • The goal is to trick recipients into trusting the message

Spoofed emails are commonly used to:

  • Deliver phishing links
  • Request urgent payments
  • Reset passwords
  • Impersonate executives or vendors

Email spoofing works because email was originally designed without built-in sender authentication.

How Email Authentication Is Supposed to Work

To stop email spoofing, modern email systems rely on three mechanisms:

SPF (Sender Policy Framework)

SPF defines which mail servers are allowed to send email on behalf of a domain.

DKIM (DomainKeys Identified Mail)

DKIM uses cryptographic signatures to verify that email content has not been altered and that it came from an authorised domain.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC ties SPF and DKIM together and tells receiving servers what to do when checks fail.

In theory, this combination should prevent spoofing. In practice, gaps appear.

Why SPF Fails in Real-World Environments

SPF is often the first line of defence, yet it frequently fails due to configuration issues.

Overly permissive policies

Using +all, or other permissive terms such as a neutral ?all, effectively allows anyone to send email for the domain.

Too many DNS lookups

SPF limits the DNS-lookup mechanisms in a record (include, a, mx, ptr, exists and redirect, counted across every nested include) to 10. Complex configurations often exceed this limit, and evaluation then returns a permanent error instead of a pass. Nothing on the sending side reports this, so the failure goes unnoticed.

Third-party service sprawl

Marketing tools, CRM platforms, and support systems add sending sources that are never properly maintained.

Mail forwarding breaks SPF

Forwarded emails often fail SPF checks, leading administrators to weaken policies.

As a result, SPF alone rarely stops email spoofing attacks.
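The two SPF failure modes above, a permissive all qualifier and the 10-lookup limit, can both be checked statically before a record is published. The following is an added example, not code from the original article or from eSHIELD IT Services. It resolves records from a constructed in-memory table (FAKE_DNS, with hypothetical .test domains) instead of live DNS, and counts lookups using the RFC 7208 rule that include, a, mx, ptr, exists and redirect each cost one lookup.

```python
"""Static SPF review: flag a permissive 'all' qualifier and count DNS-lookup
mechanisms against the RFC 7208 limit of 10.

Added example. FAKE_DNS stands in for DNS TXT lookups; every domain in it is
constructed for the demonstration."""

FAKE_DNS = {
    # A sprawling record: several third-party includes, mx, a, and +all.
    "example.test": "v=spf1 include:mailer.test include:crm.test "
                    "include:support.test mx a +all",
    "mailer.test": "v=spf1 include:_spf.mailer.test ~all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.0/24 include:net1.mailer.test "
                        "include:net2.mailer.test include:net3.mailer.test -all",
    "net1.mailer.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "net2.mailer.test": "v=spf1 ip4:203.0.113.0/25 -all",
    "net3.mailer.test": "v=spf1 ip4:203.0.113.128/25 -all",
    "crm.test": "v=spf1 include:a.crm.test include:b.crm.test -all",
    "a.crm.test": "v=spf1 ip4:192.0.2.0/25 -all",
    "b.crm.test": "v=spf1 ip4:192.0.2.128/25 -all",
    "support.test": "v=spf1 include:_spf.support.test -all",
    "_spf.support.test": "v=spf1 ip4:198.51.100.200 -all",
    # A tidy record: explicit IPs, one include, hard fail for everything else.
    "tidy.test": "v=spf1 ip4:192.0.2.10 include:mailer.test -all",
}

# Mechanisms that cost a DNS lookup (RFC 7208 section 4.6.4); ip4/ip6 do not.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10


def lookup_txt(domain):
    """Stand-in for a DNS TXT query; returns None when no record exists."""
    return FAKE_DNS.get(domain)


def count_lookups(domain, path=()):
    """Total lookup-costing terms in the record and all records it includes.
    'path' holds the chain of domains being walked so include loops stop."""
    if domain in path:
        return 0
    record = lookup_txt(domain)
    if record is None:
        return 0
    total = 0
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        term = term.lstrip("+-~?")           # qualifier does not change cost
        if term.startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":            # includes are evaluated recursively
                total += count_lookups(arg, path + (domain,))
    return total


def all_qualifier(record):
    """Qualifier on the 'all' mechanism ('+', '-', '~', '?'), or None if absent."""
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # bare term means '+'
        if term.lstrip("+-~?") == "all":
            return qualifier
    return None


def review_spf(domain):
    """Return the record, its lookup count, and a list of findings."""
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return {"record": record, "lookups": 0, "findings": ["no SPF record published"]}
    findings = []
    qualifier = all_qualifier(record)
    if qualifier == "+":
        findings.append("'+all' lets any host send as this domain")
    elif qualifier == "?":
        findings.append("'?all' is neutral and makes no assertion about unlisted hosts")
    elif qualifier is None:
        findings.append("no 'all' mechanism: unlisted hosts default to neutral")
    lookups = count_lookups(domain)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}: "
                        "receivers return permerror instead of pass")
    return {"record": record, "lookups": lookups, "findings": findings}


if __name__ == "__main__":
    for name in ("example.test", "tidy.test"):
        result = review_spf(name)
        print(name, "lookups =", result["lookups"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the sprawling example.test record the review reports 12 lookups and the +all qualifier; tidy.test comes back clean at 5 lookups. To review a real domain, replace lookup_txt with a resolver call and keep the counting logic as is.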

Why DKIM Breaks More Often Than Expected

DKIM is powerful, but it is fragile when mismanaged.

Missing or expired keys

Keys that are not rotated or published correctly cause verification failures.

Partial signing

Some systems sign only a subset of the headers, or limit how much of the body is covered, so the unsigned parts can be changed without invalidating the signature.

Misaligned domains

If the DKIM signing domain does not align with the domain in the visible From header, the signature can verify correctly and DMARC can still fail.

Infrastructure changes

Email routing changes often break DKIM without immediate visibility.

Because DKIM failures are silent, organisations may not realise they are exposed.
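Partial signing and expired signatures can be spotted by inspecting the DKIM-Signature header itself, before any cryptographic verification. The following is an added example, not code from the original article or from eSHIELD IT Services; both sample headers are constructed (the d= domain, selectors, and the bh=/b= values are placeholders, and the timestamp passed as now is fixed so the expiry check is reproducible).

```python
"""Review a DKIM-Signature header for partial coverage and expiry.

Added example. The header values below are constructed; bh= and b= are
placeholders and are never verified here."""
import time

# Headers a recipient relies on when reading a message. RFC 6376 requires only
# From to be signed, so anything else left out of h= is a policy choice.
RECOMMENDED_SIGNED = ["from", "to", "subject", "date", "message-id"]

WEAK_SIG = ("v=1; a=rsa-sha256; d=example.test; s=legacy; h=from; l=200; "
            "x=1700000000; bh=ZmFrZQ==; b=ZmFrZQ==")
GOOD_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.test; s=s2026; "
            "h=from:to:subject:date:message-id; bh=ZmFrZQ==; b=ZmFrZQ==")


def parse_dkim_tags(header_value):
    """Split a 'tag=value; tag=value' list into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def review_dkim_signature(header_value, now=None):
    """Return signing domain, selector, covered headers, and a list of findings."""
    now = int(time.time()) if now is None else now
    tags = parse_dkim_tags(header_value)
    findings = []
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]

    if "from" not in signed:
        findings.append("From is not covered by h=: the signature is invalid under RFC 6376")
    for header in RECOMMENDED_SIGNED:
        if header != "from" and header not in signed:
            findings.append(f"{header} is not signed: it can be altered without "
                            "breaking the signature")
    if "l" in tags:
        findings.append(f"l={tags['l']} limits body coverage: content can be appended "
                        "after the signed portion")
    if "x" in tags and int(tags["x"]) < now:
        findings.append("signature expired (x= is in the past): verifiers report fail")

    return {
        "domain": tags.get("d"),
        "selector": tags.get("s"),
        "signed_headers": signed,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sig in (("weak", WEAK_SIG), ("good", GOOD_SIG)):
        result = review_dkim_signature(sig)
        print(label, result["domain"], result["selector"], result["signed_headers"])
        for finding in result["findings"]:
            print("  -", finding)
```

The weak header signs only From, caps body coverage with l=, and carries an expiry that has already passed, so it produces six findings; the good header produces none. The check is deliberately independent of the public key, so it works on archived messages and on outbound mail before the key is even published.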

How DMARC Fails Despite Being Enabled

DMARC is designed to enforce policy, yet it is commonly deployed in a non-protective state.

Policy set to monitoring only

Many domains use p=none, which collects reports but allows spoofed emails through.

Alignment misunderstandings

Even a passing SPF or DKIM result does not satisfy DMARC unless the authenticated domain aligns with the domain in the visible From header.

Fear of blocking legitimate mail

Organisations hesitate to move to quarantine or reject, leaving gaps open.

Ignored reports

DMARC aggregate reports are hard to read without tooling, so the problems they reveal often remain unresolved.

Therefore, having DMARC enabled does not mean email spoofing attacks are blocked.

How Email Spoofing Attacks Succeed Despite Controls

Attackers understand how email authentication fails in practice.

They exploit:

  • Weak enforcement policies
  • Misaligned domains
  • Third-party senders
  • Trust in familiar sender names

As a result, spoofed emails often land directly in inboxes, not spam folders.

Real-World Example

An attacker sends an email appearing to come from a company’s finance domain. The message requests an urgent invoice payment.

The domain has SPF, DKIM, and DMARC configured. However:

  • SPF allows multiple senders
  • DKIM alignment is broken
  • DMARC policy is set to none

The email passes through, reaches the recipient, and triggers a fraudulent payment.

This scenario explains why configuration quality matters more than configuration presence.
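The alignment rule from the DMARC section and the scenario above can be worked through as a small DMARC evaluation. The following is an added example, not code from the original article or from eSHIELD IT Services. It assumes constructed domains (finance.example.test as the company's finance domain, mailer.test as a third-party bulk sender) and approximates the organisational domain with the last two labels, where a real verifier would consult the Public Suffix List; pct= and sp= are not modelled.

```python
"""DMARC evaluation: identifier alignment plus policy disposition.

Added example. Domains are constructed. org_domain() is a two-label
approximation of the organisational domain; real verifiers use the Public
Suffix List. The pct= and sp= tags are ignored for brevity."""


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; ...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # ASSUMPTION: last two labels. Fine for example.test, wrong for co.uk-style suffixes.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment compares organisational domains; strict ('s') wants equality."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, spf, dkim_sigs, record):
    """from_domain: domain of the visible From header.
    spf: (result, MAIL FROM domain).  dkim_sigs: list of (result, d= domain).
    Returns (dmarc_result, disposition, reasons)."""
    tags = parse_dmarc(record)
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")
    reasons = []

    spf_result, spf_domain = spf
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    if spf_result == "pass" and not spf_ok:
        reasons.append(f"SPF passed for {spf_domain} but is not aligned with {from_domain}")
    elif spf_result != "pass":
        reasons.append(f"SPF result {spf_result} for {spf_domain}")

    dkim_ok = False
    for result, d in dkim_sigs:
        if result == "pass" and aligned(from_domain, d, adkim):
            dkim_ok = True            # one aligned passing signature is enough
        elif result == "pass":
            reasons.append(f"DKIM passed for d={d} but is not aligned with {from_domain}")
        else:
            reasons.append(f"DKIM result {result} for d={d}")

    if spf_ok or dkim_ok:
        return "pass", "deliver", []

    policy = tags.get("p", "none")
    disposition = {"none": "deliver", "quarantine": "quarantine",
                   "reject": "reject"}.get(policy, "deliver")
    if policy == "none":
        reasons.append("p=none: failure is only reported, message is delivered")
    return "fail", disposition, reasons


# The article's scenario: SPF passes for the bulk sender's own bounce domain,
# the DKIM signature belongs to the bulk sender, and the brand's policy is p=none.
SCENARIO = {
    "from_domain": "finance.example.test",
    "spf": ("pass", "bounce.mailer.test"),
    "dkim_sigs": [("pass", "mailer.test")],
}
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"


if __name__ == "__main__":
    for label, record in (("p=none", MONITOR_ONLY), ("p=reject", ENFORCED)):
        result, disposition, reasons = evaluate_dmarc(record=record, **SCENARIO)
        print(f"{label}: dmarc={result} disposition={disposition}")
        for reason in reasons:
            print("  -", reason)
```

With p=none the message fails DMARC yet is delivered, which is exactly the outcome described above; with p=reject the same message is rejected, and signing with d=example.test under relaxed alignment turns it into a pass. Switching the record to adkim=s shows why strict alignment breaks a subdomain sender that was fine under relaxed mode.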

Why Email Spoofing Attacks Are Hard to Detect

Email spoofing blends into normal communication.

Messages look legitimate

Branding and sender names appear correct.

No malware involved

Many spoofing attacks rely purely on deception.

Authentication failures are invisible to users

End users cannot see SPF or DMARC results.

Low-volume attacks evade filters

Small, targeted campaigns bypass detection.

Because of this, prevention must be proactive.

Impact on Businesses / Individuals

For Businesses

  • Financial fraud and payment diversion
  • Brand impersonation
  • Business Email Compromise (BEC) incidents
  • Regulatory and compliance exposure
  • Loss of customer trust
  • Incident response costs

For Individuals

  • Credential theft
  • Financial loss
  • Account compromise
  • Privacy exposure
  • Long-term identity risks

How to Reduce Email Spoofing Risk

Reducing email spoofing attacks requires disciplined configuration.

Harden SPF policies

Limit senders and remove overly permissive rules.

Maintain DKIM properly

Rotate keys and ensure full message signing.

Enforce DMARC gradually

Move from monitoring to quarantine and rejection.

Monitor authentication reports

Use reports to identify unknown senders.

Align domains consistently

Ensure visible sender domains align with authentication domains.

Educate internal teams

Configuration changes should be security-reviewed.
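The "Monitor authentication reports" step above is where unknown senders surface, but the aggregate (rua) reports arrive as XML and are tedious to read by hand. The following is an added example, not code from the original article or from eSHIELD IT Services; it parses a constructed aggregate report in the RFC 7489 Appendix C format and lists the sources that failed aligned authentication, together with how much of that failing mail the published policy let through. The IP addresses, domains and counts in SAMPLE_RUA are all constructed.

```python
"""Parse a DMARC aggregate (rua) report and list the sending sources that
fail aligned authentication.

Added example. SAMPLE_RUA is a constructed report in the RFC 7489 Appendix C
layout; IPs, domains and counts are placeholders."""
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.test</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.test</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.test</domain><result>pass</result></dkim>
      <spf><domain>example.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results>
      <spf><domain>mailer.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def parse_rua(xml_text):
    """Return the published p= value and one flat dict per <record>.
    policy_evaluated/dkim and /spf are the *aligned* results, which is what
    DMARC acts on; auth_results holds the raw per-domain results."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    rows = []
    for rec in root.findall("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dkim": rec.findtext("row/policy_evaluated/dkim"),
            "spf": rec.findtext("row/policy_evaluated/spf"),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return policy, rows


def failing_sources(rows):
    """Sources where neither SPF nor DKIM passed in alignment (a DMARC fail)."""
    return [r for r in rows if r["dkim"] != "pass" and r["spf"] != "pass"]


def summarize(xml_text):
    """Headline numbers a mail admin wants from one report."""
    policy, rows = parse_rua(xml_text)
    failing = failing_sources(rows)
    delivered = sum(r["count"] for r in failing if r["disposition"] == "none")
    return {
        "policy": policy,
        "sources": len(rows),
        "failing_sources": [r["source_ip"] for r in failing],
        "delivered_despite_fail": delivered,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_RUA)
    print(summary)
    for row in failing_sources(parse_rua(SAMPLE_RUA)[1]):
        print(f"{row['source_ip']}: {row['count']} msgs, From={row['header_from']}, "
              f"raw SPF domain={row['spf_domain']}, disposition={row['disposition']}")
```

In the sample, 203.0.113.77 sends as example.test, its raw SPF passes for mailer.test (an unaligned third party), and because the policy is p=none all 35 of those messages were delivered. That is the signal to either add the sender to the domain's authentication (if it is legitimate) or move the policy towards quarantine and reject.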

Email spoofing and authentication failures are documented extensively in the official DMARC specification (RFC 7489).

Why Email Spoofing Is a Configuration Problem, Not a Protocol Problem

SPF, DKIM, and DMARC work as designed. Failures occur because of:

  • Complexity
  • Poor visibility
  • Fear of enforcement
  • Lack of ownership

Therefore, solving email spoofing attacks requires operational discipline, not new technology.

Conclusion

Email spoofing attacks persist because trust in email remains high and misconfigurations remain common. Although SPF, DKIM, and DMARC are powerful, they only work when implemented correctly and enforced confidently.

In 2026, organisations must move beyond checkbox compliance and treat email authentication as a critical security control. At eSHIELD IT Services, we help businesses identify authentication gaps, reduce spoofing risk, and protect digital trust across communication channels.

FAQ

What are email spoofing attacks?

They involve forging sender addresses to impersonate trusted domains.

Does having SPF stop spoofing?

No, SPF alone is not sufficient.

Can DKIM prevent email spoofing?

Only when configured and aligned correctly.

Why does DMARC fail so often?

Because many domains do not enforce blocking policies.

Is DMARC mandatory?

It is strongly recommended but not mandatory.

Do spoofed emails always go to spam?

No, many land in inboxes.

Are spoofing attacks the same as phishing?

Spoofing is often used to enable phishing.

Can users detect spoofed emails?

Not reliably without technical indicators.

Is email still dangerous in 2026?

Yes, it remains a primary attack vector.

Who should manage email authentication?

Security and IT teams together.