Email Security

How to Prevent Email Spoofing: A Technical Guide for UK Organisations

Email spoofing lets attackers forge your company domain in phishing attacks. This guide covers the technical controls (SPF, DKIM, DMARC and MTA-STS) that, once enforced, stop forged mail from your domain being accepted by receivers that check them.

12 April 2026 · 8 min read · #email spoofing #phishing #DMARC

The spoofing problem

Email protocols were designed for connectivity, not security. SMTP does not verify who is sending: the envelope sender given in the MAIL FROM command and the From: header that users see are both free text, and neither has to match the server that actually delivers the message. Without additional controls, any server on the internet can send an email that appears to come from your company's domain, and many email clients will display it without any warning.

This is how business email compromise begins. An attacker sends a convincing invoice, payment instruction, or credential request that appears to come from your CEO, your finance team, or a trusted supplier. The NCSC estimates BEC attacks cost UK businesses over £100 million annually.

The three-layer defence

Layer 1: SPF limits who can send

Sender Policy Framework is a TXT record on your domain listing the IP addresses and mail servers authorised to send email for it. A receiving server takes the domain from the SMTP envelope sender (MAIL FROM), fetches that record and checks whether the connecting IP address is covered. If it is not, the message fails SPF; how hard it fails depends on the record's closing all term (-all is a fail, ~all only a softfail that most receivers still deliver). Two practical limits apply: evaluating the record may trigger at most ten DNS lookups (include, a, mx, ptr, exists, redirect), and exceeding that count gives a permerror that receivers treat as a failure; and SPF breaks on forwarding, because the forwarding server's IP is not in your list.

SPF alone is not enough because it only checks the envelope sender, not the From: header that users see. Attackers can pass SPF by using their own domain in the envelope while spoofing yours in From:.
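To make the SPF check concrete, here is an added example (not code from the original article or from VP Shield) that evaluates a connecting IP against an SPF record the way a receiving server does: it walks the mechanisms in order, follows include: chains, enforces the ten-lookup budget, and reports how strong the record's closing all term is. All domains, addresses and records are constructed and embedded so the script runs offline; a real implementation would fetch the TXT records from DNS.

```python
import ipaddress

# Constructed DNS zone so this runs offline: every domain and address here is
# hypothetical and stands in for a live TXT lookup.
DNS_TXT = {
    "example.co.uk": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "weak.example": "v=spf1 include:_spf.mailprovider.example +all",
    "loop.example": "v=spf1 include:loop.example -all",
}

MAX_LOOKUPS = 10  # RFC 7208 s.4.6.4: include, a, mx, ptr, exists and redirect share this budget
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's SPF record, or None if it has none (constructed lookup)."""
    rec = DNS_TXT.get(domain.lower())
    return rec if rec and rec.lower().startswith("v=spf1") else None


def check_spf(ip, domain, _lookups=None):
    """Evaluate SPF for a connecting IP against an envelope-sender (MAIL FROM) domain.

    Returns (result, explanation); result uses the RFC 7208 names pass, fail,
    softfail, neutral, none and permerror. ip4, ip6, include and all are evaluated;
    a, mx, ptr and exists need live DNS, so here they spend lookup budget and never match.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = spf_record(domain)
    if record is None:
        return "none", f"no SPF record for {domain}"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:          # modifiers such as redirect= or exp= are not simulated
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech in ("ip4", "ip6"):
            # a v4 address is never inside a v6 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech in ("include", "a", "mx", "ptr", "exists"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", f"more than {MAX_LOOKUPS} DNS lookups evaluating {domain}"
            if mech == "include":
                sub, why = check_spf(ip, arg, lookups)
                if sub == "permerror":
                    return sub, why
                matched = sub == "pass"  # an include only matches when the included record passes
        elif mech == "all":
            matched = True
        else:
            return "permerror", f"unknown mechanism {mech!r} in {domain}"
        if matched:
            return QUALIFIER_RESULT[qualifier], f"{qualifier}{term} matched in {domain}"
    return "neutral", "no mechanism matched"


def spf_strength(domain):
    """What an unlisted sender gets is decided by the record's closing 'all' term."""
    record = spf_record(domain)
    if record is None:
        return "missing"
    for term in record.lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in QUALIFIER_RESULT else "+"
            return {"-": "strong (-all: unlisted senders fail)",
                    "~": "moderate (~all: unlisted senders softfail, usually still delivered)",
                    "?": "weak (?all: neutral, no protection)",
                    "+": "useless (+all: every sender passes)"}[qualifier]
    return "weak (no all term: unlisted senders are neutral)"


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "example.co.uk"), ("192.0.2.99", "example.co.uk"),
                    ("192.0.2.99", "weak.example"), ("192.0.2.99", "loop.example")]:
        print(dom, ip, *check_spf(ip, dom))
    for dom in ("example.co.uk", "weak.example", "nospf.example"):
        print(dom, spf_strength(dom))
```

Two things the run makes visible: weak.example passes any IP on the internet because of its trailing +all, even though it includes a provider record that looks restrictive; and loop.example exhausts the lookup budget and ends in permerror, which is what happens to real domains that include several SaaS providers' records. Neither result says anything about the From: header, which is the gap the next two layers close.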

Layer 2: DKIM proves the message is genuine

DomainKeys Identified Mail signs each outgoing message with a private key held by your mail server. The matching public key is published in DNS at <selector>._domainkey.<domain>, and the DKIM-Signature header names both the selector (s=) and the signing domain (d=). Receiving servers fetch the key and verify the signature over the body and the listed headers. A valid signature proves the message was signed by a holder of that domain's private key and that the signed parts have not been altered in transit. Note that d= is chosen by the signer: a valid DKIM signature from some other domain says nothing about your From: address, which is why the DMARC alignment check in Layer 3 matters.

DKIM usually survives forwarding, where SPF breaks, because the signature travels with the message rather than depending on the sending IP. It does break when something modifies the signed content in transit; mailing lists that rewrite the Subject: or append a footer are the common case.

Layer 3: DMARC ties it together and enforces policy

DMARC checks that SPF or DKIM (or both) pass and that the authenticated domain aligns with the From: header domain: for SPF that is the MAIL FROM domain, for DKIM the d= domain. Alignment is relaxed by default (aspf=r, adkim=r), meaning the same organisational domain is enough, so mail with a MAIL FROM of bounce.yourdomain.com aligns with a From: of yourdomain.com; strict mode (s) requires an exact match. If neither mechanism gives an aligned pass, your DMARC policy says what the receiver should do: nothing (p=none), quarantine to spam (p=quarantine), or reject outright (p=reject). A separate sp= tag sets the policy for subdomains that have no record of their own, and rua= names the mailbox that receives aggregate reports.

DMARC with p=reject closes the spoofing gap almost completely. An attacker cannot forge your exact From: domain and have the message delivered to a receiving mail server that enforces DMARC. It does not cover what DMARC never checks: lookalike domains, a forged display name in front of an attacker-controlled address, or mail sent from a genuinely compromised account in your domain.
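The following is an added example (not code from the original article or from VP Shield) of the DMARC decision a receiver makes once it has the raw SPF and DKIM results. It looks up the policy for the From: domain, falling back to the organisational domain's record and its sp= tag for subdomains, tests relaxed or strict alignment, and returns the disposition. It also replays the SPF-only gap described under Layer 1: an attacker whose own domain passes SPF still fails DMARC because nothing aligns with your From:. The DMARC records, the cut-down public suffix list and all domains are constructed and embedded so it runs offline.

```python
# Constructed DMARC records so this runs offline; domains and mailboxes are hypothetical.
DMARC_DNS = {
    "_dmarc.example.co.uk": ("v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; "
                             "rua=mailto:dmarc-rua@example.co.uk"),
    "_dmarc.monitoring.example": "v=DMARC1; p=none; rua=mailto:reports@monitoring.example",
}

# Tiny stand-in for the Public Suffix List, used to find the organisational domain.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "uk", "com", "net", "example"}


def organisational_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else domain.lower()
    return domain.lower()


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(auth_domain, from_domain, mode):
    """RFC 7489 identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organisational_domain(auth_domain) == organisational_domain(from_domain)


def find_policy(from_domain):
    """Try _dmarc.<from_domain>, then _dmarc.<org domain>; return (tags, subdomain_policy_applies)."""
    rec = DMARC_DNS.get(f"_dmarc.{from_domain.lower()}")
    if rec:
        return parse_dmarc(rec), False
    org = organisational_domain(from_domain)
    if org != from_domain.lower():
        rec = DMARC_DNS.get(f"_dmarc.{org}")
        if rec:
            return parse_dmarc(rec), True
    return None, False


def evaluate_dmarc(from_domain, spf_result, mailfrom_domain, dkim_result, dkim_domain):
    """Combine raw SPF and DKIM results with alignment against the RFC5322.From domain.

    mailfrom_domain is the SMTP MAIL FROM domain SPF was checked against; dkim_domain is
    the d= tag of a verified signature, or None when nothing verified.
    """
    tags, is_sub = find_policy(from_domain)
    if tags is None or tags.get("v", "").upper() != "DMARC1":
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record: nothing enforced"}
    spf_aligned = spf_result == "pass" and aligned(mailfrom_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        via = "DKIM" if dkim_aligned else "SPF"
        return {"dmarc": "pass", "disposition": "none", "reason": f"aligned {via} pass"}
    # A subdomain From: without its own record uses sp=, which falls back to p=.
    policy = tags.get("sp", tags.get("p", "none")) if is_sub else tags.get("p", "none")
    # pct= (default 100) is applied by the receiver as random sampling; it is not simulated here.
    return {"dmarc": "fail", "disposition": policy,
            "reason": f"no aligned pass (spf={spf_result} for {mailfrom_domain}, "
                      f"dkim={dkim_result} for {dkim_domain})"}


if __name__ == "__main__":
    cases = [
        ("spoof, attacker passes SPF for own domain", "example.co.uk", "pass", "attacker.example", "none", None),
        ("legitimate, relaxed SPF alignment", "example.co.uk", "pass", "bounce.example.co.uk", "none", None),
        ("forwarded, SPF broke but DKIM held", "example.co.uk", "fail", "example.co.uk", "pass", "example.co.uk"),
        ("spoofed subdomain, sp= applies", "hr.example.co.uk", "pass", "attacker.example", "none", None),
        ("spoof against p=none domain", "monitoring.example", "pass", "attacker.example", "none", None),
    ]
    for label, *args in cases:
        print(f"{label}: {evaluate_dmarc(*args)}")
```

The first case is the whole point of Layer 3: SPF returned pass, but for attacker.example, not for the domain in From:, so DMARC fails and p=reject applies. The fifth case shows what p=none buys you: the same spoof is identified as a failure, and the receiver is asked to do nothing about it.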

MTA-STS: protecting the mail channel itself

The above controls protect the From: address. MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) protects the connection between mail servers. SMTP encryption is normally opportunistic: the sending server uses STARTTLS only if the receiver offers it, so an attacker on the path can strip the offer and read or modify the message in plaintext, or redirect delivery through forged MX answers. An MTA-STS policy tells sending servers that your MX hosts must offer TLS with a valid certificate and which MX hostnames are legitimate, so a downgrade or a redirection is refused instead of silently accepted. It protects mail sent to your domain; mail you send is only covered when the recipient domain publishes its own policy.

Publish a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt, served over HTTPS with a certificate valid for that hostname, and a TXT record at _mta-sts.yourdomain.com whose id value you change every time the policy changes (senders cache the policy for max_age seconds and only re-fetch when the id in DNS differs). Start in mode: testing and switch to mode: enforce once every MX host verifiably presents a valid certificate.
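As an added illustration of the two pieces just described (not taken from the original article), here is the DNS record and the policy file for a hypothetical domain example.co.uk with MX hosts mx1 and mx2; hostnames, the address and the id value are all assumptions.

```text
; DNS, zone-file style. The id is an opaque string; change it whenever the policy file changes.
_mta-sts.example.co.uk.   IN TXT  "v=STSv1; id=20260412T120000Z"
mta-sts.example.co.uk.    IN A    203.0.113.20     ; HTTPS host for the policy, cert must be valid for this name

# Served at https://mta-sts.example.co.uk/.well-known/mta-sts.txt as text/plain
version: STSv1
mode: testing
mx: mx1.example.co.uk
mx: mx2.example.co.uk
max_age: 604800
```

The mx lines must match the hostnames in your MX records (a wildcard such as mx: *.example.co.uk is allowed for one label). In testing mode a sender that cannot validate TLS still delivers, so nothing breaks while you confirm the certificates; flip mode to enforce, and bump the id, once that is verified. max_age is in seconds; a week is a common value, and a short value while you are still changing things limits how long a mistake is cached by senders.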

Check your spoofing exposure now

VP Shield shows your email spoofing exposure with a clear risk assessment — if your domain can currently be spoofed, it will say so plainly. The check covers SPF presence and strength, DKIM status, DMARC policy level, and DMARC alignment.

If you have a p=none DMARC policy, your domain can currently be spoofed: the record only asks receivers to send reports, and only if it includes a rua= address. Fix it by moving to p=quarantine and then p=reject once you have reviewed 2–4 weeks of aggregate reports and confirmed that every legitimate sender (marketing platforms, ticketing systems, cloud services) passes with an aligned SPF or DKIM identity; the pct= tag lets you apply the stricter policy to a fraction of mail first.

Check your domain security now

VP Shield runs a free passive scan on any domain — DNS, TLS, email authentication, security headers, subdomain takeover risk. No login, no install, two minutes.